*This post originally appeared in Law360 on January 7, 2016.*
While 2015 was a big year in data, 2016 may prove to be even bigger. Many hot button and game changing topics are being debated in legislative bodies and campaign trails, regulators are focused, and privacy-related litigation continues to rise. Below, we count down the top ten cybersecurity, data protection and privacy issues to watch in 2016.
- Data Localization Laws
In September 2015, Russia announced the implementation of what is broadly considered the world’s most onerous data localization law applicable to personal data of its citizens. Recently, Russia’s data protection authority announced that it will conduct more than 1,000 data localization audits or “inspections.” Media reports indicate that many major American technology companies have taken steps to comply with its provisions, but details regarding these compliance efforts (which include the advent of “regional clouds”), as well as regulatory enforcement, remain to be seen. In particular, the issue remains whether all of the data or merely a copy of the data will need to remain in country. Data localization bills are driven by a myriad of policy goals, including furthering law enforcement/intelligence community access to data, a desire to ensure a purportedly higher standard of privacy or security, and even rank economic protectionism. Data localization is one of the most popular such proposals, and 2016 may indeed see many more. The pressure for data localization heightens the importance of the Microsoft case pending in the Second Circuit challenging the federal government’s warrant for data stored in Ireland, and of ongoing efforts to update and streamline the process for requests under Mutual Legal Assistance Treaties (MLATs).
- Internet of Things and Ubiquitous Computing
The Federal Trade Commission issued a significant report in early 2015 on Internet of Things (“IOT”) technologies and is expected to scrutinize the use of such technologies that collect sensitive personal information, particularly health data. So far, the Commission has brought only one IOT enforcement action of note (back in 2013) against TRENDnet Inc., which sold video cameras allowing consumers to remotely monitor their homes. But the FTC has stated that it plans to continue to focus on IOT technologies in the coming year. Particularly as the Internet of Things compounds the creation of potentially useful data, we expect this to be a significant topic for regulatory, self-regulatory and potentially legislative interest. Companies should particularly consider evolving standards regarding IOT technologies that implicate ubiquitous data collection, unexpected uses of consumer data, and/or heightened security risks. Industrial internet applications also need to be considered. While they would not necessarily trigger consumer protection obligations or consequences, they could implicate data ownership, contractual rights, putative duties to warn or notify, as well as other statutory or common law considerations. The FTC and other regulators continue to focus on the collection of personal information via mobile devices and apps. In particular, the Department of Health and Human Services launched a new platform for mobile health developers and others interested in designing mobile technologies that comply with HIPAA. We expect to see further regulatory guidance (and enforcement actions) in this space in the new year. In the meantime, companies need to carefully examine the commitments they make to consumers and consider how mismanagement or breach of the personal information they collect could impact consumer trust and their bottom line.
- The FCC Awakens
In February of this past year, the FCC approved the Open Internet Order, which re-classifies broadband providers as a “telecommunications service” under Title II of the Communications Act and applies most of Title II’s consumer protection obligations to broadband providers. While the bulk of the proposal focuses on proposed “net neutrality” broadband provisions, the FCC indicated that Section 222’s consumer privacy protections will apply to mobile broadband providers. The agency is expected to engage in a rule-making process this year and should be issuing a proposed regulation in the coming months. Outside of the net neutrality context, the agency has made high-profile personnel additions to its enforcement staff and issued significant enforcement actions, including a $595,000 fine against Cox Communications over a breach involving 54 Cox customers.
- Government Surveillance and Encryption
Continued debate about the appropriate role and capability of government surveillance and interception of communications will remain a top priority as governments around the world seek to renew, expand, and clarify their authorities amid a dynamic technological landscape. In a United States election year, Congress faces the key issue of whether to confront the long-needed amendments to modernize the Electronic Communications Privacy Act, and it may turn its attention to Section 702 of the FISA Amendments Act, a provision criticized by Edward Snowden that is due to expire at the end of 2017. Even as privacy and civil liberties advocates continue to focus on surveillance conducted by the United States government, countries such as the United Kingdom are considering sweeping changes, and potential expansions, to their surveillance frameworks. A corollary to this discussion is governments’ ability to compel decryption of encrypted communications, a debate which looks certain to continue through 2016 as a front-page global issue. Increasing consumer use of encryption technologies has led governments to call for technical solutions (including much-criticized “mandatory back door” proposals) or legal authorities that would permit access to such communications, despite the obvious harm to consumer information security. China’s counterterrorism law, enacted in December 2015, may be used to compel decryption of communications, and other recently enacted laws require companies to use “secure and controllable” technologies; the United Kingdom is currently considering an overhaul of its investigatory authorities that could require technology companies to make communications available in decrypted form. At the same time, the United States has announced that it is not currently seeking such authorities, and countries such as the Netherlands have reaffirmed their support for “strong encryption.”
