Data Protection Law Compliance

On Tuesday, November 7th from 2:00 to 6:30, Fox Rothschild and Kroll will be presenting the CLE: Staying One Step Ahead: Developments in Privacy and Data.  The CLE will take place at Fox Rothschild’s offices at 353 N. Clark Street in Chicago.  The speakers are Bill Dixon from Kroll, and Dan Farris and Mark McCreary from Fox Rothschild.  Cocktails and networking will follow the presentations.

If you are in the Chicago area on November 7th, I hope you will join us.  Click here to register for this free event.

Elizabeth Litten (Fox Rothschild Partner and HIPAA Privacy & Security Officer) and Mark McCreary (Fox Rothschild Partner and Chief Privacy Officer) will be presenting at the New Jersey Chapter of the Healthcare Financial Management Association on August 30, 2017, from 12:00-1:00 pm eastern time.  The presentation is titled: “Can’t Touch That: Best Practices for Health Care Workforce Training on Data Security and Information Privacy.”

This webinar is a comprehensive review of information privacy and data security training, with an emphasis on imparting practical know-how and a fluency with the terminology involving phishing, ransomware, malware and other common threats. We will cover best practices for sensitizing health care industry workers to these threats as part of their ongoing HIPAA compliance efforts and, more generally, for training workers in any business on the proper handling of sensitive data. We will cover the adoption of policies and a training regimen for the entire workforce, as well as tailored training for those in positions responsible for implementing security policies.

More information and a registration link can be found here.

Fox Rothschild partner and firm Chief Privacy Officer Mark G. McCreary sees a trend: Law firms are increasingly recognizing that naming a lawyer to lead data security and privacy efforts is “an essential ingredient in good risk management.”

In an article for Law360 entitled “Notes From A Law Firm Chief Privacy Officer: CPO vs. CISO,” McCreary writes:

“To understand the role of the CPO — and why that person ought to be a lawyer — it’s important to distinguish the role they fill from that of the chief information security officer or CISO, who is typically a nonlawyer and leads the firm’s information technology department.”

We invite you to read his full article.


On June 14, Fox Partner Scott Vernick appeared on live-streaming financial news network Cheddar to provide background information on the European Union’s General Data Protection Regulation, which goes into effect on May 25, 2018. To comply with the new privacy rules, companies that provide online services to residents of the EU will be required to obtain documented “hard consent” from customers before processing and storing their data. For many American companies, this is a significant shift.

Scott outlines the high stakes for companies affected by the GDPR, in the form of a fine for failure to comply of four percent of their worldwide annual turnover (i.e., gross revenue). He also discusses the potential impact on EU-based user experience, and notes that companies will need to account for changes to the GDPR allowed within specific member countries.

We invite you to watch Scott’s informative segment.

On March 15, Fox Rothschild partner Scott Vernick will participate in a panel discussion on Developments in Data Privacy & Security as part of the 2017 Argyle Chief Legal Officer Leadership Forum. The Forum will take place from 8 a.m. to 5 p.m. at the Convene Conference Center at 730 3rd Ave in New York City.

Scott and his fellow panelists will discuss the evolution of the GC role to include cybersecurity and data privacy, how cybersecurity fits into an organization’s risk management structure, as well as proactive risk assessments GCs can use to identify and prioritize critical assets and data for their business. Attendees will also receive information on new regulatory challenges, how GCs can best collaborate with and advise other organization leaders on the topic of cybersecurity, and working with outside counsel on these and related issues. The panel discussion is scheduled from 10:10 a.m. to 11:00 a.m.

To register for the event, please visit the Argyle Forum event page.

On Wednesday, the United States and Switzerland struck a new “Privacy Shield” agreement that mirrors the U.S.-EU Privacy Shield framework. It will allow multinationals to continue to transfer data between the U.S. and Switzerland while complying with Swiss data protection requirements.

