Key Data Protection Considerations

In 2019, companies will need to continue to dedicate resources to identifying and managing compliance obligations related to data protection.

The European Union’s General Data Protection Regulation (“GDPR”) Six Months In

Key Challenges for Companies

• Applicability. Multinational organizations continue to grapple with the extra-territorial reach of the GDPR, which even in the absence of an EU establishment applies to data processing that involves the offering of goods or services to EU residents or the monitoring of their behavior in the European Union. Guidance on the territorial applicability of the GDPR has recently been published by the European Data Protection Board;¹ a careful, business-minded analysis (taking into account this guidance) must be undertaken to ensure that the extraterritorial applicability of the GDPR is identified.
• Ongoing Compliance Obligations. Organizations face numerous ongoing compliance obligations, including employee training, the incorporation of data protection into systems and procedures (by design and by default), and the undertaking of data protection impact assessments in connection with new processing activities.

Enforcement Action So Far

• The United Kingdom’s Information Commissioner’s Office (“ICO”) issued its first GDPR enforcement notice against Canada-based AggregateIQ on July 6, 2018 (this order was later varied and replaced by the ICO’s enforcement notice of October 24, 2018). The ICO did not impose an administrative fine, but instead ordered AggregateIQ to delete the personal data of UK data subjects from its systems, or otherwise face an administrative fine, up to the statutory maximum. The French supervisory authority, la Commission nationale de l’informatique et des libertés (“CNIL”) issued public formal notices against two marketing platform providers on June 25, 2018, for failing to obtain valid consent for the use of location data for profiling and targeted advertising and gave the companies three months to change their practices to comply with the GDPR (closing one matter after the company changed its practices). Portugal’s supervisory authority, Comissão Nacional de Protecção de Dados (the “CNPD”), issued its first administrative fine under the GDPR (of €400,000) against a hospital for failing to implement appropriate technical and organizational measures which allowed an excessive number of hospital staff to have access to patient records.

New Developments in Data Protection Laws

• CCPA. On June 28, 2018, California Governor Jerry Brown signed the California Consumer Privacy Act of 2018 (“CCPA”) into law. Certain provisions of the CCPA have since been amended, and the law may be subject to further amendment prior to becoming operative on January 1, 2020, but notable features of the draft statute are likely to remain intact, including a broad definition of personal data, expanded rights of California consumers to access, and prohibit the sale of, their personal information, obligations on businesses to comply with such requests and penalties for non-compliance.
• Biometric Laws. Three states, Washington, Illinois and Texas, have laws that require consent in order to use biometric data for commercial purposes. The Illinois Biometric Information Privacy Act (“BIPA”) provides consumers with a private right of action to sue for alleged violations. In April, a federal judge granted class certification to a group of Facebook users to proceed with a multi-billion dollar class-action suit against Facebook for violating BIPA in its use of facial-recognition software. Companies that utilize biometric data in order to identify individuals, especially those that operate online, should reassess their processing activities as the landscape of BIPA litigation evolves.
• European Union/Japan Reciprocal Adequacy Decision. On July 17, 2018, the European Union and Japan agreed to recognize each other’s data protection systems as equivalent, allowing businesses to transfer personal data between the European Economic Area (“EEA”) and Japan without further safeguards. The European Commission has so far recognized 12 other countries as adequate, but this is the first time that the European Union has agreed to a reciprocal adequacy arrangement.
• New Data Protection Regimes. New omnibus data protection laws were introduced in Brazil and Bahrain in 2018. Brazil’s data protection law (the Lei Geral de Proteção de Dados Pessoais), which mirrors many of the GDPR’s concepts, was approved in 2018 and will come into effect in early 2020. The Bahrain Personal Data Protection Law, passed in 2018, will come into effect in August 1, 2019. This law criminalizes many acts including the processing of sensitive personal data in a manner that contravenes the law’s specific requirements.
• Data Localization. A growing number of countries, most notably Russia and China, have been placing restrictions on transfers and exchanges of data beyond territorial boundaries, and requiring that data be hosted on local servers. The requirement of data localization will need to be considered alongside the principle of “storage limitation” under the GDPR (namely, that companies should not store personal data longer than is necessary for the purpose for which such data was gathered).

Adequacy of Security

• NYDFS Enforcement. In June 2018, Equifax agreed to implement stronger data security measures under a consent order with the New York State Department of Financial Services and seven other state banking regulators.² The order does not impose any fines or monetary penalties, but requires Equifax and, notably, its board of directors to take certain corrective actions with respect to Equifax’s data security programs and to improve Equifax’s oversight of information security.
• GDPR Principles. Underpinning the GDPR are seven core “Principles,” including integrity and confidentiality of personal data (also known as the “security” principle). Member state supervisory authorities have been quick to provide guidance on the implementation of this principle. As companies continue to audit their data security procedures in 2019, this guidance should be borne in mind. In particular, consideration of such guidance may help companies to comply with the principle of “accountability” under the GDPR.
• FTC Requirements. In a ruling issued on June 6, 2018, the Eleventh Circuit vacated an FTC cease-and-desist order against LabMD, Inc. as unenforceable because it found that the order commanded an overhaul of the company’s data security program without providing a reasonably definite standard by which a court could determine compliance.³ In light of this, in 2019, we may see the FTC focus on imposing more particularized data security requirements in response to alleged violations of the FTC Act.

Vendor Management

Vendor management and liability have become increasingly important in the United States, the European Union and Brazil.