- The Development of Cybersecurity Standards
The Cybersecurity Act of 2015, signed into law in December 2015 as part of an omnibus spending bill, establishes a long-contemplated information sharing framework for cyber threat indicators and certain liability shields for information sharing and certain other cybersecurity actions. The Department of Homeland Security has been tasked with developing guidelines to protect privacy and other civil liberties by mid-February 2016, which will likely spur significant public debate and commentary regarding the potential impact of such public-private information sharing. The NIST Cybersecurity Framework continues to expand rapidly in its adoption, and the counterpart privacy standard still waits in the wings. While the cyber threat protection standards and information sharing remain ostensibly voluntary, litigation and regulatory inquiries in the aftermath of a cybersecurity incident may give rise to a de facto standard of care that would require companies to participate in such efforts to mitigate cyber risks. In the EU, a new network security directive has also mandated the development of new cybersecurity and incident reporting standards for critical infrastructure industries including finance and other standard CI sectors, but also covering search engines, ecommerce platforms and cloud computing. The directive will require implementation into national law by each of the EU member states.
- Regulators Flexing Enforcement Powers on Data Protection and Privacy Issues
HHS, the FTC and state AGs have for many years been the key regulators in the US privacy arena. This is changing with a proliferation of additional regulatory authorities emerging as data protection regulators and even extracting serious enforcement penalties. Expect to see expanding enforcement and oversight on these issues from a wide range of regulators such as the FCC, SEC, CFPB, and state insurance regulators. And following on the FTC’s notable $100 million settlement with LifeLock and DOJ’s criminal HIPAA enforcement against an employee of a pharmaceutical manufacturer, we may also see increased aggressive enforcement by the FTC, HHS, and state AGs to maintain their leading roles. Further, the increase in potential penalties under the European General Data Protection Regulation is likely to spur an increase in activity from data protection authorities across Europe.
- Big Data
Big Data continues to be an emerging issue across industries and will continue to be at the forefront of discussion globally in 2016. On January 6, the FTC kicked off the new year by releasing a new report with recommendations to businesses on the growing use of big data: Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues. Rather than focusing on prior themes of notice, choice and security, the 2016 Big Data Report focuses on the big data life cycle, and considerations to mitigate consumer harm or discrimination from big data uses. On January 14, the FTC will hold PrivacyCon, a conference for researchers, industry representatives, consumer advocates, and regulators to discuss big data and consumer privacy. Big Data issues are also a key focus of the EU Digital Agenda initiative, particularly on open access to public sector information and facilitation of scientific research. Big Data use is expected to grow in 2016 as data becomes increasingly agile and widespread, and technologies and related algorithms continuously add new ways to collect, observe, and measure information. While public perception of Big Data is often mixed due to fear of unknown implications and concern over discriminatory use, it also holds potential for hugely beneficial advances, such as in transportation, health care, and retail applications. Government entities often reflect a similar ambivalence, though guidance thus far has remained technology neutral.
- A New Transatlantic Data Transfer Framework
Fallout continues over the invalidation of the US-EU Safe Harbor framework in October 2015. In November, the European Commission issued guidance on the transatlantic transfer of European citizens’ data with an emphasis on contractual solutions, though intense work continues towards a new Safe Harbor agreement. A new framework is expected to be revealed early in 2016, and Florence Raynal, an EU Article 29 Data Protection Working Party official, has said that EU data protection authorities should be ready to evaluate Safe Harbor alternatives by the end of January 2016. Through the fall of 2015, EU data protection authorities were evaluating the impact of the October 2015 invalidation of Safe Harbor, and issuing a range of warnings related to EU-US transfers. Even with a new framework, transatlantic data transfers face a period of continued uncertainty, as challenges to such a framework as well as to alternative mechanisms like Model Clauses make their way through data protection authorities and the EU judicial system. Some of the more aggressive data protection authorities and parliamentarians in the EU have called the latter options into question too, and the Article 29 Working Party has indicated it will take up the issue.
- Class Actions, Statutory Standing and the Spokeo Decision
The Supreme Court is expected to issue its decision in Spokeo, Inc. v. Robins, which presents the issue of whether violation of the Fair Credit Reporting Act, standing alone without evidence of concrete damages, confers an injury in fact under Article III of the Constitution and establishes sufficient grounds for standing. The case illustrates the difficulty in defining particularized harm when one’s privacy is invaded without resulting in clear economic damages. The Court’s decision could provide important precedent for the pleading necessary to survive a motion to dismiss statutory claims. The case could have implications for claims brought under not only FCRA but also the Telephone Consumer Protection Act, the Children’s Online Privacy Protection Act, the Electronic Communications Privacy Act, state data breach statutes to the extent they offer statutory rights of action, and myriad other federal and state laws.
- The EU General Data Protection Regulation
In 2016, the European Commission plans to unify, streamline and strengthen EU data protection law with a single General Data Protection Regulation (GDPR). After nearly four years of debate, the EU Council of Ministers and European Parliament reached a tentative agreement on the proposed EU General Data Protection Regulation, which is expected to be formally adopted in the first half of 2016. The Regulation will provide for significant fines (up to 4% of gross annual turnover) for noncompliance. Other critical provisions will broaden the scope from the current application of EU data protection law, simplify businesses’ compliance processes through lead data protection authorities, establish new data protection rights and enhanced accountability principles, require the appointment of corporate data protection officers, and mandate certain 72-hour data breach reporting. Big Data applications and consumer profiling may also be more challenging under the new EU regime. The draft Regulation contains a two-year transition period after it takes effect to allow data protection authorities time to implement the new oversight provisions and for companies to review and expand their data protection compliance programs. This European policy overhaul will surely keep privacy professionals hopping through 2016 and beyond.
Good luck to all and best wishes for the new year!