The Article 29 Working Party (WP29), an independent European advisory body on data protection and privacy released the results of their first review of the EU-US Privacy Shield on Wednesday (6 December 2017). The WP29 has identified several “significant concerns” with the EU-US Privacy Shield (Privacy Shield) programme, as currently operated. Though the WP29 acknowledges that Privacy Shield is an improvement over the Safe Harbor arrangement, the body has called for the European Commission (EC) and the US authorities to restart discussions on an action plan to address these concerns immediately. The review was conducted jointly between WP29 and US authorities, with feedback from US companies.
Cybercrime has become a regular feature of global news. The question is not if another attack will happen, but when. Prominent examples include the leak of millions of attorney-client documents from law firms Appleby and Mossack Fonseca, and the “Petya” attack, which brought DLA Piper’s system to a standstill.
Arbitration is also at risk. Parties, arbitrators, counsel, and institutions may be compromised, and the consequences could be serious for the target and the arbitral community as a whole. We explore the risks and consequences in our article, Is our imagination failing us? Call for cybersecurity guidelines in international arbitration.
As the first measure, we advocate a documented assessment of cybersecurity risks at the outset of each arbitration. A bespoke audit helps to avoid both an inadequate cyber security system and a more expensive and complicated system than is necessary. For a checklist of cybersecurity risks to consider at the beginning of an arbitration, see our Practice note, Cybersecurity issues in arbitration: Cybersecurity checklist. Continue Reading
Russia has adopted a new law further toughening the country’s Internet-blocking regime and introducing a number of restrictive measures applicable to intermediaries providing access to blocked websites, IT networks, and information resources (hereinafter, “Blocked Websites”).
The relevant provisions of Federal Law No. 276-FZ dated July 29, 2017 (the “Anonymizers Law”), came into force on November 1, 2017.
Due to the vague wording and ambiguities, the enforcement of and practice on the Anonymizers Law will likely be complicated.
In 2012, Federal Law No. 307-FZ was adopted (the “Law on Blocking Websites”), which established a Russian register of Blocked Websites (the “Register”) maintained by the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications (Roskomnadzor).
Pursuant to the Law on Blocking Websites:
- Websites containing information the dissemination of which is illegal in Russia (such as pornography, information about drugs, suicide, racism, copyright violations, etc.) must be included into the Register following a short remedy period, during which a website owner may remove all relevant information from the website and avoid the inclusion.
- If the website is included into the Register, access to it from the territory of Russia must be blocked.The scope of the Law on Blocking Websites only extends to blocking access to websites containing the prohibited information and does neither prohibit nor restrict any software or hardware allowing to get access to Blocked Websites and serving as an intermediary between users and Blocked Websites (such software or hardware, the “Access Tools”). As a result, users could in practice visit Blocked Websites and the Russian authorities could do nothing about it.
The EU General Data Protection Regulation (GDPR) will come into force in May 2018, changing how businesses and the public sector manage customer information. With seven months before the deadline, governments, supervisory authorities, and businesses are working in parallel on GDPR implementation.
Latham reached out to colleagues across the EU to assess the state of the union in terms of national GDPR implementation. Both Germany and Austria have already passed implementing acts, placing them ahead of other EU Member States in aligning with the GDPR. Eleven jurisdictions are in the process of drafting the implementing laws, as they make their way through the national legislative process. Fifteen jurisdictions, however, are still at the initial planning phase.
For full details of how legislation implementation is progressing at a national level, see Latham’s full updated tracker.
On October 3, 2017, the Irish High Court announced that it will make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling on the validity of the Standard Contractual Clauses, which allow companies in the European Economic Area (EEA) to transfer personal data outside of the EEA. In doing so, the Irish High Court acknowledged that, “there are well founded grounds for believing that the [Standard Contractual Clauses] are invalid,” but clarified that this was a question of EU law for the CJEU to decide.
What happened in the case?
Maximillian Schrems (an Austrian privacy campaigner who, in 2015, led a case that struck down the EU-US Privacy Shield’s forerunner, Safe Harbor) has a Facebook account. Schrems complained to the Irish Data Protection Commissioner (DPC) that Facebook Ireland Limited (Facebook Ireland) transferred his data to its US-parent, Facebook Inc. (Facebook US) for further processing.
