Privacy & Information Security Law Blog

On October 19, 2017, the White House announced that President Donald J. Trump plans to nominate two individuals to serve as commissioners of the Federal Trade Commission. President Trump selected Joseph Simons to lead the FTC as its chairman for a seven-year term, beginning September 26, 2017. Simons’ background primarily has focused on antitrust matters. From June 2001 to August 2003, he led the FTC’s antitrust initiative as Director of the FTC’s Bureau of Competition.

On October 18, 2017, the EU Commission (“Commission”) released its report and accompanying working document on the first annual review of the EU-U.S. Privacy Shield framework (collectively, the “Report”). The Report states that the Privacy Shield framework continues to ensure an adequate level of protection for personal data that is transferred from the EU to the U.S. It also indicates that U.S. authorities have put in place the necessary structures and procedures to ensure the proper functioning of the Privacy Shield, including by providing new redress possibilities for EU individuals and instituting appropriate safeguards regarding government access to personal data. The Report also states that Privacy Shield-related complaint-handling and enforcement procedures have been properly established.

On October 4, 2017, the Article 29 Working Party (the “Working Party”) revised and adopted the final version of the Guidelines on data protection impact assessments (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the “Guidelines”). The Guidelines were first published for comment on April 4, 2017, and the final publication of these revised Guidelines follows the public consultation that ended in May 2017.

On October 13, 2017, the Federal Trade Commission published the twelfth and final blog post in its “Stick with Security” series (the “Series”). The Series focused on the 10 principles outlined in the FTC’s Start with Security Guide for Businesses and sought to provide insights and lessons learned on data security from recent FTC cases, closed investigations and questions and comments received from businesses. The final post, entitled Stick with Security: FTC resources for your business, outlines the resources available to businesses to put the principles detailed in the Series into practice. These can be found on the FTC’s Data Security page.

Last week, at the 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong, data protection authorities from around the world issued non-binding guidance on the processing of personal data collected by connected cars (the “Guidance”). Noting the ubiquity of connected cars and the rapidity of the industry’s evolution, the officials voiced their collective concern about potential risks to consumers’ data privacy and security. The Guidance identifies as its main concern the lack of available information, user choice, data control and valid consent mechanisms for consumers to control the access to and use of their vehicle and driving-related data. Building on existing international guidelines and resolutions, the Guidance urges the automobile industry to follow privacy by design principles “at every stage of the creation and development of new devices or services.”

On October 4, 2017, the Federal Trade Commission and the Department of Education (“DOE”) announced that they will co-host a workshop to explore privacy issues related to education technology. The Ed Tech Workshop, which will take place on December 1, 2017 in Washington, D.C., will examine how the FTC’s Rule implementing the Children’s Online Privacy Protection Act (“COPPA”) applies to schools and intersects with the Family Educational Rights and Privacy Act (“FERPA”), which is administered by the DOE.

Recent judicial interpretations of the Illinois Biometric Information Privacy Act (“BIPA”), 740 ILCS 14, present potential litigation risks for retailers who employ biometric-capture technology, such as facial recognition, retina scan or fingerprint software. Federal judges in various district courts have allowed BIPA cases to move forward against companies such as Facebook, Google and Shutterfly, and retailers who use biometric data for security, loss prevention or marketing purposes may also become litigation targets as federal judges decline to narrow the statute’s applicability and additional states consider passing copycat statutes.

On October 3, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued an announcement clarifying when protected health information (“PHI”) can be shared with family, friends and others. This announcement, prompted by the recent mass shooting in Las Vegas, outlines the purposes for which PHI can be disclosed to these parties pursuant to HIPAA and the conditions that apply, which are summarized below:

On September 29, 2017 the French Data Protection Authority (CNIL) published a guide for data processors to implement the new obligations set by the EU General Data Protection Regulation (“GDPR”). The guidance addresses the extended scope of the GDPR and the new and direct obligations data processors will have when the GDPR comes into force on May 25, 2018. The guidance elaborates a three-step checklist for data processors:

On September 29, 2017, the Federal Trade Commission published the eleventh blog post in its “Stick with Security” series. As previously reported, the FTC will publish an entry every Friday for the next few months focusing on each of the 10 principles outlined in its Start with Security Guide for Businesses. This week’s post, entitled Stick with Security: Secure paper, physical media, and devices, highlights the importance of adopting a 360 degree approach to protecting confidential data. This strategy includes securing not only networks and information systems, but also paper, physical media and devices.