Data, Privacy & Security Practice Report – December 5, 2016

EPIC Recommends Privacy Standards For Automated Vehicles – On November 23, 2016, the Electronic Privacy Information Center (“EPIC”) issued a 17-page comment document to the National Highway Traffic Safety Administration (“NHTSA”) to highlight the privacy risks of automated vehicles and to recommend revisions to NHTSA’s Federal Automated Vehicle Policy (the “Policy”).  EPIC is a public interest research group established in 1994 to “focus public attention on emerging privacy and civil liberties issues and to protect privacy, freedom of expression, and democratic values in the information age.”

NHTSA published the Policy on September 19, 2016, as a “starting point that provides needed initial guidance to industry, government, and consumers” over how best to address the variety of challenges posed by automated vehicle technology.  (See Request for Comment on “Federal Automated Vehicles Policy,” 81 Fed. Reg. 65,703 (Sept. 23, 2016).)  The Policy added definition to NHTSA’s future handling of automated vehicles in several areas, for example, by classifying vehicles according to their level of automated function.  Public comments to the Policy were due by November 22, 2016.  (Id.) 

In making its comments, EPIC urged NHTSA to revise the Policy to mandate compliance with the Consumer Privacy Bill of Rights (“CPBR”), establish new oversight authority, and protect state privacy rules for autonomous vehicles.  EPIC cited the “troves” of sensitive personal data that automated vehicles collect and disclose and how such data can be used by advertisers:  “advertisers are eager to know, for example, how long a car has been running to determine ‘from the navigation system, they’re about to pass a McDonald’s, the car’s been running for three hours and the child’s probably hungry.’”

EPIC continued by citing what it views as deficiencies in the notices provided by car manufacturers to consumers regarding data collection practices, stating that notices “fail to inform consumers about the true scope of data collection, and none give consumers true control over their data.”

Noting that NHTSA endorsed the CPBR, EPIC recommended that NHTSA revise the Policy in a manner consistent with the CPBR:  “Specifically, NHTSA should remove references to [‘]data privacy notices/agreements[’] in order to restore substantive rights to consumers and limit carmakers’ ability to hide behind incomprehensible privacy policies.  Most importantly, NHTSA should promulgate mandatory, legally enforceable privacy rules for automated vehicle manufacturers.  Voluntary codes of conduct and industry self-regulation simply cannot provide realistic privacy  protections when they are not supported by enforceable legal standards.”

The NHTSA Federal Automated Vehicle Policy can be found here. The request for comments can be found here. The EPIC comments can be found here.

Reporter, Stephen Abreu, San Francisco, CA, +1 415 318 1219, sabreu@kslaw.com.

UK Surveillance Bill Becomes Law – On November 29, 2016, the United Kingdom’s controversial surveillance bill received royal assent and officially became law.  The nearly 300-page law, known as the Investigatory Powers Act 2016, replaces and expands upon the Data Retention and Investigatory Powers Act 2014 (“DRIPA”), which is set to expire on December 31, 2016.  The new law has been heavily criticized by civil liberties groups and tech companies.  The UK’s Home Secretary, Amber Rudd, however, referred to the new law as “world-leading legislation” that provides “unprecedented transparency and substantial privacy protection.”

According to the UK’s Home Office, the government department responsible for immigration and counter-terrorism, the new law is necessary so that law enforcement and security and intelligence agencies have the powers they need in a digital age to disrupt terrorist attacks.  The Home Office describes the law as “world-leading” due to the fact that its most intrusive elements require the issuance of a warrant approved by both the Secretary of State and a senior judge – referred to as a “double-lock” approval system.  Additionally, a new Investigatory Powers Commissioner will oversee how the powers are used, and tough criminal sanctions can be imposed for misuse.  When the legislation was introduced, former Home Secretary (now Prime Minister) Theresa May emphasized that the proposal did not compel overseas companies to comply with domestic retention obligations.