The deal replaces an existing safe harbor agreement, which has been in question since the Schrems decision was issued in October of 2015. Companies with Swiss Safe Harbor certification may begin certifying under the new U.S.-Swiss Privacy Shield framework on April 12. The 90-day delay is intended to provide companies with time to review the new Swiss principles and the commitments they entail.

Ken Hyatt, the acting Under Secretary of Commerce for International Trade, praised the accord, saying it “will enhance transatlantic data protection and support the continued growth of U.S.-Swiss commercial ties, which included two-way direct investment totaling more than $410 billion in 2015.”

And Swiss officials echoed the sentiment, highlighting that the deal aligns with the U.S.-EU Privacy Shield framework, and imposes stronger obligations on U.S. companies to protect the personal data of Europeans. Like the U.S.-EU framework, this new deal also requires more stringent monitoring and enforcement by the Department of Commerce and the Federal Trade Commission.

Last October, the European Court of Justice invalidated Safe Harbor, throwing a legal wrench into the transatlantic data transfer machinery of thousands of EU and U.S. companies. On Tuesday, the European Commission (EC) provided relief from the digital limbo that has ensued by formally approving and adopting the new Privacy Shield pact, a week after EU member states provided their own seal of approval. The agreement paves the way for new certification and the resumption of EU-U.S. data transfers for commercial purposes.

Privacy Shield was designed and negotiated to ensure an adequate level of protection for the personal data of EU individuals upon and after transfer from the EU to the U.S. Though the EC’s decision takes immediate effect, domestically the framework will first be published in the Federal Register, and companies will be able to self-certify Privacy Shield compliance to the U.S. Department of Commerce beginning August 1.

While the initial draft of the agreement was met with significant pushback in Europe, negotiators have since strengthened the independence and authority of the U.S. ombudsman, clarified what constitutes proper “bulk” data collection (and how it differs from mass surveillance), and added detail to the requirements for corporations. Among these is an obligation to delete personal data that is no longer necessary for processing purposes. Such changes cleared the way for EU member state and EC approval.

Despite the fanfare, the deal has not received universal acclaim. Max Schrems, the Austrian law student whose lawsuit ultimately led to the invalidation of Safe Harbor, has already threatened a new legal challenge. Indeed, the new framework may turn out to be only a short-term solution. If the European Court of Justice eventually considers a challenge to the agreement, there is no guarantee that it will survive. The ECJ could very well find that Privacy Shield contains the same adequacy failings as it found within Safe Harbor – a decision that was based more on U.S. surveillance programs than any business compliance failures.

Nonetheless, Privacy Shield now provides a third option for businesses’ data transfer compliance, alongside binding corporate rules (BCRs) and model contract clauses. The latter two options tend to be more costly and do not provide absolute protection against claims or enforcement actions. Yet, regulators in both the EU and U.S. have made clear that they will not look favorably on a failure to counter Safe Harbor’s invalidation. Incorporating these facts may lead companies to consider a multipronged approach to compliance.

What Are the Implications of the Privacy Shield on U.S. Companies?

Both U.S. companies and the federal government will see significant changes as a result of Privacy Shield. As we await publication of the full text, the Department of Commerce and European Commission have provided some further detail and guidance as to requirements for U.S. companies wishing to participate:

  • The Department of Commerce and the Federal Trade Commission will provide oversight and enforcement.
  • Each participating company must register with the Department of Commerce starting August 1, 2016:
    • They must publicly self-certify that they meet and will continue to meet the outlined data protection standards. These include enhanced rights for individuals whose data they collect, limitations on what data can be transferred, and new rules surrounding data retention;
    • They must renew their self-certification every year.
  • Each company must have an adequate privacy policy in place, containing:
    • a statement of its commitment to the Privacy Shield and other required language; and
    • information on individuals’ right to access their personal data and the possibility the company will disclose that data to third parties (including relevant authorities).
  • Each company must establish procedures to collect and address complaints from individuals, including free avenues to resolve disputes (for example, participating in binding arbitration).
  • Each company must institute additional safeguards and notice requirements for data transfers to third parties.

