The amended Judicial Redress Act has passed the House and is on its way to the president to be signed into law. The Act, which we covered in an earlier blog post, gives citizens of foreign countries the same rights as US citizens in connection with the use by the US government of their personal data, subject to a determination by the Attorney General that the country in question cooperates with the US in sharing law enforcement information, doesn’t impede the flow of personal data to the US for commercial purposes, and meets certain other requirements. Essentially, the Judicial Redress Act helps assuage the EU’s concerns about government uses of personal data. The Judicial Redress Act is vital for the EU’s acceptance of the Umbrella Agreement for sharing of data by law enforcement agencies. It should be helpful for the proposed new “Privacy Shield,” which is currently under review by representatives of Europe’s national data protection agencies.
There’s no doubt businesses in the EU and US would breathe a sigh of relief if a new Safe Harbor agreement is put in place before European data protection authorities start prosecuting companies for potentially illegal personal data transfers to the US. But if it doesn’t happen, the US is actually not any worse off than most of the rest of the world. No other country has a special agreement with the EU concerning personal data transfers, and only eleven countries have been deemed to be “adequate” by the European Commission: Andorra, Argentina, Canada (commercial organizations only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
Only one of the countries on the “adequate” list, Switzerland, is a “top ten” EU trade partner, according to the latest trade statistics published by the Commission (based on 2014 figures). Only two of the countries are in the top twenty (Canada is in twelfth place). Japan, India, Brazil, Turkey, South Korea, all “top ten” EU trade partners, are not on the “adequate” list. Nor is China or Russia, both of which have significant trade with the EU (coming in second and third in the “total EU trade” rankings published by the Commission). So if the US isn’t on the “adequate” list, it is no worse off than most other major EU trade partners.
Just at the end of 2015, the Cybersecurity Information Sharing Act (CISA) was enacted into law as part of the omnibus spending measure passed by Congress and signed by President Obama right before Christmas. The legislation combines elements from the versions of CISA that passed the House in April of 2015 and the Senate in October.
Enactment of CISA was driven by the goal of clearing away some of the legal uncertainty and liability risk concerns inhibiting sharing of cybersecurity threat information. Cyber criminals are technologically proficient and constantly innovating, which means that protecting American enterprise networks, industrial control systems, and electronic information systems requires continued vigilance and innovation. There is broad agreement that the nation’s cyber defense posture could be greatly strengthened through more robust and timely sharing of cyber threat information both between the government and the private sector and between private companies themselves.
The EU Parliament committee that is charged with considering data protection matters (LIBE) has issued a press release calling on the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor. Importantly, LIBE has also called on the Commission to reassess whether the European Court of Justice’s recent invalidation of Safe Harbor casts doubt on other means for legitimizing the transfer of personal data from the EEA to the US.
As we have commented previously here, the ECJ’s rationale in the Schrems Safe Harbor decision could be used to attack both BCRs and Model Clauses. LIBE certainly seems to have picked up on that also.
As EU data protection watchers know, the draft General Data Protection Regulation (which has been around long enough to be universally referred to by its acronym, GDPR) exists in three major versions, with a fourth version recently released by the office of the European Data Protection Supervisor (EDPS). The EDPS is the EU’s own internal privacy cop and, of course, a significant commentator on EU data protection matters.
The authors of the EU Parliament and Council drafts used their own unique editing styles to show their changes to the Commission’s original draft, which makes it a challenge to compare all three drafts. The EDPS has made the drafts a bit more accessible to the public by launching an app to display the drafts side by side (two at a time) on a smart phone or tablet. There’s a Google Play and an Apple AppStore version – links here. I’ve tried the Apple version of the app and am pleased to report that it works well. The interface is easy to use. There’s a search function (remember to use British spellings, like “pseudonymisation” and “unauthorised”).
The EDPS has also prepared a PDF version showing the four drafts in columns, but it’s not a particularly user-friendly format. As a lawyer, I’d prefer nice clean copies of the four versions in a form I could redline, but failing that, I’ll take the app!
