News & Insights


June 12, 2018

Data, Privacy & Security Practice Report – June 12, 2018

Senate Holds Hearing On Malicious Drone Legislation – On June 6, 2018, the U.S. Senate Committee on Homeland Security and Governmental Affairs held a hearing on Senate Bill 2836, the Preventing Emerging Threats Act of 2018. The focus of the hearing was “Countering Malicious Drones.”  Committee Chairman Ron Johnson (R-Wis.) and Ranking Member Claire McCaskill (D-Mo.) both noted that a massive growth in drone usage has led to a significant number of drone flights over sensitive areas or drones performing suspicious activities. Corporations have similarly experienced a rising incidence of drone flights over private property, with increasing risk of damage or corporate espionage.

The Committee heard testimony from four witnesses: David Glawe, Under Secretary for Intelligence and Analysis with the Department of Homeland Security (DHS); Hayley Chang, Deputy General Counsel for DHS; Scott Brunner, Deputy Assistant Director of the FBI; and Angela H. Stubblefield, Deputy Associate Administrator with the Federal Aviation Administration (FAA). All noted the significant growth in drone usage throughout society. Ms. Stubblefield also noted that drone technology “represents the fastest growing sector in aviation today.”

Each witness also discussed the many threats that this growth and the increase in drone capabilities present. In addition to the possibility that drones could be used to carry dangerous or contraband payloads—for example, bombs or narcotics—drones present significant threats of espionage and cyber-attacks on government and corporate targets. For example, the DHS witnesses testified that researchers recently demonstrated using a drone to gain access to and siphon information from wireless networks. An increase in drone traffic also increases the potential for negative impacts on other air and ground traffic as well as possible disruption of emergency response services.

The witnesses agreed the biggest problem is that government entities currently lack strong mechanisms to secure airspace against drones and to enforce current rules and regulations against drones. Only the Department of Defense (DOD) and the Department of Energy (DOE) currently have authority to implement counter-drone measures on their properties. Ms. Stubblefield noted that the FAA has worked with DOD and DOE to implement enforcement mechanisms, but more coordination with other government agencies is necessary for enforcement or similar purposes.

As a result of these threats and the current enforcement limitations, Senators Johnson and McCaskill introduced S.2836 on May 14, 2018. The bill, which has five other co-sponsors, provides DHS and the Department of Justice (DOJ) broad authority to detect and monitor drones, and to disrupt, seize, or destroy drones where necessary. The bill requires DHS and DOJ to coordinate with the FAA and with the Department of Transportation on enforcement activities. The bill also provides significant privacy protection, requiring that any data collection be limited to what is absolutely necessary (and within the scope of the Fourth Amendment) and requiring that any collected data be destroyed within 180 days (subject to certain limited exceptions).

To date, no activity has been taken on S.2836 beyond last week’s hearing. We will follow the progress of the bill and provide updates on any changes.

Testimony from the hearing is available here. The text of S.2836 is available here.

Reporter, Alex Yacoub, Atlanta, +1 404 572 2758,

GDPR Feature

This new feature will provide regular insights into GDPR and updates, with viewpoints from the regulators, corporations, and privacy professionals.

German Court Rules On Excessive Use Of Personal Data Under GDPR – On May 29, 2018, the German Regional Court of Bonn ruled on the principle of data minimization under Regulation (EU) 2016/679 (GDPR), which requires companies to limit the processing of personal data to what is necessary in light of the purpose of the processing. The decision focuses on the amount of personal data that domain registrars may collect upon domain name registration. It underscores the importance of ensuring that processing is limited to only that data which a company actually requires to meet its business need.

Only a few days after GDPR became effective, the Regional Court of Bonn ruled on the new EU-wide data privacy regulations. The Internet Corporation for Assigned Names and Numbers (“ICANN”) sought to force the German domain registrar EPAG to gather not only information on domain name registrants, but also on the administrative contact responsible for administrative questions and the technical contact responsible for any technical questions on behalf of the registrant in connection with the new domain. With GDPR in force, EPAG did not agree to collect this additional information as it did not appear to be necessary.

In order to force EPAG to continue collecting and processing this additional information, ICANN filed a motion for a preliminary injunction with the Regional Court of Bonn on May 25, 2018. ICANN argued that receiving the information on the administrative and the technical contact is necessary in order to properly handle any technical, legal, or administrative issues in connection with the domain name. However, in its decision of May 29, 2018, case file 10 O 171/18, the Court held that ICANN had not provided evidence that there was a sufficient need to collect and process administrative or technical contact information in compliance with Art. 6 (1) of GDPR. According to the Court, such additional information was not necessary to properly identify and contact the person responsible for content published on a website, as any issues with a website could be solved by contacting the registrant. Therefore, the Court found that collecting this additional information contradicted the principle of data minimization set out in Art. 5 (1) of GDPR.

While it remains to be seen how other European courts will interpret this provision of GDPR, this early decision in Germany demonstrates the importance of assigning a specific business purpose to each and every instance of collecting, using, and storing personal data.

Reporter, Elisabeth Kohoutek, Frankfurt, +49 (69) 257 811 401,


The K&S FinTech and Beyond Summit – The K&S FinTech and Beyond Summit will be held this Thursday afternoon at the Palace Hotel in San Francisco.  The Summit is titled “The Regulation of Payments, Cryptocurrencies and the Blockchain,” and will include a dialogue between business, legal, and regulatory stakeholders to examine the opportunities and challenges recent developments in these sectors are presenting to regulatory compliance and product innovation.  Additional details about the upcoming Summit, including registration information and the agenda, can be found here.