Data-rich companies like Facebook have a unique opportunity to capitalize on the recent surge in regulatory scrutiny and turn it to their advantage.

Savvy tech companies are attuned to public opinion and won’t allow others to control the narrative. They are already taking steps to regain the upper hand in the privacy debate.

Facebook demonstrated this during Senate hearings on the Cambridge Analytica “data breach” by announcing it would upgrade privacy features and offer its users protections that mirror those in the EU’s strict General Data Protection Regulation (GDPR). Facebook has also gone out of its way to publicize its efforts to comply with GDPR. Messaging service WhatsApp, too, recently touted its decision to set a minimum age of 16 for EU users.

Some of the major tech companies – Facebook, Google and Apple – could actually benefit from increased data privacy and security regulation if they take the initiative. They have the resources to impose strict compliance requirements on smaller third-party players such as application developers and vendors in the tech ecosystem, portraying themselves as trusted custodians of consumer data.

To gain the advantage, they will need to be proactive because regulators are not sitting back.

Officials at all levels of government are clamoring to get a piece of the data privacy enforcement pie. The SEC recently imposed a first-of-its-kind $35 million fine on Altaba Inc., formerly Yahoo, for failing to disclose a major data breach. The FTC struck a first-of-its-type 20-year consent decree that requires Uber Technologies Inc. to report any future data breach regardless of whether it involves harm to consumers. States are also getting into the act. Arizona and Delaware recently joined the list of states that have toughened their breach notification laws, while attorneys general have stepped up enforcement activities in Massachusetts (Equifax), New York (Facebook), Pennsylvania (Uber) and other states.

Data is the new currency. As a result, antitrust regulators have stepped up scrutiny of M&A deals in relation to the aggregation and control of data. This has already affected proposed deals. The EU halted Apple’s proposed acquisition of Shazam over possible adverse effects on other music streaming services.

In this climate, it is no time for major tech companies to lay low. The smarter path – the one that will allow them to regain the initiative – is taking proactive steps to address privacy and data security concerns before regulators do it for them.

EU and U.S. officials finally unveiled the full text of the proposed EU-U.S. Privacy Shield framework earlier this week. The agreement is the culmination of a five-month negotiation to address European concerns regarding mass surveillance and personal data protection issues surrounding transatlantic data transfers. The European Commission’s Article 29 Working Party must now review and approve it.

Privacy Shield replaces the Safe Harbor framework, which the European Court of Justice invalidated in October. That decision impacted nearly 4,000 United States companies that transfer data from the EU to the United States under Safe Harbor.

Under the provisions of Privacy Shield:

  • Companies must self-certify annually that they meet its requirements.
  • The U.S. Department of Commerce will monitor all registered companies to ensure that their publicly facing privacy notices reflect Privacy Shield principles.
  • Companies that leave the program will still be required to follow its principles for as long as they use, maintain and store the personal data they received while they were participants.
  • There will be a 45-day response period for EU consumer complaints related to mishandling personal information.
  • In addition to directly contacting the company, EU consumers can submit their complaint to their data protection authority, which will coordinate with the U.S. Department of Commerce or the Federal Trade Commission to achieve a response within 90 days.
  • Companies must offer an alternative dispute resolution process for consumers and provide details on that process in their privacy notice.
  • Participating companies that do not comply with the Privacy Shield framework will face sanctions, which can include fines and exclusion from the program.

The Story So Far

The origins of the Safe Harbor framework, agreed upon in July 2000, lie in the 1995 EU Data Protection Directive, which laid out seven data protection principles. Safe Harbor allowed companies to transfer data out of the EU if they annually self-certified their adherence to those seven principles. About 4,000 U.S. companies took advantage of the program as an alternative to binding corporate rules or model contractual clauses.

In October 2015, the European Court of Justice (ECJ) found that Facebook’s transfer of data from the EU back to the U.S. violated EU citizens’ privacy rights under the EU Data Protection Directive, and invalidated Safe Harbor in the process. The case arose in response to Edward Snowden’s revelations about the NSA’s PRISM program.

Shortly thereafter, EU authorities announced they would suspend enforcement campaigns against Safe Harbor-certified U.S. companies until February 2016, but reserved their rights to enforce the Data Protection Directive in the event that a replacement was not implemented before that deadline.