Companies and chief executives who fail to prepare for, timely report, or learn from data breaches would face significantly enhanced penalties if the recommendation of the UK Parliament’s Culture, Media and Sports Committee is adopted.

The Committee, which is probing the circumstances surrounding the breach at UK telecom company TalkTalk last November, is calling for tying compensation for CEOs to the effectiveness of their companies’ cybersecurity programs.

While it also called for harsher treatment of cyber criminals, it was the Committee’s focus on executive compensation that drew the most comment.

“Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment,” Committee Chairman Jesse Norman said in a statement. “Failure to prepare for or learn from cyberattacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”

The Committee proposed to strengthen sanctions available to the Information Commissioner’s Office, England’s data protection regulator. The ICO now has the power to impose fines of up to £500,000. The Committee opined that the maximum penalty “may not be a significant deterrent for a large company.”

Instead, it called for fines that grow in severity where a breach is the result of specific factors, such as a company’s lack of attention to threats and vulnerabilities – and especially any that have led to previous breaches – or its failure to implement security by design principles to combat cyber risks. The Committee also proposed that executives be required to take a more active role in cybersecurity initiatives. Companies with significant consumer data, it said, should be required to report annually on their cybersecurity and data protection programs.

Operational and technical matters, the Committee said, are at the heart of any cyber program, so the onus generally is on the CIO, CISO, or Privacy Officer. “Ultimate responsibility,” however, stays with the organization’s CEO. As a result, the Committee called for CEO compensation to be linked to cybersecurity program effectiveness.

Such a policy, it said, would “ensure this issue receives sufficient CEO attention before a crisis strikes.”

It was a stunning development, especially in light of the view that “TalkTalk responded quickly and well to this attack.” However, the Committee used the TalkTalk inquiry to more generally consider the rules for protecting consumer data, the role of encryption, and damages available to consumers who have been victims of data breach.

“As the TalkTalk case shows, the reality is that cyberattacks are a constant, evolving threat,” Norman said. Although TalkTalk had adequately responded to the breach in question, it “appear[ed] to have been much less effective in the past, failing to learn from repeated breaches of different kinds.”

Such language is breathtaking and hints that any inquiry into a breach could open the door for a comprehensive retroactive analysis of historic privacy and data security initiatives within the organization.

The future of distributed ledger technology (DLT) seems filled with diverse and world-changing applications, from finance and economics to energy distribution and intellectual property. According to the European Securities and Markets Authority (ESMA) – a top EU securities watchdog – it should also be filled with financial regulation.

Last week, ESMA published a Discussion Paper calling for new regulation on DLT and blockchain, as it pertains to financial and securities markets. The paper comes as those markets are experiencing a boom in virtual currencies and the underlying distributed ledgers that support them.

ESMA’s Analysis

The potential benefits of DLT are many, including faster clearing and settlement of financial transactions, a reduction in the number of third parties involved in transactions, and efficiency in the reconciliation process. DLT could become a method to issue digital securities, track ownership, and even provide greater transparency and more robust regulatory reporting.

According to the paper, ESMA has been “investigating” the rise of blockchain since 2013 and “believes that the DLT will need to overcome a number of possible challenges and shortcomings before its benefits can be reaped.” Beyond technical shortcomings, the agency noted governance gaps, privacy and cybersecurity risks and regulatory issues, among other challenges.

Specifically, the agency noted that “[l]egal issues, such as the legality and enforceability of the records kept on the DLT, also need to be carefully considered. Differences in securities and company laws across the EU may also interfere with a wide deployment of the DLT in securities markets in the EU.” ESMA also raised potential cybersecurity concerns, noting that a criminal who hacked into the shared ledger could not only access information stored at the point of attack, but also potentially any and all of the sensitive information contained in the ledger.