• FTC Approach. An FTC settlement with BLU Products, Inc., a Florida-based mobile device manufacturer, highlights the need for companies to oversee their service providers with respect to both collection of personal information and data security practices. BLU’s mobile devices came pre-installed with software from a service provider BLU had contracted with to issue security and operating system updates to BLU’s devices. The settlement resolved allegations that the service provider, through its software, collected consumer data that was not necessary for the relevant services. In addition, the software contained commonly known security vulnerabilities. Both practices were in violation of BLU’s privacy policy and the FTC Act. Importantly, in conjunction with this settlement, the FTC staff released guidance for companies concerned with the privacy and security risks that arise from sharing data with third-party service providers, urging them to “[k]eep a watchful eye on . . . service providers.” Specifically, the guidance encouraged companies to (i) conduct adequate due diligence on service providers in order to understand how their services work, what data they will be able to access, and what needs to be done to conform their conduct to the companies’ privacy promises; (ii) clearly set out security and privacy expectations in contracts; and (iii) build in procedures to enable ongoing monitoring of compliance with those agreements.⁴
• GDPR Vendor Management Requirements. The GDPR introduces strict requirements in connection with the engagement of third-party service providers that are “data processors.” Article 28 of the GDPR prescribes the inclusion of a number of clauses into the service agreement and requires that data controllers only use data processors that can implement appropriate technical and organizational measures that ensure the protection of the rights of the data subject. This is a high bar that requires diligence on the part of the data controller and efforts from both parties to ensure the agreement between them complies with the GDPR’s requirements.
• Brazil. The Brazilian National Monetary Council issued Resolution No. 4,658, which establishes new cybersecurity requirements for financial institutions, and notably covers third-party service providers that contract with such institutions, including those located outside of Brazil.⁵

Areas We Are Watching

While 2018 was an active year for data protection developments, there is more in store. These are some of the areas boards should be paying close attention to in 2019:

• Potential Federal Privacy Law. In 2019, we can expect to hear more about the possibility of a comprehensive federal privacy law in the United States. Over the course of 2018, several federal privacy bills were introduced in Congress. In September 2018, the Senate Committee on Commerce, Science, and Transportation held a hearing to discuss how a federal privacy law might be crafted, and in November 2018, the FTC stated that it “strongly supports” efforts for federal privacy legislation.
• New Technologies. In September 2018, the SEC’s Enforcement Division Co-Director, Stephanie Avakian, gave a speech in which she addressed the Division’s approach to dealing with cryptocurrencies.⁶ The Division’s guidance will likely come in the form of enforcement actions and other public statements rather than formal rulemaking. Distributed ledger technology, such as Blockchain, is also likely to come under scrutiny from data protection regulators; CNIL has confirmed that when distributed ledger technology includes personal data, the GDPR is applicable and has published guidance that suggests that use of these technologies will have to involve great care if the principles of the GDPR are to be complied with.⁷
• Brexit Third-Country Status. In January, 2018, the European Commission issued a Notice to Stakeholders in connection with Brexit noting that following the UK’s withdrawal, it will become a “third country” for the purpose of data transfers. This means that, unless the European Commission issues an “adequacy decision,” recognizing that the United Kingdom’s data protection regime provides for equivalent protection for personal data, personal data will no longer be freely transferable to the United Kingdom. On November 14, 2018, the United Kingdom and European Commission approved a draft withdrawal agreement that maintains the status quo with respect to data protection matters until December 31, 2020 (i.e., if the withdrawal agreement is approved by the UK Parliament, then the GDPR will continue to apply in the United Kingdom during the transition period). However, whether or not the United Kingdom will be deemed “adequate” following the end of this period remains uncertain.
• Mechanisms for Transferring Personal Data Out of the EEA
  • Privacy Shield. The Privacy Shield is the set of safeguards and compliance measures negotiated between the United States and the European Union to allow the transfer of personal data between the EEA and certified U.S. entities. On the United States side, the FTC enforces compliance with the Privacy Shield. Four companies agreed to settle with the FTC in September 2018 over allegedly falsely claimed certifications (three of these companies had simply let their certifications lapse). The FTC reiterated that “[c]ompanies need to know that if they fail to honor their Privacy Shield commitments, or falsely claim participation in the Privacy Shield framework, we will hold them accountable.” On the European Union side, the Privacy Shield is under annual review by the European Commission and in June 2018, the European Parliament called for suspension of the Privacy Shield on the basis that it did not believe that the United States was compliant with its obligations. The European Parliament advised that unless the United States could be compliant by September 1, 2018, the Privacy Shield should be suspended. The European Commission did not take this course and instead undertook its second annual review of the Privacy Shield in October 2018. In its report published on December 19, 2018 the European Commission concluded that the United States does ensure an adequate level of protection for personal data transferred under the Privacy Shield, noting that the U.S. Department of Commerce has strengthened the certification process and the FTC has taken a more proactive approach to enforcement.
  • Standard Contractual Clauses. In April 2018, following a complaint to the Irish High Court by the Irish Data Protection Commission in connection with the data processing activities of Facebook (which include the transferring of personal data of E.U. data subjects to the United States), the Irish High Court referred a number of questions to the Court of Justice for the European Union, including questions in connection with the adequacy of Standard Contractual Clauses and the Privacy Shield. This reference was challenged by Facebook and the Irish Supreme Court has agreed to hear Facebook’s appeal. In the event that the Court of Justice for the European Union is required to give its opinion on the adequacy of Standard Contractual Clauses and the Privacy Shield, these mechanisms may be invalidated causing chaos for international data flows.

• India. A government committee in India has released a draft Personal Data Protection Bill, 2018, which is currently making its way through the legislative process. The bill is modeled after the GDPR, but also introduces data localization requirements.

[1] https://edpb.europa.eu/our-work-tools/public-consultations/2018/guidelines-32018-territorial-scope-gdpr-article-3_en