In order to transfer personal data to a third country outside of the EEA, that third country (in this case, the US) should offer guarantees ensuring an adequate level of protection for personal data essentially equivalent to the level of protection ensured within the EEA. The European Commission (EC) has not considered the US to provide this adequate level of protection for personal data, so companies that wish to transfer data must rely on other data transfer mechanisms, including the Standard Contractual Clauses. Continue Reading
On September 19, 2017, Judge Donato of the Northern District of California ruled on Defendant D-Link System Inc.’s (D-Link) Motion to Dismiss, which challenged claims by the Federal Trade Commission (FTC) that D-Link’s conduct constituted unfair and deceptive trade practices in violation of Section 5 of the FTC Act.
The FTC’s complaint alleges that D-Link failed to implement adequate data security with respect to router and IP cameras it marketed and sold to the public. According to the FTC’s complaint, D-Link’s router and IP cameras were susceptible to well-known exploits and other vulnerabilities that left consumers at risk of compromise by hackers. The FTC alleged that these practices were both deceptive (contrary to D-Link’s representations about the security of their products) and unfair (caused or were likely to cause substantial injury to consumers). Continue Reading
The Federal Law No. 87-FZ of May 1, 2017, on Amendments to the Federal Law on Information, Information Technologies, and Information Protection (the Law) came into force on July 1, 2017. The Law introduces the definition of an audiovisual service owner and regulates their activities, including imposing ownership restrictions.
The Notion of Audiovisual Service Owners
According to the Law, an audiovisual service owner is an owner of a website, a page of a website, an information system, and/or software (an Audiovisual Service):
- Used for collating and providing access to audiovisual content
- By paid subscription and/or funded by advertising
- To users located in the territory of Russia
- With more than 100,000 users a day (on average)
The following are not regarded an Audiovisual Service:
- Information resources registered as online media in accordance with the Federal Law No. 2124-1 of December 27, 1991, on Mass Media (e.g., online media, TV-channels, TV/radio/video programs, etc.)
- Search engines
- Information resources which focus on hosting user-generated content under the criteria to be set by the Federal Service for Supervision in the Sphere of Telecom, Information Technologies, and Mass Communications (Roscomnadzor) (e.g., YouTube, RuTube, Vimeo).
The State Duma, Russia’s lower chamber of Parliament, has adopted amendments to the Federal Law on Information, Information Technologies and Information Protection of the Russian Federation (the Law) in its first reading. Under the proposed amendments, messaging apps would be required, among other things, to verify users through their telephone numbers and to distribute certain text messages at the request of government agencies. The amendments would also allow the Russian government to block messaging apps which continue to allow users to register anonymously.
The proposed amendments still have to go through the remaining stages of the legislative process, including two further readings in the State Duma, approval by the Federation Council (the upper chamber of the Russian Parliament) and signing by the President. Amendments are still possible during these later stages. If adopted, the amendments will come into force on 1 January 2018. By broadly defining both “information and communication service” and “instant messaging information and communication service,” the amended Law imposes new obligations on all messaging applications and operators. Under the amended Law, messaging apps would be required to: Continue Reading
The General Data Protection Regulation (GDPR or Regulation) will become applicable in one year, as of May 25, 2018. A lot has happened since we set out the key provisions of the Regulation last year. As companies implement compliance programmes in efforts to protect data subjects and avoid hefty enforcement penalties, each EU Member State government has to pass implementation laws. Furthermore, regulators are slowly providing guidance on how to apply and interpret the GDPR.
What is happening in the EU Member States?
The GDPR was drafted to “harmonise the protection of fundamental rights and freedoms of natural persons in respect of processing activities and to ensure the free flow of personal data between Member States” (Recital 3). Yet the GDPR itself provides a lot of leeway for Member States in its implementation, including room for derogations from at least 50 articles. This “margin of manoeuvre” (Recital 10) creates a degree of uncertainty for data controllers and data processors, and there are some areas where companies (especially those processing sensitive personal data, where Member States have the most flexibility) will need to wait and respond to what Member State governments are proposing. Continue Reading
The Trump Administration has issued a much anticipated Executive Order (EO),“Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” directing federal executive agency heads to undertake various cyber-related reviews and to report findings back to the White House within prescribed timetables. Unlike some of the Trump Administration’s executive orders receiving much attention in recent weeks, this new cybersecurity EO does not aim to unwind policies put in place or initiatives undertaken by the Obama Administration. In fact, subsequent steps by the Trump Administration following the new EO may likely build upon the previous Administration’s efforts, which had assigned responsibilities to various executive departments serving as “sector specific” agencies for different sectors (energy, communications, transportation, and so on) with critical infrastructure. Continue Reading