Other Authorities and Stakeholders

The agency is not alone in its interest in greater regulation of DLT in Europe. In May, the European Parliament created a new task force to consider virtual currency technology and regulatory issues surrounding it, moving a step closer to regulation. The European Commission is also forming a team of experts to monitor developments and weigh the benefits and risks of virtual currencies and related technology in financial markets.

While European authorities explore the idea and extent of regulation, banks and technology companies are dedicating more resources to DLT implementation. Last year, 42 large multinational banks banded together to form R3 consortium, a partnership to develop standards and implement blockchain technology cross-platform. Microsoft recently announced a partnership with R3 to develop a “blockchain as a service” cloud-based product suite.

While DLT holds substantial promise, achieving cost savings will likely involve new or additional regulatory compliance obligations.

In February, the European Commission (EC) and U.S. Department of Commerce unveiled Privacy Shield, a proposed deal to replace the invalidated Safe Harbor framework for EU-to-U.S. data transfers.

On Wednesday, the Article 29 Working Party, a group of European data protection authorities (DPAs), weighed in, issuing an opinion criticizing the proposal. The opinion expresses significant concerns about the framework’s protections for EU citizens as they pertain to U.S. government surveillance programs. It is also a setback for U.S. companies awaiting an approved agreement on transatlantic data transfers.

The Working Party’s Concerns

While conceding that the Privacy Shield as proposed is a substantive improvement, the Working Party expressed numerous concerns over the ways that both commercial and government entities outside of the EU could use transferred data.

According to French data protection regulator and Working Party chair Isabelle Falque-Pierrotin, “some key data protection principles as outlined in European law are not really reflected in the [proposed framework] or have been inadequately substituted by alternative notions.” The Working Party noted the absence of data retention and deletion standards for U.S. businesses aimed at avoiding reuse or repurposing of data for broader purposes, as is common practice here.

The Working Party also raised concerns about onward transfer, i.e. the process of transmitting European data transferred to the U.S. on to a third country, particularly those with lower privacy and data security standards. Onward transfer has proven tricky to manage even under Safe Harbor – even access to data on U.S. servers from a third country could be deemed a violation of the prohibition against onward transfer.

Also at issue were the proposed administrative mechanisms. For example, the Working Party expressed displeasure with the redress mechanism, which addressed questions about a judicial process through which Europeans could seek redress for misuse of their data. EU regulators prefer that European citizens be able to assert their rights through European DPAs. Likewise, the Working Party welcomed the creation of an ombudsman at the U.S. Department of State to oversee national security-related complaints, but noted that the position’s powers were not yet clearly defined and expressed doubts that the role would have the authority or independence to adequately address “massive and indiscriminate” bulk collection of data by U.S. surveillance agencies.

Lastly, the Working Party urged agreement on a “revision” clause that would allow it to reexamine the deal in 2018 when the General Data Protection Regulation (GDPR) is slated to take effect. Recently finalized in principle, the GDPR will seek to unify and further strengthen privacy and data security laws across Europe.

What’s Next?

Although it is nonbinding, the opinion will nonetheless be influential. It comes as European Union member states must next vote to approve or reject Privacy Shield. The European Commission must then confirm the adequacy of the framework in light of the Schrems decision. In other words, unless the European Commission and U.S. negotiators address the concerns expressed by the Working Party, the odds will increase that Privacy Shield will be challenged in European courts.

For their part, business leaders and groups across the U.S. and Europe have widely disagreed with the opinion, and have expressed support for Privacy Shield generally. They contend that it does indeed rise to the Court of Justice’s standard that a transatlantic data transfer deal must provide an “essentially equivalent” level of protection for personal data transferred from the EU to the U.S.

Until this regulatory uncertainty ends, U.S. businesses will find substantive compliance all but impossible. As we await next steps, the risk of liability or new regulatory enforcement campaigns aimed at U.S. companies only grows.