Enter the Judicial Redress Act, Stage Left

Meanwhile, the U.S. Senate began negotiating the terms of the Judicial Redress Act – a bill that would allow EU citizens to pursue a private right of action for misuse of their personal data that occurs in the U.S. While the Act falls short of providing the same level of protections EU citizens enjoy in their own countries, it does more closely align those protections, allowing some level of comfort for EU officials.

The U.S. House of Representatives passed its Judicial Redress bill in October 2015, shortly after the ECJ’s decision. The bill was expected to pass the Senate in early 2016, but an 11th-hour amendment limited the right to sue to citizens of countries that permit data transfers for commercial purposes to the U.S. and do not impose personal data transfer protections that impede U.S. national security interests. That amendment stalled discussions between the U.S. and the EU days before the February deadline. Fortunately, the parties reached an agreement before Congress finalized the privacy legislation; even so, the interested parties had to wait to see whether the U.S. would follow through on its promise to provide privacy protections to EU citizens.

The Senate voted on, and passed, the amended version of the Judicial Redress Act, which allowed both houses to consolidate and pass it. The finalized bill was sent to President Obama’s desk in mid-February and he signed it into law on February 24.

What’s Next?

The European Commission submitted the Privacy Shield text to the EU data protection authorities. The DPAs will convene in April to review and announce their position. While their positions will not be legally binding, they will be highly impactful and could set the stage for the ECJ’s inevitable review of the framework. If the ECJ finds that the agreement fails to adequately protect EU citizens and their right to privacy, then the court will likely send it back to the committee for a rewrite. The associated uncertainty prior to any review may lead to greater demand for U.S. companies to implement binding corporate rules or model contractual clauses to transfer personal data out of the EU. Additionally, many U.S. companies have already been exploring projects to create local data infrastructure in the EU, which may become necessary if Privacy Shield is never ratified.

A recent bill proposed in the U.S. Senate sets out requirements for publicly traded companies to increase transparency about cybersecurity threats, risks and breaches. The bill includes disclosure standards such as having publicly owned companies reveal whether anyone on their board of directors has cybersecurity expertise or specialization. Companies would provide this information through U.S. Securities and Exchange Commission investor reports.

The bill stems from an urgency to combat cyber threats in light of investigative findings on the cybersecurity practices of the top 100 financial firms, as well as recent attacks on major publicly traded companies like Sony and Home Depot. If the bill passes, investors and shareholders can monitor how well public companies secure private data and information, motivating companies to enhance security measures.

In an effort to standardize data breach laws nationwide, Rep. Marsha Blackburn (R-Tenn) introduced H.R. 1770 to the House Energy and Commerce Committee this past week. Called the Data Security and Breach Notification Act, it aims to replace all state data breach laws with one federal standard. Currently, 47 states and the District of Columbia have separate and distinct data breach laws. Rep. Blackburn’s legislation intends to make it easier for U.S. companies to adhere to data breach requirements by creating uniformity.

If passed, H.R. 1770 would require any company that “acquires, maintains, stores, sells or otherwise uses data in electronic form that includes personal information”[i] to “implement and maintain reasonable security measures and practices to protect and secure personal information.”[ii] While companies that suffer a security breach are subject to notification requirements, notification is not required if there is “no reasonable risk that the breach of security has resulted in, or will result in, identity theft, economic loss or economic harm, or financial fraud to the individuals whose personal information was affected by the breach of security.”[iii] However, in cases where more than 10,000 individuals’ personal information is “accessed or acquired by an unauthorized person,” the breached company would be required to inform the Federal Bureau of Investigation and/or the Secret Service.[iv] If enacted, the legislation would give enforcement powers to state Attorneys General and the Federal Trade Commission.[v]

Following its approval by the House Energy and Commerce Committee on April 15, H.R. 1770 could reach the House floor under the guidance of Chairman Fred Upton (R-Mich) sometime during the week of April 20.

References
[i] Data Security and Breach Notification Act of 2015, H.R. 1770, 114th Cong. § 5(5) (2015).
[ii] H.R. 1770 at § 2.
[iii] H.R. 1770 at § 3(a)(3).
[iv] H.R. 1770 at § 3(a)(5).
[v] H.R. 1770 at § 4(a)-(b).