As cyber week continues in Washington, Federal Communications Commission Chairman Tom Wheeler traveled to the west coast to speak about cybersecurity at the RSA Conference in San Francisco. Wheeler noted that the FCC has several charges to protect against cyber-attacks and similar threats, including the agency’s responsibility to protect the safety of communications networks generally, as well as its responsibility to protect the privacy of consumer data collected by communications providers.
Wheeler centered his remarks on information sharing and accountability by the private sector. He suggested that the communications industry’s approach to 911 calls – a combination of industry best practices and rules requiring that network outages be reported to the government – could serve as a model for cybersecurity information sharing. Cyber-attacks should be subject to similar reporting requirements.
He praised the work of the National Institute of Standards and Technology for its Critical Infrastructure Framework, and the FCC’s cybersecurity advisory committee, the Communications Security, Reliability and Interoperability Council (“CSRIC”) for its recommendations, released last month, to assist and encourage communications providers with implementing NIST’s voluntary framework. He focused specifically on one of CSRIC’s accountability proposals – that members of the communications sector periodically meet with the FCC to discuss their companies’ cyber-risk management efforts. He acknowledged that the FCC’s goal is not to micromanage implementation of the NIST framework by communications companies, but instead to learn whether the framework and companies’ efforts are actually working to mitigate risk. He stated that the meetings will not be framed as depositions and sensitive information shared would be protected from public disclosure, but that many of the details regarding the meetings still need to be worked out. The FCC is seeking comment on this and the other CSRIC recommendations until June 26, 2015.
And, back in Washington, the House of Representatives passed the Protecting Cyber Networks Act on a 307-116 vote over the concerns of civil liberties groups.
Security is on the agenda from coast to coast this week.
Cybersecurity information sharing legislation will hit the House floor this week. H.R. 1731, the National Cybersecurity Protection Advancement Act was reported out of the House Committee on Homeland Security on April 17, and H.R. 1560, the Protecting Cyber Networks Act was moved by the House Permanent Select Committee on Intelligence on April 13. The two bills will likely be merged before coming to a vote. Similar to the Cybersecurity Information Sharing Act moving through the Senate – the most recent version of which, S. 754, was reported out of the Senate Select Committee on Intelligence in March – both House bills authorize and provide liability protections for companies to, for cybersecurity purposes, monitor their networks and share information on cybersecurity threats with both the government and other private companies. The bills also authorize the use of defensive measures to protect networks from malicious threats, though they contain limits designed to restrict so-called “hack back” techniques.
Both bills include privacy protections designed to safeguard personal information and restrict companies from sharing it with either the government or other private entities, but some privacy advocates are still concerned about the adequacy of these safeguards. Privacy has remained a hot-button issue surrounding cyber information sharing legislation since Edward Snowden’s exposure of the National Security Agency’s bulk collection of telephone metadata and PRISM surveillance program.
And, the RSA Conference — “where the world talks security” — opens today in San Francisco. The conference kicks off this morning, with a keynote by RSA President Amit Yoran and another later in the day by Department of Homeland Security Secretary Jeh Johnson, but yesterday, things were already getting rolling as the Cloud Security Alliance held its CSA Summit, focusing on enterprise cloud adoption and security lessons learned. Trusted Computing Group had its panel discussion combining mobile computing, Internet of Things, and cloud security. Follow the RSA Conference blog for summaries and updates.
Thanks to Mary Lovejoy for the Washington update.
The draft Data Protection Regulation doesn’t offer many carrots to business – and a recent announcement by the Council of the European Union takes away one of the biggest carrots, the “One-Stop Shop” mechanism.
The One-Stop Shop refers to the principle that businesses would have to deal with just a single national data protection authority instead of 28 different authorities across the EU. The objective was to simplify logistics for businesses and to reduce any chance of multiple, inconsistent requirements from different authorities.
Good Monday – The East Coast prepares for Apocalypse (Sn)ow.
In the meantime, here are three privacy-related tidbits for your day.
