Arent Fox Privacy Report

Headlines that matter for privacy and data security.

US News

FTC submits statement re: FTC oversight

In its prepared statement to the Commerce Committee, the FTC stated that privacy and data security will continue to be an enforcement priority at the FTC and it will use every tool at its disposal to address consumer harm. However, because of the limitations of the FTC’s Section 5 authority, the FTC reiterated its longstanding call for comprehensive data security legislation. It urged Congress to consider enacting federal privacy legislation that would be enforced by the FTC.

House Flip may boost privacy policy push

November’s midterm elections put Democrats with significant appetites for digging deeper into privacy and cybersecurity issues in charge of key oversight committees in the US House. Efforts to enact federal privacy legislation are likely to receive even greater attention. Both Democrats and Republicans were interested in seeing the next Congress make it a top priority to pass measures that better protect consumer data, and lawmakers on both sides of the aisle have proposed data security, breach notification and privacy standards during the past decades.

FTC submits privacy comments to National Telecommunications and Information Administration (NTIA)

In September, NTIA issued a request for comments on a proposed approach to consumer data privacy designed to provide high levels of protection for individuals, while giving organizations legal clarity and the flexibility to innovate. According to the FTC’s comment, the FTC is uniquely situated to balance consumers’ interests in privacy, innovation, and competition; in particular, the FTC’s dual mission of protecting competition and consumer protection gives the FTC a deep understanding of the benefits and costs to consumers associated with the use of their data. The comment calls for a balanced approach to choice, where the level of control would depend on consumer preferences, context, and risk. It also notes that the FTC should continue to be the primary enforcer of laws related to information flows in the marketplace, whether under the existing or a new privacy and security framework. The comment adds that the FTC will be examining its current authority related to privacy and data security as part of its series of hearings on Competition and Consumer Protection in the 21st Century.

EU News

ICO prosecution results in first-ever prison sentence

An employee of an accident repair firm accessed personal data using his colleagues’ credentials to log-in to a software system that estimates the cost of vehicle repairs. He continued to do this after he started a new job at a different car repair organization which used the same system. The man’s employer contacted the ICO when they saw an increase in customer complaints about nuisance calls and assisted the ICO with their investigation. ICO prosecuted under S. 1 of the Computer Misuse Act which refers to causing a computer to perform a function with intent to secure access to any program or data held on that computer. It carries a custodial sentence of up to two years. The ICO usually prosecutes cases like this under the Data Protection Act, however, in appropriate cases, it can prosecute under other legislation to reflect the nature and extent of the offense and for the sentencing Court to have a wider range of penalties available.

ICO warns Washington Post about invalid cookie consent

The UK data protection authority informed the Washington Post that its online subscription options do not comply with the GDPR. The Post allows users to pay $9/month to turn off trackers and cookies. Since there is not free alternative for accepting cookies, ICO found that consent was not freely given. As the newspaper is based in the US, ICO can only issue a warning. They told the Post that users should have the option to access all levels of subscriptions without having to accept cookies.

ICO releases encryption guidance

In newly published guidance from the UK data protection authority, current forms of encryption in use are outlined, as well as scenarios when encryption can help protect an entity’s sensitive data. The guidance also includes several recommendations, namely that where a company is storing or transmitting personal data, it should use encryption due to its widespread availability and relatively low cost of deployment.

British and Dutch fine Uber for data hack

Regulators fined Uber for failing to protect customers’ personal data during a 2016 cyberattack involving millions of users. “This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” ICO Director of Investigations Steve Eckersley said in a statement. “At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable.” ICO in Britain fined the company £ 385,000 ($490,760) while the Dutch Data Protection Authority (DPA) imposed a € 600,000 ($678,780) fine.

CNIL offers blockchain guidance for GDPR compliance

The French data protection authority released guidance on blockchain and the GDPR. The CNIL recognizes that not all blockchain projects involve personal data processing, but they do classify two categories of personal data: participants' and miners' identifiers, as well as additional data contained within a given transaction - for example, a diploma or property deed, the CNIL notes. "Using this distinction," the CNIL noted in its report, "the usual GDPR analysis applies: identification of the data controller, enforcement of rights, implementation of appropriate safeguards, security obligations, etc." Some additional big takeaways: Organizations should carefully determine whether they need blockchain in the first place, particularly a public one; if the organization chooses to go forward, it should practice data minimization when registering data on a blockchain; and the CNIL considers participants in the blockchain as data controllers.

German DPA in Baden-Wurttemberg administers first GDPR fines

A € 20,000 fine was imposed on a social media provider for a violation of its data security obligations under the GDPR. The company contacted the German data protection authority with a data breach notification following a hacker attack in the summer of 2018. The attack resulted in the unauthorized access to and disclosure of personal data of around 330,000 users, including passwords and email addresses. During the subsequent investigation, the German data protection authority became aware that the Company had stored passwords in plain text and in an unencrypted format, which helped facilitate the attack. The Company was found to have knowingly infringed its obligation to appropriately encrypt personal data pursuant to Art. 32. The Company’s very good cooperation with the German data protection authority was key to avoiding a higher level of fines.

German DPAs issue new rules for whistleblowing hotlines

The general EU position before GDPR was that whistleblowers were not encouraged to file anonymous reports. In some countries, anonymous reporting was even prohibited. The German DPAs have issued guidance on this point, reversing their previous opinion, and providing that employees must be encouraged to submit reports anonymously. Additionally, when an employee wishes to identify himself as the whistleblower, the employee must be informed that his/her identity will be disclosed to the individuals mentioned in the report and that the employee’s consent is required for this disclosure.

Greece issues warnings to companies under GDPR

The Hellenic data protection authority (HDPA) issued four decisions against companies for infringement of the GDPR. In particular, the HDPA issued a decision against Pitsoulakis-Rompogiannakis OE for unlawful ldirect marketing under Art. 5, against DIMERA GROUP SPORTS TRADE MEPE for failure to secure processing activities according to Art. 32, and against Alpha Bank AE and Eurobank Ergasias AE for failing to notify personal data breaches within 72 hours, as provided by Art. 33. (Data Guidance News Tracker).

Italian DPA implements violations registry

The Italian DPA will begin to publish the enforcement measures it has taken on its website. These measures include (i) warnings given to controllers or processors where processing is likely to, or does violate the GDPR, (ii) instances where a controller or processor is ordered to satisfy data subjects rights, inform data subjects of a personal data breach, and suspend or cease international data flows, and (iii) administrative sanctions issued under both the GDPR and the Italian Data Protection Code.

Lithuanian DPA urges companies to meet minimum requirements

The Lithuanian DPA provided guidelines for organizations regarding minimum requirements for data security measures. The guidelines touch on organizational, technical and physical data security measures, and data destruction. Among other recommendations, they stated that to ensure security of personal data, certain measures must be implemented such as (i) defining roles and responsibilities, (ii) having standard procedures in place to ensure business continuity and training staff on data protection and legal obligations, (iii) access control systems must be put in place to allow creation, validation, revision and removal of user accounts, and (iv) access to personal data records must be monitored.

Netherlands releases DPIA on Microsoft Office

A DPIA conducted for the Dutch Ministry of Security and Justice found that Microsoft has been collecting vast amounts of personal data. While Microsoft is considered a data processor, the report warned that the way it collects data from users for diagnostics means it should be classified as a joint controller as defined in article 26 of the GDPR. The report recommends disabling any settings in Microsoft Office 2016 that sends data to Microsoft servers. It also recommended IT administrators periodically delete the Active Directory account of some VIP users, and create new accounts for them, to ensure Microsoft deletes the historical diagnostic data.

Asia News

US delegation cites burdens imposed by China Cybersecurity law

China’s Cybersecurity Law’s draft implementing measures impose requirements concerning data localization and security assessments, which are both onerous and negatively impact cross-border transfers. The US delegation to the World Trade Organization asked China a series of questions, including asking it to further clarify its definition of "important data for the nation" and the application of the measures (e.g., only to network operators or all companies that operate a network), and asking whether China intends to release additional new draft implementing measures. The delegation urged China to consider the adoption of a less burdensome measure for transfers (such as APEC CBPR).

Chinese government obtains location data from car manufacturers

Using local laws, the Chinese government pushes alternative energy car manufacturers within the country to send the location data of their users. More than 200 manufacturers deliver location information and other data points to government monitoring centers, often without the users’ permission. The information is purportedly used to improve public safety and industrial developments, but privacy advocates believe the real purpose is to know what people are up to at all times.


Australia: press freedom in question in new row over encryption law

Australia’s federal government is being asked to redraft the country’s encryption bill to protect press freedom, as concerns mount over how authorities could gain more power to track individuals without a warrant. Home Affairs Minister Peter Dutton insists that rather than expand powers, the bill “modernizes” the way security agencies collect information. While the government hopes to fast-track the bill for the end of 2018, a Parliamentary committee is currently conducting an inquiry.

Analysis You Can Use

2018 State of Privacy and Security Awareness Report

MediaPRO released its Privacy and Security Awareness Report, after surveying over a thousand US employees, from a number of different industries and job levels, to test their cybersecurity and data privacy know-how. Notable findings include:

  • 75% of respondents struggled with identifying best practices related to correct behaviors in cybersecurity and data privacy.
  • Employees in the finance sector performed the worst of the industries analyzed.
  • Employees in management roles or above showed riskier behaviors than entry-or mid-level employees.
  • 14% of employees lacked the ability to correctly identify phishing emails.
  • 26% of employees made poor decisions involving the secure use of social media.

Mozilla adds breach alerts for consumers

Mozilla recently announced that it is adding a new security feature to its Firefox Quantum web browser that will alert users when they visit a website that has reported a data breach in the last 12 months. A pop-up notification informing the user of some basic details of the breach will appear and suggest that the user check to see if their information was compromised. In addition to this new security feature, Mozilla has also rolled out an evaluation of the security of certain popular products for the upcoming holiday shopping season. This guide, which features reviews of 70 products across six categories, is designed to help users identify which connected devices provide robust privacy and security features.

Continue Reading