Dechert Cyber Bits - Issue 4

Dechert LLP
EDPB Issues Draft Guidance on International Data Transfers

On November 18, 2021, the European Data Protection Board (“EDPB”) published draft guidance on the interaction between the GDPR’s transfer provisions in Chapter V and Article 3 of the GDPR. In June 2021 the European Commission (EC) published new standard contractual clauses (“SCCs”), but made clear that they are suitable only for data transfers where the data importer’s processing of the personal data is not subject to the GDPR.

Even where the data importer is located outside the EEA, but its data processing is caught by the GDPR, a valid data transfer mechanism will be required. Given that the new SCCs were not drafted for in-scope data importers, other data transfer mechanisms approved by the EC will be required, or the SCCs will have to be modified to align with the EDPB’s guidance. Any modification will have to take into account the potential conflict between the GDPR and the legislation in the country of the in-scope data importer. If the draft guidance is adopted as proposed, the EDPB will effectively be requiring controllers to undertake a Schrems II transfer impact assessment (even where there is no “transfer” under the GDPR). For a more detailed analysis of the draft guidelines please review our recent Dechert OnPoint.

US Regulators Order Banks to Report Cyberattacks Within 36 Hours

On November 18, 2021, U.S. banking regulators, including the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (collectively, the “U.S. Banking Regulators”), issued a Final Rule that requires U.S. banking organizations to report to their primary federal regulators any material cyber-security incident as soon as possible and no later than 36 hours after determining the incident has occurred. “Banking organizations” include national banks, U.S. bank holding companies, state member banks, the U.S. operations of foreign banking organizations and all insured state nonmember banks, among others.

The Final Rule defines a “notification incident” as “a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s: (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.” The Final Rule includes a “non-exhaustive list” of examples that would qualify as notification incidents under this definition.

The Final Rule also includes a separate requirement that a bank service provider must notify its customers as soon as possible once the service provider determines it has experienced an incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade,” the services provided to its customers for four or more hours.

The Final Rule will go into effect on April 1, 2022, with a compliance date of May 1, 2022, to allow additional time for banking organizations to implement procedures necessary to comply with the Final Rule.

Takeaway: Due to the increased frequency and severity of cyberattacks that have targeted the financial services industry, U.S. Banking Regulators have adopted the Final Rule to help promote “early awareness of emerging threats to banking organizations and the broader financial system.” U.S. banking organizations should train employees on the new requirements and evaluate their policies and procedures with respect to detecting and reporting cybersecurity threats to ensure that such policies comply with these new notification requirements.

Belgian DPA Sends its Draft Decision in the IAB Europe Case to its EU Counterparts

The Belgian Data Protection Authority (“DPA”) announced on November 25, 2021 that it had finalized its draft decision against the Interactive Advertising Bureau Europe (“IAB”) for GDPR breaches and circulated it to EU DPAs for review. The DPA’s investigation was triggered in 2019 by complaints that the IAB’s Transparency & Consent Framework (“TCF”) may not satisfy GDPR requirements for controllers. According to reports, IAB, the European-level trade association for the digital marketing and advertising industry, had not previously considered itself to be a controller with respect to the TCF so it had not fulfilled certain controller obligations.

The draft decision has now been shared with EU DPAs, who have four weeks to either agree with the draft or issue a relevant and reasoned objection. The Belgian DPA will then either circulate a revised draft, or reject any objections, which would trigger the GDPR dispute mechanism (Article 65 GDPR). In this case, the European Data Protection Board would have to rule on the issue within one month, which will likely be extended to two months considering the complexity of the issues presented.

Takeaway: The circulation of the draft decision is a key step in this case but not yet the end of the tunnel. Since all 27 DPAs previously indicated their wish to be involved in the procedure as concerned supervisory authorities, it is likely that at least some DPAs will comment on the draft and trigger a lengthy process, so patience is warranted. Companies involved in the AdTech industry should monitor developments and consider their options for carrying out behavioural advertising in compliance with the GDPR.

FBI Breach Results in Fake Emails Being Sent from Agency’s Own Servers

The FBI issued a press release on November 13, 2021, announcing an incident involving fake emails that were sent out from an FBI email account. A hacker sent spam emails to at least 100,000 people, using email addresses that were scraped from a database of a non-profit organization, the American Registry for Internet Numbers. The fake email messages claimed that the email recipients themselves had fallen victim to data breaches.

