2018 promises to be an interesting year in the world of privacy and cybersecurity. In this article, we highlight a few of the most notable developments we expect this year, including major developments in Europe, changes and pending cases at the Federal Trade Commission (FTC), notable U.S. Supreme Court cases scheduled to be decided this year, and some areas of legislation that actually may become law in the U.S.
Big Changes Taking Effect in the European Union
One of the biggest areas where everyone in the privacy field will be looking in 2018 is the European Union (EU). On the legislative front, the General Data Protection Regulation (GDPR) will enter into force on May 25, 2018; the proposed e-Privacy Regulation is scheduled to be adopted this year; and the EU parliament will issue a report on the proposed Regulation on Non-Personal Data. Additionally, the Court of Justice of the EU (CJEU) will rule on several important data protection cases, including on third-party tracking, the right to be forgotten, and the possibility of class actions.
The GDPR takes effect on May 25, and companies and regulators are working hard to get ready. The Article 29 Working Party (WP29), the body of EU regulators, has issued guidance on a number of topics, including data breaches, transparency, and consent, and is expected to continue issuing guidance on key GDPR topics, including cross-border data transfers. This year, WP29 also will elect a new chairperson who will take over from Isabelle Falque-Pierrotin, and who will oversee WP29’s transition to the “European Data Protection Board.”
The e-Privacy Regulation, which complements the GDPR with specific rules for electronic communications services, is expected to be adopted in the second half of 2018. The e-Privacy Regulation replaces the e-Privacy Directive and significantly broadens its scope, covering over-the-top service providers such as instant messaging, VOIP, and machine-to-machine communications. By May 2018, EU member states also will have to implement the EU Directive on security of network and information systems (NIS Directive), which sets cybersecurity rules for operators of essential services.
Finally, the CJEU is expected to rule on a number of data protection cases this year. Notably, Schrems v. Facebook will determine whether a consumer can bring a class action on behalf of others, and whether the class can be EU-wide or even global (Case C-498/16); Fashion ID will clarify who is responsible for getting consent for tracking via social media plugins embedded in a website (Case C-40/17); and Google v. CNIL will outline the territorial scope of the right to be forgotten (Case C-507/17).
Changes and Notable Forthcoming Cases at the FTC
The primary privacy enforcer in the United States, the FTC, will be undergoing significant changes in 2018. President Trump has nominated three individuals to become new FTC commissioners and fill the current vacancies that have left the FTC operating with only two commissioners since the departure of Edith Ramirez in February 2017. Joseph Simons is the president’s pick to serve as the new FTC Chairman. Simons’ background is as an antitrust attorney, so his approach to privacy and data security enforcement remains to be seen. He is expected to be joined by President Trump’s other two commissioner nominees: Noah Phillips, chief counsel for Sen. John Cornyn (R-TX), and Democrat Rohit Chopra of the Consumer Federation of America. If confirmed by the Senate, Simons would replace Commissioner Terrell McSweeny, whose term expired in September 2017. The president has announced his intent to nominate Acting Chairman Maureen Ohlhausen, who has been leading the agency since February 2017, to the U.S. Court of Federal Claims.
In addition to changes at the top, two notable FTC cases are likely to make a significant impact this year on the scope of the commission’s authority to regulate data security practices under Section 5 of the FTC Act: LabMD and D-Link. Most notable is the FTC’s long-running case against LabMD, a now-defunct firm accused by the agency of inadequately protecting sensitive patient health records. The FTC’s complaint was initially dismissed by an administrative law judge in 2015, which the commission then reversed in 2016, finding LabMD liable for unfair data security practices. LabMD then appealed the FTC’s decision to the U.S. Court of Appeals for the Eleventh Circuit, which heard oral arguments on the case last June. At issue is whether the FTC has the authority to bring actions under the unfairness prong of Section 5 against companies that, in the commission’s view, fail to implement reasonable security measures to protect consumer data. During oral argument, the Eleventh Circuit justices particularly focused on whether the exposure of patient data that triggered the FTC’s investigation and complaint actually caused or was likely to cause any harm to consumers sufficient to meet the unfairness standard under Section 5. The resolution of this case has the potential to either cement the status quo (that the FTC has broad authority to bring data security actions under the unfairness standard) or significantly upend the FTC’s approach to data security enforcement.
Another notable and rare FTC case regarding data security issues is the commission’s suit against D-Link Systems, in which the FTC alleged that the company failed to adequately secure the routers and IP cameras that is sells to consumers. The complaint alleges five counts for deceptive marketing practices and one count for unfair practices under Section 5 of the FTC Act, but in September 2017, the U.S. District Court for the Northern District of California issued a mixed ruling dismissing two of the deception counts and the unfairness count. On the unfairness count, the court held that the FTC had failed to allege any actual consumer injury and had only alleged “likelihood” of “risk” to consumers’ data. The court further held that FTC’s allegations about potential injury were “conclusory” and that the complaint “lack[ed] . . . facts indicating a likelihood of harm.” While the court left open an avenue for the FTC to replead its unfairness claim, the agency has since apparently decided not to amend its complaint and the case will proceed on the remaining three deception counts. A bench trial for the case is currently scheduled to take place in October 2018.