Privacy Concerns Cause Scale Back of Release of HealthCare.gov Data
We spend a fair amount of time warning about third party vendors and the risk that such vendors can pose to sensitive data. Just ask Target. Last week, the Associated Press revealed that the healthcare insurance exchange, HealthCare.gov, was connecting with third party analytics sites and others and operating much like any commercial website — except that it is not. The AP reported over the weekend that the Obama Administration has “reversed itself” and scaled back the release of (or access to) consumer data — including anonymized data. According to the AP’s Saturday follow-up, an analysis of the Federal exchange showed that the number of third party companies with connections embedded in the site, thus giving them access to consumer data, “dropped from 50 to 30.”
The Hill — The Centers for Medicare and Medicaid Services will encrypt additional data when customers use the Window Shopping feature on HealthCare.gov.
New York Times — Is the data usage “industry standard” and much ado about SOP?
As expected in his State of the Union address last night, President Obama made it very clear that cybersecurity is on his agenda for 2015. After stating that:
“No foreign nation, no hacker should be able to shut down our networks, steal our trade secrets or invade the privacy of American families, especially our kids,”
the President urged Congress to “finally” pass “legislation we need to better meet the evolving threat of cyber attacks, combat identity theft, and protect our children’s information” and cautioned lawmakers that “if we don’t act, we leave our nation and our economy vulnerable.”
Just days before the State of the Union address, in a speech delivered at the Federal Trade Commission on January 12, the President highlighted the measures he discussed in the State of the Union and unveiled the next steps in his comprehensive approach to better protect American companies, consumers, and infrastructure against cyber threats. These steps include:
- Improving consumer security by establishing a national standard for companies to notify employees and customers about security breaches and identifying and preventing identity theft. For more information about the proposed Personal Data Notification & Protection Act, please see our prior blog post. The President announced that in an effort to tackle identity theft and assist consumers in spotting identity theft early on, several large financial companies have committed to offer free credit scores to their customers, joining an existing list of financial companies that already engage in this practice.
- Improving consumer confidence online by passing a Consumer Privacy Bill of Rights to establish an enforceable code of conduct for online interactions and protect consumers’ privacy. This proposed legislation will be based on the Obama Administration’s 2012 Consumer Privacy Bill of Rights and is expected to be released within the next month and a half.
- Safeguarding student data in the classroom and beyond by passing legislation to promote student privacy, convening the private sector to pledge to help enhance the privacy of students, and offering new tools via the Department of Education to help schools and teachers better protect the privacy of students. Sometime in the next two months, the Obama administration will release a proposal to update the Family Educational Rights and Privacy Act (FERPA). The President highlighted that the proposed Student Digital Privacy Act would: (i) limit the use of data collected “in an educational context” to educational purposes; (ii) prohibit companies from selling student data to third parties for unrelated purposes; and (iii) prohibit targeted advertising derived from data collected in school. However, the bill would still permit the use of such data for certain types of research, as well as for improving the effectiveness of learning technology products. The President noted that the bill would be modeled on a recently passed California law covering the collection and use of student data. For more information on the California law, please see our prior blog post.
- According to a recent White House press release on the subject, as part of the Obama Administration’s comprehensive plan to better protect the privacy of consumers, on January 12, the Department of Energy and the Federal Smart Grid Task Force released a new Voluntary Code of Conduct (VCC) “for utilities and third parties providing consumer energy use services that will address privacy related to data enabled by smart grid technologies.” For more information about this initiative, please click here.
The next item on the lawmakers’ agenda is a hearing before the House Energy and Commerce subcommittee next Tuesday entitled “What are the Elements of Sound Data Breach Legislation?” According to new subcommittee Chairman Michael Burgess (R-TX), “data security will be the focus of our subcommittee’s first hearing as we drill down on what components should be included in a bill that will give consumers the peace of mind they deserve.”
We will keep you updated on proposed legislation and new initiatives that are part of the Administration’s cyber security plan.
If cybersecurity and data privacy are on the President’s agenda, shouldn’t those issues be on the top of your company’s agenda this year?!