The FBI attributed the incident to a software misconfiguration that temporarily allowed the hacker to use the Law Enforcement Enterprise Portal (“LEEP”) to send the fake emails. Following the incident, the FBI stated that “no actor was able to access or compromise any data or [personally identifiable information] on the FBI’s network.” The FBI remediated the vulnerability in the LEEP software after learning about the incident and warned readers to disregard the fake emails.

Takeaway: While the FBI is usually a resource to help combat cybersecurity threats, it found itself the victim of this latest cyberattack. This incident underscores that no organization is immune from the risk of a cyberattack. It also underscores the importance of training employees to recognize that even emails that on their face may appear to be from a highly legitimate source may be from a threat actor. Training employees to be on the lookout for sophisticated phishing emails and consistent monitoring for bad actors and potential cybersecurity threats should help reduce risk to your organization.

ICO Calls on Advertising Companies to Eliminate Privacy Risks

The UK Information Commissioner’s Office (“ICO”) published guidance on November 25, 2021 on the privacy standards advertising companies should meet when designing new technologies, explicitly mentioning the Google Privacy Sandbox.

According to the opinion, any new advertising technology must:

  • engineer data protection requirements by default;
  • offer users the choice of receiving adverts without tracking, profiling or targeting based on personal data;
  • be transparent about how and why personal data is processed across the ecosystem and who is responsible for that processing;
  • articulate the specific purposes for processing personal data and demonstrate how this is fair, lawful and transparent; and
  • address existing privacy risks and mitigate any new privacy risks that their proposal introduces.

Takeaway: The ICO’s guidance is a further example of its ongoing focus on the online advertising sector’s implementation of privacy protections and corresponding compliance obligations, and the push towards “privacy by default” for new technologies. With increased scrutiny from the UK and EU data protection agencies, companies active in AdTech should ensure that their offers are consistent with applicable regulatory guidance in order to mitigate risks. The growing cooperation between data protection authorities and competition agencies in this area should sound a warning to companies to ensure that their initiatives do not infringe competition law.

Report from the Work Group on Virginia’s Consumer Data Protection Statute

The Virginia Consumer Data Protection Work Group of the Joint Commission on Technology and Science (the “Work Group”) issued on November 1, 2021, a final report regarding the implementation of the Virginia Consumer Data Protection Act (“VCDPA”), Virginia’s CCPA-like privacy law. The VCDPA will go into effect on January 1, 2023. The Work Group was established to study findings and best practices, and to make recommendations, prior to the January 2023 implementation of the VCDPA.

The Work Group identified 17 “points of emphasis” that arose from their meetings. Many of these points focus on the state’s enforcement authority under the VCDPA. Among other actions, the Work Group recommended allowing the Attorney General to “pursue actual damages” based on consumer harm and to submit a budget to fund attorneys and staff members who will lead VCDPA enforcement efforts. The Work Group recommended that an ability to cure option be made available that could allow alleged violators of the VCDPA to cure possible infringements before facing enforcement, but also recommended a sunset on the option to prevent companies from exploiting the cure provision.

Notably, the Work Group recommends recruiting nonprofit consumer and privacy organizations to “address concerns” with the VCDPA’s definitions of “sale,” “personal data,” and “publicly available information.” Another significant point of emphasis calls for the consideration of whether the definition of “sensitive data” should include general demographic data used to promote diversity and outreach to underserved populations. The VCDPA currently requires consumers to consent to the collection of their sensitive data, which would limit the ability of businesses to process sensitive demographic data that could be used to benefit minority groups and underserved communities. This development will be of particular interest given the nascent interest of companies, particularly in regulated sectors, in using inclusive demographic data to test for systemic bias in AI models and reduce the risk of associated discriminatory impacts.

The Work Group also encourages the development of “third-party software and browser extensions to allow users to universally opt out of data collection,” in place of individual opt-outs on each website. Incorporating this concept of a universal opt-out mechanism into the VCDPA would align the law with both the California Privacy Rights Act and the Colorado Privacy Act, both of which require rulemaking to develop technical specifications of a universal opt-out mechanism that would allow consumers to signal a preference to opt-out of the sale of their personal information.

Takeaway: Given the approaching January 2023 effective date of the VCDPA, now is the time for businesses to start evaluating their privacy policies and procedures for alignment with the VCDPA. Businesses may also want to monitor opportunities to influence the outcome of the VCDPA’s implementing regulations in rulemaking, “town halls,” or similar proceedings.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising