Center for Cyber & Homeland Security Issues Report on How the Private Sector Can Actively Defend Against Cyber Threats

Earlier this year, the Center for Cyber & Homeland Security at the George Washington University (“Center”) announced a new project on active defense against cyber threats. The Center established a high-level task force to examine these issues. The task force included prominent cybersecurity and industry experts, including Alston & Bird partner Michael Zweiback. The Task Force successfully released its final report in October. It is available here. The report comes at a time when cyber vulnerabilities have been exploited by hostile state and non-state actors in cyberspace [...]

EU Releases Amendments to Model Clause and Country-Whitelisting Decisions – with Good News for Companies

Most privacy professionals are familiar with the European Court of Justice’s 2015 Schrems decision, which struck down the US-EU Safe Harbor mechanism. One lesser-discussed aspect of the ECJ’s decision related to the powers of Data Protection Authorities (DPAs) within the EU’s Member States. In the Schrems proceedings, the Irish Data Protection Commission argued that it had no authority to suspend or restrict transfers based on Safe Harbor because Safe Harbor was a decision by the EU Commission. The ECJ rejected this argument, holding that the Commission cannot restrict DPAs’ ability [...]

German DPAs to Survey Transfers in 500 Companies – with English Translation of DPA Questionnaire

Late last week, 10 of Germany’s 17 Data Protection Authorities (DPAs) announced they are planning to send written questionnaires to approximately 500 different companies regarding international data transfers. The following provides a brief overview of the situation, as well as an English translation of the questionnaire, for companies who are potentially affected. This summary refers to the German DPA questionnaire as a “survey.” In press releases and interviews, the German DPAs have been careful to state that the questionnaire is not an audit or enforcement action. Additionally, [...]

Bank Regulators Issue Advanced Notice of Proposed Rulemaking on Cyber Risk Governance and Management Regulations

More regulators (apart from the FTC) are now taking note of cybersecurity issues in the financial services industry and are taking steps to protect the industry and its consumers. Earlier this year, the Consumer Financial Protection Bureau (“CFPB”) issued its first enforcement action on data security against an online payment system. In June, the Federal Financial Institutions Examination Council (“FFIEC”), an interagency body, issued a press release advising financial institutions to review their risk-management practices. Last month, the New York State Department of Financial [...]

EU-U.S. Privacy Shield Faces Judicial Attack

The EU-U.S. Privacy Shield (“Privacy Shield”) is already under challenge before the European courts, after having been approved only some months ago by the European Commission (“EU Commission”). The European courts’ website records that an action for annulment has been brought by Digital Rights Ireland, the privacy and digital rights advocacy organization, before the General Court of the European Union. A spokesperson for the court has confirmed that Digital Rights Ireland’s application seeks annulment of the EU Commission’s July 12, 2016 Privacy Shield decision, which found [...]

The French Digital Republic Act: the New Powers of the French Data Protection Authority and Enhanced Rights of Individuals

On October 7, the French Digital Republic Act (the “Act”) was adopted following a widely-publicized consultation process. The Act amends the French Data Protection Act, and also modifies French law in various domains, including consumer protection, electronic payment services, medical research, and intellectual property. The Act constitutes a first step in the implementation of the General Data Protection Regulation (“GDPR”), which will apply in all EU Member States as from May 25, 2018. The Act in particular establishes (i) new powers for the French data protection authority (“DPA”), [...]

ECJ Declares IP Addresses are Personal Data

Today, the European Court of Justice (ECJ) issued its long-awaited decision in Breyer v. Germany. Breyer addresses the question of whether IP addresses are “personal data” for purposes of EU data protection law. As is widely known, personal data is any information that would permit a particular individual to be identified, whether directly or in combination with other information. Until the present, there has been widespread agreement that static IP addresses are personal data. In contrast, there has been little agreement on whether dynamic IP addresses constitute personal data. While [...]

California Updates Data Breach Notification Statute for 2017

California, which has historically been one of the states at the vanguard of data breach notification issues, has made an update to its statute that takes effect on January 1, 2017. The update will require companies to notify affected individuals of a data breach of encrypted information, if “the encryption key or security credential was, or is reasonably believed to have been, acquired by an unauthorized person and the person or business that owns or licenses the encrypted information has a reasonable belief that the encryption key or security credential could render that personal information [...]

D.C. Circuit Holds CFPB is Unconstitutionally Constructed; Removes For-Cause Removal Protection from CFPB Director

On Tuesday, October 11, 2016, the D.C. Circuit Court issued its opinion in PHH Corp. v. Consumer Financial Protection Bureau, holding that the Consumer Financial Protection Bureau (CFPB) was unconstitutionally structured. In the majority opinion, Judge Kavanaugh described the position of CFPB Director as, in terms of unilateral authority, “the single most powerful official in the entire U.S. Government, other than the President.” (Maj. Opinion at 27). The Court’s ruling severs the for-cause removal protection provision for the Director from the Dodd-Frank Act, repositioning the CFPB as an [...]

Supreme Court Denies Cert in Leading Case on Internet Tracking and Analytics

The Supreme Court recently declined to review In re Google Inc. Cookie Placement Consumer Privacy Litigation—a consolidated class action alleging that Google and third-party advertisers evaded web browser privacy settings, causing cookies to be placed on plaintiffs’ computers. 806 F.3d 125 (3d Cir. 2015), cert. denied sub nom. Gourley v. Google, Inc., 84 U.S.L.W. 3531 (U.S. Oct. 3, 2016) (No. 15-1141). Given the Court’s denial of review, significant questions remain regarding the applicability of the Wiretap Act to internet communications. The Third Circuit’s opinion offers guidance [...]