The Investigatory Powers Act’s most hotly debated provisions permit authorities to access individuals’ web browser histories without a warrant and force companies, subject to a warrant, to decrypt customer devices and data.  Specifically, the law requires internet service providers and telecommunications providers to retain users’ “internet connection record,” which includes a user’s web browser history, for up to 12 months.  Authorities may then access a user’s internet connection record with the approval of a “designated senior officer” within the government.  The law also requires companies to maintain the ability to remove any encryption of its devices or data and to assist authorities in circumventing encryption.  The threshold for requiring companies to decrypt data is high, however; it can only be achieved by obtaining a warrant through the “double-lock” system, which requires approval from both the Secretary of State and a senior judge.

Leading up to its passage, the Investigatory Powers Act was heavily criticized by civil liberties groups and tech companies.  The UK civil liberties group, Liberty, said the law had “eye-wateringly intrusive powers and flimsy safeguards” and called the law “world-leading – but only as a beacon for despots everywhere.”  In December 2015, shortly after the draft legislation was announced, Apple submitted an 8-page letter to the joint select committee considering the draft bill.  Apple argued that weakening encryption would diminish security protections for hundreds of millions of law-abiding customers just so authorities could decrypt data for the very few who pose a threat. 

The law may complicate the UK’s data transfer agreements with members of the European Union.  The United States and the EU negotiated a new basis on which international data transfers from the EU to the US are permissible – the Privacy Shield.  Agreement on the Privacy Shield was reached over the summer following the EU Court of Justice striking down the existing Safe Harbor data sharing agreement out of concern that it did not provide an adequate level of protection for EU citizens’ data.  However, having voted to leave the EU, the UK may find itself in a position that it has to negotiate with the EU with respect to its own ability to share data within the EU.

The Investigatory Powers Act, particularly the provisions permitting bulk data collection, may face future legal challenge, as has been the case with DRIPA, which is currently subject to a challenge before the EU Court of Justice.  A decision on this matter is expected by the end of the year.  Although DRIPA will be repealed on December 31 and replaced by the Investigatory Powers Act, a decision adverse to DRIPA likely would impact future challenges to the Investigatory Powers Act.  

Reporter, Drew Crawford, Washington, DC, +1 202 626 5512, dcrawford@kslaw.com. 

Proposed German Law Could Curtail Privacy Rights—Although Germany has tended to advocate relatively strict data protection laws, a recently released draft law could call into question the extent to which Germany will protect privacy rights in the future.  The stated purpose of the proposed law, which was drafted by Germany’s Interior Minister Thomas de Maizière, is to help implement the tougher European Union privacy rules that take effect in 2018.  However, commentators have criticized some of the law’s provisions for failing to adequately protect citizens’ privacy.  

Commentators have identified a few controversial provisions in the proposed law.  For example, under one of those provisions, Germans would not have to be informed about the kind of data collected on them if revealing such information disadvantages the well-being of Germany or might seriously endanger business activities.  Other provisions of the proposed law would also greenlight facial recognition software for video surveillance and prevent data protection commissioners from either sanctioning security agencies for breaches or fully investigating suspected breaches of people’s medical and legal records.  While commentators have been quick to react to the proposed law, it is important to note that the proposed law is only an initial draft, and it is likely to undergo significant revisions before it is adopted. 

The draft law was released roughly one week after Germany’s 10th IT Summit in Saarbrucken.  During that Summit, German Chancellor Angela Merkel pushed for a new way of thinking about data protection laws.  In her remarks, Merkel noted while it is important to protect personal data, it is also important to enable new developments.  Therefore, she cautioned that countries must be careful not to apply the EU General Data Protection Regulation too restrictively lest it interfere with big data management.  De Maizière, who also spoke at the Summit, echoed Merkel’s comments.  Taken together, the draft law and Merkel’s and de Maizière’s comments could suggest that a shift may be taking place in the German government’s approach to online privacy and data protection. 

Reporter, Ashley B. Guffey, Atlanta, + 1 404 572 2763, aguffey@kslaw.com.