Global Privacy & Security Compliance Law Blog

FCA Speaks Out on the Ethics of Big Data

Posted in Privacy, Security

FCA Chair hints that new regulation addressing data ethics in the FinTech space may be on the horizon.

By Nicola Higgs, Fiona Maclean and Terese Saplys

Will societies of the future be ruled by algocracy, in which algorithms decide how humans are governed? Charles Randell, Chair of the Financial Conduct Authority (FCA) and Payment Systems Regulator, addressed how to avoid this hypothetical scenario in a broad-ranging speech on that he delivered on 11 July 2018 in London.

Randell’s Remarks

Contributing Factors to an Algocracy

According to Randell, the following three conditions could collectively give rise to a future algocracy:

  • If a small number of major corporations were to hold the largest datasets for a significant number of individuals (as is currently the case)
  • Continuing vast and rapid improvements in artificial intelligence and machine learning that allows firms to mine Big Data sets with greater ease and speed
  • Further developments in behavioural science allowing firms to target their sales efforts by exploiting consumers’ decision-making biases

Continue Reading

California Consumer Privacy Act of 2018 May Usher in Sweeping Change

Posted in Legislative & Regulatory Developments, Privacy

Businesses active in California should promptly assess whether the law applies to their practices and start planning towards compliance with the new law.

By Jennifer Archie, Michael Rubin, and Scott Jones

Key Points:

  • A sweeping new privacy law — the California Consumer Privacy Act of 2018 — was signed into law on June 28, 2018.
  • The Act imposes substantial new obligations on businesses that collect, process, and disclose the data of California residents.
  • The Act was drafted, voted on, and enacted in a matter of days, but it will not go into effect for another 18 months: on January 1, 2020. Given this rushed process, changes to the law before its effective data can be expected.

Facing pressure from a significantly stronger ballot measure in the state, on Thursday, June 28, 2018, the Governor for the State of California signed into law the California Consumer PrivacyAct of 2018 (the CCPA). Effective January 2020, this law ushers in widespread changes to California’s law on the information practices for covered businesses collecting, processing, and disclosing information gathered from or about California consumers or their devices. Continue Reading

Update: California’s Consumer Right to Privacy Ballot Initiative

Posted in Legislative & Regulatory Developments, Privacy

California ballot initiative, Consumer Right to Privacy Act of 2018, gathers momentum for a November vote, spurring some telecom and internet businesses to organize opposition.

By Michael H. Rubin, Roxana Mondragón-Motta, and Scott C. Jones

Businesses are preparing to oppose a California ballot measure that could impose new data privacy and security obligations, with the threat of significant civil liability for non-compliance. Signatures are being gathered to put the Consumer Right to Privacy Act of 2018 (the “CRPA Measure”) on the November 2018 California ballot. The CRPA Measure, introduced by two California citizens, claims to give California consumers an “effective way to control their personal information” by providing them with (1) a right to request certain information about what personal information covered businesses have collected and sold or disclosed within the last year and (2) the right to opt-out from having their personal information disclosed by a covered business. The initiative also provides multiple avenues for enforcement (private civil actions; attorney general or local prosecutor enforcement; and whistleblower actions).
Continue Reading

New Home for Our Interactive GDPR Implementation Tracker – GDPR.lw.com

Posted in Legislative & Regulatory Developments

The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. As an EU Regulation, it will be directly effective in each EU member state, but all member states are expected to pass national implementing legislation.

Latham’s GDPR Implementation Tracker is an interactive, web-based tool to help companies doing business in Europe stay abreast of the latest developments. The Implementation Tracker is now available at gdpr.lw.com.

 

Updates will be provided regularly, with additional informative features still to come.

National Cyber Security Centre Releases NIS Directive Guidance

Posted in Legislative & Regulatory Developments, Security

The UK agency’s principles-based guidance on cybersecurity for OES adds important detail to NIS Directive obligations.

By Gail Crawford, Mark Sun, Fiona Maclean, and Malika Sajdik

The National Cyber Security Centre (NCSC) has published introductory guidance for operators of essential services (OES) on the new cybersecurity rules under the EU’s Security of Network and Information Systems Directive (NIS Directive). The NIS Directive is the first EU-wide legislation on cybersecurity and must be transposed into member state domestic legislation by 9 May 2018. (Additional information on the NIS Directive, and the UK’s approach to implementation, is available in this blog post.) The NCSC’s guidance, released 28 January 2018, aims to help OES improve their security infrastructure and reduce their likelihood of suffering a cyber incident. Continue Reading

Cybersecurity: UK Government Releases Response to Public Consultation on NIS Directive

Posted in Legislative & Regulatory Developments

Proposed changes provide indication of the yet-to-be-published contents of the NIS Directive’s implementing regulation.

