Features

General Data Protection Regulation (GDPR) Published, Commencing Two-Year Countdown to Application. One of the most important EU legislative initiatives in recent years, and a landmark in privacy regulation worldwide, the GDPR is set to replace the Data Protection Directive (95/46/EC) of 1995. On May 4, the final and as-approved version of the GDPR was published in the EU’s Official Journal. Businesses can expect the GDPR to become the law of the land applying throughout all EU member states beginning on May 25, 2018.

EU-US Privacy Shield – FAQs. Earlier last month, the European Commission formally approved a new transatlantic framework for the transfer of personal data from Europe to the United States, called the Privacy Shield. Under the EU Commission’s decision approving the new framework, U.S. organizations participating in the Privacy Shield will be deemed to ensure an “adequate level of protection” for the transfers of personal data from Europe to the U.S.

Six Myths of Breach Response. As data breaches are on the rise, so are the challenges that businesses face in handling these security incidents. This advisory identifies six strategic pitfalls to avoid when responding to breaches and addresses the true significance of public notification, common mistakes in preserving attorney-client privilege, and tough choices regarding the selection of public relations, investigative, and external counsel.

Recent FTC Action:

• InMobi to Pay $950,000 to Settle FTC Charges That It Secretly Tracked Phone Users. The tracking, conducted through the company’s mobile application, was alleged to involve hundreds of millions of consumers, including children. The FTC complaint alleges that InMobi’s software was actually tracking consumers’ locations regardless of whether opt-in consent was given and even when consumers denied permission to access their geolocation data.
• FTC Approves Final Order Prohibiting Misrepresentation About APEC Cross Border Privacy Rules (CBPR) Participation. In one of its first actions enforcing representations regarding the CBPR, the FTC entered into a final order with Vipvape, a manufacturer of hand-held vaporizers. The complaint alleged Vipvape misrepresented its participation in the Asia-Pacific Economic Cooperation (APEC) CBPR program on its webpage when, in fact, Vipvape was not certified to participate in the APEC CBPR system.
• FTC Issues Warning Letters to 28 Companies Claiming Participation in the APEC CBPR System. On July 14, 2016, the FTC announced that it had issued warning letters to 28 companies regarding their claims of participation in the APEC CBPR system. The APEC CBPR system is a voluntary, enforceable mechanism that certifies a company’s compliance with the principles in the APEC CBPR system and facilitates privacy-respecting transfers of data among APEC member economies. The warning letter states that the FTC’s records do not indicate these companies have taken the requisite steps to be able to claim participation in the APEC CBPR system.

European Council Adopts the Network and Information Security Directive. On May 17, 2016, the European Council formally adopted its position at first reading of the Network and Information Security (NIS) Directive, bringing the NIS Directive closer to entry into force. The NIS Directive sets forth new cybersecurity obligations for providers of essential services (including entities within the energy, transport, banking, health, and drinking water supply and distribution sectors) and digital service providers (providers offering online marketplaces, online search engines, and cloud computing services). For a deeper analysis of the NIS Directive, please see “Even More EU Data Regulation: The Network Information Security Directive,” written by Jan Dhont and Jim Harvey.

Illinois Makes Extensive Changes to Data Breach Notification Law. On May 6, 2016, Illinois Governor Bruce Rauner signed HB 1260, which significantly updates the state’s Personal Information Protection Act. The changes take effect on January 1, 2017. Starting in 2017, the definition of personal information triggering notification in the Act will include an individual’s full name, or first initial and last name in combination with their health insurance policy number or subscriber identification number, or any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, “including such information provided to a website or mobile application.”

U.S. Supreme Court Holds Congress Cannot Confer Automatic Standing by Statute. The U.S. Supreme Court issued its much-anticipated opinion in Spokeo Inc. v. Robins. The Supreme Court granted certiorari in Spokeo to determine whether a bare violation of a statute – the Fair Credit Reporting Act (FCRA) – is sufficient to confer Article III standing, which requires that an injury be both (1) concrete and particularized; and (2) actual or imminent. Most importantly, the Court in Spokeo rejected the notion that Congress can confer standing to a litigant by statute. This analysis will likely have far-reaching implications for data privacy class actions, particularly those under the Telephone Consumer Protection Act.

Nebraska Makes Changes to Data Breach Statute. Nebraska Governor Pete Ricketts signed LB 835 into law, updating the state’s data breach notification statute. The changes took effect on July 20, 2016. With the updates, Nebraska joins a growing number of states that include a username or email in combination with a password or security question and answer that would permit access to an online account in the definition of personal information that, if acquired by an unauthorized person, would require notice.

[View source.]