Privacy, Technology, and Law Enforcement Before the U.S. Supreme Court
Last fall, the Supreme Court heard arguments in a case that will have repercussions for how tech companies that collect location data respond to law enforcement requests for that information. The case, Carpenter v. United States, centers on defendant Timothy Carpenter’s conviction for multiple armed robberies. As part of the evidence admitted against Carpenter, the prosecutors introduced 127 days of Carpenter’s cell phone records, which confirmed that his cellphone was in the vicinity of where the multiple robberies took place during the commission of the crimes. The records were obtained from Carpenter’s cell phone provider without a warrant under the Stored Communications Act (SCA).
The question before the Court is whether a warrant should be required for 127 days of locational data, even when such data is held by a third party. The United States argues, under the third party doctrine established in Smith v. Maryland, that the records are merely third-party business records. The ACLU, on behalf of Carpenter, counters, however, that location data should be subject to heightened requirements under the Fourth Amendment because of the uniquely private and intimate nature of the data, particularly when it spans a large time period.
Court watchers doubt that the case will be resolved in favor of the United States. At oral arguments, many of the justices appeared to agree that the data at issue should not be treated the same as other business records. But how the justices will draw the line is unclear. It is possible that the Court will find that a limited amount of data can be collected without a warrant, or it may carve business records of location data out of the third party rule.
In another notable case, in February 2018, the Supreme Court will hear arguments regarding another effort by federal law enforcement officials to obtain data from a tech company. In United States v. Microsoft, Inc., the United States obtained a search warrant under the Stored Communications Act for the contents of a non-U.S. citizen’s msn.com email account. Microsoft moved to quash the warrant, arguing that search warrants do not have extraterritorial application, and the content data at issue is stored outside of the U.S. in Ireland. The Second Circuit agreed with Microsoft; the United States appealed to the Supreme Court.
Generally, when records are located in another country like Ireland, the United States has to make a request for the information through its Mutual Legal Assistance Treaty (MLAT) with that country. MLATs have long been the standard for obtaining criminal evidence abroad, with governments cooperating to meet the standards required under the law of the country where the records are located.
In this case, however, the United States argues that the SCA has no textual geographic limitation, and because Microsoft is located in the U.S. and the electronic data at issue is under Microsoft’s “control” (that is, could be electronically transmitted back to the U.S.), prosecutors should be able to obtain the data using United States legal process in the U.S.
A team of WSGR attorneys, led by Brian Willen, has filed an amicus brief on behalf of Privacy International and 25 other digital and human rights NGOs. The brief, in support of Microsoft, argues that the potential conflict with the laws and interests of Ireland and the EU, as evidenced by their comprehensive privacy legislation, should cause the Court to deny extraterritorial effect to the SCA, as it was not explicitly granted by Congress.
Regardless of the decision by the Supreme Court, this issue is likely to only be another chapter in the long-running clash between the U.S. and the EU regarding access to user data held by technology companies.
Both cases will be decided before the Supreme Court’s July 2018 recess.
Significant security breaches in 2017 triggered renewed interest in enacting federal data security legislation, though whether any of the currently proposed laws will actually make their way through both houses of Congress and past the president’s desk remains highly uncertain. Nevertheless, there are a couple subject areas worth monitoring in the new year. First among these are proposals to unify the current patchwork of state data breach notification laws that make current breach notifications so cumbersome for businesses and potentially confusing for consumers. Federal data breach notification laws have been proposed and have failed for years, and 2018 may be no different, but there remains a chance that the outsized impact of the Equifax data breach and the delay in disclosure of Uber’s data breach may provide the political motivation necessary to move the needle. One such bill, the Data Security and Breach Notification Act was proposed by three Democratic U.S. senators at the end of November 2017. In addition to the bill’s broad notification requirements, notable other features include a directive to the FTC to issue data security rules, a requirement that breaches be reported within 30 days, and criminal penalties for any individuals who knowingly conceal a data breach.
Another piece of legislation to watch that is much closer to becoming law is federal autonomous vehicle legislation. In September, the U.S. House of Representatives passed the SELF DRIVE Act, which aims to create a framework for the development and regulation of autonomous vehicles. Under the act, companies deploying autonomous vehicles would have to implement a “privacy plan” outlining the company’s collection, use, sharing, and storage of information about vehicle owners or occupants. On the U.S. Senate side, the Senate Commerce Committee approved the similar AV START Act in October 2017, though the bill is currently held up by holds in the full Senate. The Senate bill would require the National Highway Traffic Safety Administration (NHTSA) to create an online database of vehicle manufacturer privacy policies, and would require manufacturers of autonomous vehicles to implement plans for identifying and reducing cybersecurity risks vehicle safety. Despite its current holdup in the Senate and differences with the House bill, autonomous vehicle legislation remains one of the rare areas with bipartisan support in both houses of Congress, so some form of this legislation has a good chance of being signed into law this year, likely with some variety of privacy and security provisions included.