By Gail CrawfordMark Sun, Fiona Maclean, and Malika Sajdik

The UK government moved closer to implementing the Security of Network and Information Systems Directive (NIS Directive) with the release of its consultation response.

The NIS Directive is the first EU-wide legislation on cybersecurity that aims to enhance network and information system security across vital business sectors within the EU. The UK government launched a public consultation in autumn 2017 to obtain feedback on its proposed approach to implementation. Although the consultation response indicated broad support for the proposals, the UK government has proposed changes to address certain areas of concern. The consultation response, which was released on 28 January 2018, focuses on the following topics.

Continue Reading

Updated: Latham’s GDPR National Implementation Tracker

Posted in Legislative & Regulatory Developments

By Gail Crawford and Mark Sun 

With the assistance of colleagues across the EU, Latham & Watkins has updated its GDPR National Implementation Tracker.

With just over three months to go until the GDPR go-live date on 25 May 2018, two EU member states (Belgium, Slovakia) have joined Austria and Germany in successfully implementing the GDPR in their national laws.

Since our last update in October 2017:

  • Six additional member states have published draft implementing legislation for a total of 16 member states with legislation in progress.
  • Eight member states, however, still have yet to publish any draft.

As the various member state legislation take shape, we will provide further updates on the implementation process. We will also compile an analysis of key areas of derogation from the GDPR for each member state in relation to bases for processing special personal data, exemptions to data subject rights or notice requirements, additional sanctions for breach, and others. Get updates on this and other key data privacy insights by subscribing to our e-mail in the sidebar.

US Government Contractors Face New Cybersecurity Requirements

Posted in Legislative & Regulatory Developments, Security

By Jennifer Archie, Serrin Turner, Kyle Jefcoat, Dean Baxtrasser and Morgan Maddoux

As of December 31, 2017, many United States government contractors face a new compliance requirement involving cybersecurity. This requirement will govern most new Department of Defense (DoD) contracts and, significantly, will apply to many current DoD contracts that include the applicable standard contract clause.

On October 21, 2016, DoD issued a final rule, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (DFARS Rule), which is intended to address “enhanced safeguarding for certain sensitive DoD information.” The DFARS final rule requires contractors to safeguard information systems and imposes investigation and reporting requirements in the case of cyber incidents.

Under the DFARS rule, contractors will be required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 — a requirement that goes into effect at the end of this month. The DFARS Rule focuses on protecting “covered defense information” (CDI) — that it defines broadly — and stipulates the basic security requirements a defense contractor must implement and maintain. A defense contractor generally must implement the security requirements in the version of NIST SP 800-1717, which were developed for use on contractors’ internal systems and should enable contractors to comply with the requirements using their existing systems and practices — rather than forcing contractors to build a new system and develop practices from scratch in order to be in compliance. Continue Reading

Article 29 Working Party Publishes Privacy Shield Review: Better, but Needs Work

Posted in Privacy

By Gail Crawford and Mark Sun

The Article 29 Working Party (WP29), an independent European advisory body on data protection and privacy released the results of their first review of the EU-US Privacy Shield on Wednesday (6 December 2017). The WP29 has identified several “significant concerns” with the EU-US Privacy Shield (Privacy Shield) programme, as currently operated. Though the WP29 acknowledges that Privacy Shield is an improvement over the Safe Harbor arrangement, the body has called for the European Commission (EC) and the US authorities to restart discussions on an action plan to address these concerns immediately. The review was conducted jointly between WP29 and US authorities, with feedback from US companies.

Continue Reading

Call for Cybersecurity Guidelines in International Arbitration

Posted in Security

By Hanna Roos and Jennifer Archie

Cybercrime has become a regular feature of global news. The question is not if another attack will happen, but when. Prominent examples include the leak of millions of attorney-client documents from law firms Appleby and Mossack Fonseca, and the “Petya” attack, which brought DLA Piper’s system to a standstill.

Arbitration is also at risk. Parties, arbitrators, counsel, and institutions may be compromised, and the consequences could be serious for the target and the arbitral community as a whole. We explore the risks and consequences in our article, Is our imagination failing us? Call for cybersecurity guidelines in international arbitration.

As the first measure, we advocate a documented assessment of cybersecurity risks at the outset of each arbitration. A bespoke audit helps to avoid both an inadequate cyber security system and a more expensive and complicated system than is necessary. For a checklist of cybersecurity risks to consider at the beginning of an arbitration, see our Practice note, Cybersecurity issues in arbitration: Cybersecurity checklist. Continue Reading

LexBlog