EU-U.S. Privacy Shield Passes First Annual Review

On October 18, 2017, the European Commission (EU Commission) published its report on the first annual review of the EU-U.S. Privacy Shield Framework (Privacy Shield). The EU Commission confirms that the Privacy Shield ensures an adequate level of protection for EU personal data that is transferred to the U.S., but calls on the U.S. government to implement a number of recommendations.

Certified companies can continue to rely on the Privacy Shield to receive EU personal data in compliance with EU data protection law. This is an important validation of a key mechanism used by EU and U.S. companies transferring data to the U.S., particularly in light of the current uncertainty around data transfers arising from court challenges to the Standard Contractual Clauses and the Privacy Shield.

For more information, please see our complete WSGR Alert on the new report.

European Court of Justice to Rule on Validity of Standard Contractual Clauses

On October 3, 2017, the High Court of Ireland issued its decision in Data Protection Commissioner vs Facebook and Schrems concerning the validity of the EU Standard Contractual Clauses (SCCs)—a mechanism used by a very large number of companies to transfer personal data outside of the European Union.

The Irish High Court referred this question to the Court of Justice of the European Union (CJEU). This is the second time that the CJEU has been asked to determine the validity of a data transfer mechanism. In 2015, the CJEU invalidated the EU-U.S. Safe Harbor Framework. If the CJEU invalidates the SCCs, thousands of companies that rely on this data transfer mechanism could be left without a legal basis for the data transfers on which their businesses rely.

Click here to read our complete WSGR Alert discussing the background of the court’s decision, today’s ruling, and next steps.

Lenovo Settles FTC Charges Regarding Pre-Installed Software That Compromised Consumers’ Cybersecurity and Privacy

On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo regarding the company’s practice of pre-loading software on its laptops that compromised consumers’ cybersecurity and privacy. As part of the settlement, Lenovo agreed to pay $3.5 million in penalties to the states, and per an agreement with the FTC, Lenovo will be required to implement a comprehensive software security program for most consumer software preloaded on its laptops for the next 20 years. The settlement highlights the ongoing interest by the FTC and state attorneys general regarding cybersecurity vulnerabilities in software and makes clear the FTC’s position that hardware manufacturers have an obligation to evaluate the security of third-party software they preinstall on their devices.

Click here to read our complete WSGR Alert about Lenovo’s settlement with the FTC.

Key New Takeaways from Uber’s Privacy and Data Security Settlement with the FTC

On August 15, 2017, the Federal Trade Commission (FTC) announced that it had reached an agreement with Uber Technologies to settle allegations that the ride-sharing company had deceived consumers by failing to live up to its privacy and data security promises.1 Specifically, the FTC levied two deception counts against Uber: (1) that the company had failed to consistently monitor and audit internal access to consumers’ personal information, despite public promises to do so; and (2) that the company had failed to provide reasonable security for consumers’ personal information stored in its databases, despite its security promises. Under the resulting proposed consent order, Uber will be prohibited from misrepresenting how it monitors or audits internal access to consumers’ personal information and how it protects and secures that data. Uber will also be required to implement a comprehensive privacy program that will be subject to independent biennial audits for the next 20 years, and will need to comply with the standard set of consent order recordkeeping and compliance reporting and monitoring requirements. Continue Reading

FTC Cracks Down on Lead Generation Company’s Indiscriminate Sharing of Consumers’ Sensitive Data

On July 3, 2017, the Federal Trade Commission (FTC) announced that it had settled charges that defendants Blue Global, an operator of dozens of consumer loan lead generation websites, and its founder and CEO, Christopher Kay, violated the FTC Act. The FTC alleges that the defendants had, among other practices, misled consumers about Blue Global’s data security practices and shared information characterized by the FTC as consumers’ “sensitive personal information” with a variety of potential bidders after promising to disclose such information only to “trusted lending partners” meeting specified criteria. As part of the settlement, the defendants are subject to a judgment for more than $104 million,1 must maintain stringent oversight of third-party recipients of consumers’ sensitive personal information, and are enjoined from disclosing a consumer’s sensitive personal information other than when specified conditions, including having obtained that consumer’s express, informed consent, are met. Continue Reading

Status Update on the EU e-Privacy Regulation Proposal Discussions

On January 10, 2017, the European Commission published a Proposal for a Regulation (Proposal) relating to privacy rules for the electronic communications sector. The Proposal will impose new, more rigorous privacy regulatory obligations on nearly all companies doing business in the EU over the Internet. It will address a host of important issues including the processing of communications content and metadata, and the use of Wi-Fi and Bluetooth tracking for Internet-based services and technology providers.  Once enacted, the Proposal will replace the e-Privacy Directive and will complement the EU General Data Protection Regulation (GDPR).

As part of the legislative process, the European Parliament Committee (one of two legislative bodies charged with reviewing the Proposal) issued a Draft Report  in June 2017 and is reviewing more than 800 proposed amendments to the Proposal. In addition, the Article 29 Working Party (WP29)—the body of EU data protection authorities—published a non-binding opinion (the Opinion) on the Proposal in April 2017, urging a number of revisions that would impose even more obligations on covered companies.

This article provides a status update about the Proposal, including the main requirements currently under discussion at the European Parliament and an overview of the next steps. Read our previous WSGR Alert for more information about the Proposal and the Draft Report. Continue Reading