The new year will ring in significant privacy, data protection and cybersecurity changes in the U.S., Europe, Asia and elsewhere around the world. Below are some key developments and possible concrete action items for General Counsels, Chief Privacy Officers and Chief Information Officers:
Focus on Cybersecurity
A new cybersecurity framework will be published in February 2014 by the National Institute for Standards and Technology (“NIST”) pursuant to President Obama’s Executive Order. New EU standards are also in process. Additionally, numerous data breaches are likely to trigger more legislation and class action litigation. Finally, courts are developing negligence standards for cybersecurity breaches.
- Corporate boards of directors and CEOs should direct legal, compliance and IT staff to review, conduct and enhance (i) cybersecurity safeguards, (ii) data vulnerability assessments (which are mandated in the healthcare sector, (iii) incident response and reporting protocols, (iv) review insurance coverage and (iv) service provider commitments.
- Companies should consider mapping their corporate cybersecurity standards to their industry's evolving standards being shaped by state law requirements (e.g., Massachusetts), NIST and ISO standards, recommendations of the European Network and Information Security Agency (“ENISA”), safeguards mandated by HIPAA and Gramm-Leach-Bliley, Payment Card Industry Standards, etc.
New International Privacy Laws
New privacy and data protection laws continue to be adopted around the world. Significant legislative developments will be in force in 2014 in China, Kazakhstan, Malaysia, Russia, South Africa, etc.
- Multinational companies should assess how new laws – including new international data transfer restrictions – might apply to their operations.
- Companies without global privacy and data protection compliance programs should consider implementing such processes.
Do Not Track Developments
California’s “Do Not Track” disclosure requirement goes into effect in January 2014. Federal and international regulators are also focused on Internet tracking, but the likelihood of new rules is unclear.
- Website privacy policies should be updated for all sites that collect personal information about California residents.
- Companies must understand how their organizations are collecting, using, sharing, and disposing of information as reliance on form policies can be worse than no policy at all.
Forced Data Localization Requirements and Cloud Computing
Numerous countries have recently implemented (China, Greece, Malaysia, Russia, South Korea, Venezuela, Vietnam, etc.) or are actively considering (Argentina, Brazil, India, Indonesia, etc.) local data server requirements.
- Global companies should review potentially relevant local data requirements and restrictions on cloud computing.
- Multinationals with sufficient interest should consider monitoring and participating in international trade policy initiatives to challenge forced localization as a technical barrier to trade.
EU data protection authorities continue to update their enforcement policies and guidance regarding required disclosures and consents for the use of website cookies.
- Companies with internationally directed websites should evaluate their compliance with and amenability to the jurisdiction of EU cookie requirements.
- In the U.S., companies with child-directed websites, or with actual knowledge that children under 13 use their websites, should determine how the FTC’s amended children’s privacy (“COPPA”) rule applies to their cookie, tracking and “plug-in” practices.
Disequilibrium for Safe Harbor and Cross-Border Data Transfers
Following Snowden revelations, the EU Commission issued a report supporting retention of the U.S.-EU Safe Harbor, but recommending significant revisions, including required disclosure of cloud computing and other service provider contracts relied upon by Safe Harbor members.
- Safe Harbor member companies should monitor possible new requirements or scrutiny by the U.S. Commerce Department, FTC and EU data protection authorities.
- Multinationals relying on EU-approved standard contractual clauses (“model contracts”) and binding corporate rules (“BCRs”) should also prepare for increased scrutiny.
- Companies should assess their systems for responding to law enforcement and national security requests and demands and ensure these align with their posted privacy policies
Anticipating Big Data, Internet of Things and New Technologies
Companies are rushing to invest significant resources to collect, analyze and monetize vast new arrays of transactional, locational and technical data from and about customers, device users, equipment sensors, etc.
- Companies with data-driven agendas should implement information governance controls incorporating privacy and security “by design” to anticipate possible FTC, State Attorneys General and consumer actions.
- New data collection, profiling and analytic initiatives should be tracked, controlled and justified within companies.
- Companies adopting new data collection technologies like facial recognition and drones should anticipate privacy considerations.
New EU Data Protection Regulation
It is unclear whether the current Parliament will vote on and approve a new General Data Protection Regulation, and if so, whether the EU Council of Ministers will take up the same draft. Significant revisions to EU data protection standards are inevitable, however, even though the precise timing and contours of such changes are not entirely predictable. Regardless, very substantial new penalties and citizen remedies are almost certain to be a part of the EU’s new Data Protection Regulation, including fines of up to 5% of annual worldwide turnover or €100 million, whichever is the greater.
- International companies should prepare their international privacy and data protection compliance programs for inevitable increased stringency.
- BCRs may be an increasingly attractive option for promoting global compliance.
Granular State Privacy Legislation and Aggressive Enforcement
States like California and Texas have adopted specific new health privacy standards, and Attorneys General around the US are increasingly aggressive about enforcing consumer protection statutes with respect to online marketing, data breaches, HIPAA, collection of consumer information, etc.
- Companies should carefully survey state law requirements regarding all privacy sectors, information security requirements and consumer protection standards.
- Document compliance efforts to mitigate risks of possible AG enforcement.
Who Is in Charge and What Jurisdiction Applies?
- Companies should map their international and domestic privacy and data protection obligations and develop a clear understanding about which authorities could assert jurisdiction over their operations.
- Choice of law and private dispute resolution clauses should be made clear and balanced so as to enhance their enforceability.