News & Insights


April 17, 2017

Data, Privacy & Security Practice Report – April 17, 2017

Senate Committee Advances Cybersecurity Bill For Small Businesses — The U.S. Senate will soon consider legislation aimed at providing simplified resources to help small businesses protect themselves and their customers from cyber threats.  The bill, entitled the MAIN STREET Cybersecurity Act of 2017 (an abbreviation for the Making Available Information Now to Strengthen Trust and Resilience and Enhance Enterprise Technology Cybersecurity Act of 2017), was approved by the Senate Commerce, Science, and Transportation Committee on April 5.   

As currently written, the legislation would require the National Institute of Standards and Technology (“NIST”) to develop and disseminate resources tailored to small business and their specific cybersecurity needs.  In particular, the guidance would include “simple, basic controls to assist small business concerns in defending against common cybersecurity risks.”  The guidance would also focus on tools that are “technology-neutral” and that “can be implemented using technologies that are commercial and off-the-shelf.”  NIST would also be required to consider methods adopted through the Small Business Development Cyber Strategy, which was enacted last year by Congress and aims to strengthen small business cybersecurity by enhancing infrastructure.

Senator Brian Schatz (D-HI) introduced the bill on March 29.  It is co-sponsored by a bipartisan group of senators, including Commerce, Science, and Transportation Committee Chairman John Thune (R-SD) and ranking member Bill Nelson (D-FL).  The U.S. Chamber of Commerce and the National Small Business Association both support the legislation.   

Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214, 

Europe’s Proposed ePrivacy Regulation Receives Support Of Member State Working Group — Last week, the European Union’s (“EU”) data protection authority, known as the Article 29 Working Party (“Working Party”), declared its support for the European Commission’s (“EC”) proposed ePrivacy Regulation (alternatively, the “Proposal”).  The Working Party’s report praised the proposed ePrivacy Regulation for broadening the coverage of existing regulations to cover metadata and the intrusiveness of cookies.  The Working Party expressed concern, however, that the proposed regulation did not do enough in some areas, such as allowing users to opt out of tracking software.

In January 2017, the EC published the proposed ePrivacy Regulation, which would replace the ePrivacy Directive of 2002 (2002/58/EC) and the Cookie Directives of 2009 (2009/136/EC).  As discussed in a previous King & Spalding newsletter, the proposal includes rules on the confidentiality of electronic communication data, the use of cookies on websites, and direct marketing practices.  The proposal also covers for the first time so-called “over-the-top” (“OTT”) providers, such as WhatsApp, Facebook Messenger, and Skype. 

The Working Party, which is made up of a representative from the data protection authority from each EU member state and provides expert advice to the member states regarding data protection, welcomed the Proposal’s “broad prohibitions and narrow exceptions, and the targeted application of the concept of consent.”  However, the Working Party noted concern regarding the Proposal’s failure to address the tracking of the location of terminal equipment, the conditions under which the analysis of content and metadata is allowed, and the default settings of terminal equipment and software with regard to tracking walls. 

The EC’s goal is to adopt the new ePrivacy Regulation by May 25, 2018, at the same time the General Data Protection Regulations are set to become effective.  As a European regulation, the ePrivacy Regulation will be directly applicable in all EU Member States once it enters into force.

A copy of the report, entitled “Opinion 01/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC)”, can be found here.

Reporter, Drew Crawford, Washington, DC, +1 202 626 5512,

House Republicans Urge FCC To Protect Online Privacy  —  In a letter to Federal Communications Commission (“FCC” or the “Agency”) Chairman Ajit Pai, 50 Republicans in the House of Representatives urged the FCC to rectify the 2015 Open Internet Order’s reclassification of broadband under Title II of the Communications Act of 1934 (the “Communications Act”).  Prior to the 2015 reclassification, online privacy was protected by the Federal Trade Commission (“FTC”).  In reclassifying broadband, the “FCC created a blind spot where the [FTC’s] common carrier exception left internet service providers without a privacy regulator,” the letter said.  The reclassification “inappropriately” removed internet service providers from the jurisdiction of the FTC.

The letter, signed by House Energy and Commerce Committee Chairman Greg Walden (R-OR), Communications and Technology Subcommittee Chairman Marsha Blackburn (R-TN), and Consumer Protection Subcommittee Chairman Bob Latta (R-OH), further indicates that, “[t]he FTC’s time-tested approach to privacy has protected Americans’ [sic] since the dawn of the Internet.  An FCC approach that mirrors the FTC will continue to protect consumers in this tumultuous time.” 

Until the FCC rectifies the reclassification that removed internet service providers from the FTC’s jurisdiction, the lawmakers advised the FCC and Chairman Pai to continue to hold internet service providers to their privacy promises.  The authority vested to the FCC under Sections 201 and 202 of the Communications Act charge the Agency with protecting consumers against unjust and unreasonable practices.  “We believe this language provides the necessary authority to protect customers in a similar manner to how the FTC protects consumers under its authority to prevent unfair and deceptive acts and practices,” the letter said. 

The letter was sent after U.S. President Donald Trump signed a bill repealing FCC regulations adopted in October 2016 under the Obama Administration, requiring internet service providers to do more to protect customers’ privacy, including obtaining customer consent before using precise geolocation, financial information, health information, children’s information, and web browsing history for advertising and marketing purposes.  The repealed regulations were the result of the FCC’s efforts to apply the Communications Act’s privacy requirements to internet service providers after reclassifying them in 2015.

Reporter, Ahmad Asir, Silicon Valley, +1 650 422 6709,


King & Spalding’s 2017 Cybersecurity & Privacy Summit — On Monday, April 24, 2017, make plans to join the cybersecurity and privacy experts from King & Spalding and PwC, as well as representatives from the U.S. Department of Justice, the Federal Trade Commission, Georgia Institute of Technology, The Home Depot, and TSYS, to learn about the latest strategies for protecting your company against the legal and financial risks of cybersecurity breaches and other privacy incidents.  Click here for more information and to register for the Summit. 

Mobile Marketing: The Legal Guardrails — On Thursday, April 13, 2017, Stewart Haskins and Anush Emelianova presented a CLE about the legal issues surrounding marketing to consumers with mobile phones.  The presentation covered TCPA compliance, data breach response, potential legal ramifications of geofencing, and other recent data privacy and security developments and issues.