Newsletter

June 25, 2018

Data, Privacy & Security Practice Report – June 25, 2018
FTC Announces Hearings On Consumer Protection And Competition – Beginning in September 2018 and continuing through January 2019, the Federal Trade Commission (“FTC”) will hold a series of up to 20 public hearings intended to inform its future policy approach to antitrust and consumer protection issues related to data and privacy.

In a press release, the agency noted economic changes, emerging technologies, and international developments as driving factors for potential changes to policy and enforcement agendas. As outlined in its press release, the agency invited the submission of public comments and empirical analyses on a number of topics through August 20, 2018, including, for example, the state of antitrust and consumer protection law and enforcement; the intersection between privacy, big data, and competition; and the agency’s investigation, enforcement, and remedial processes.

During a media roundtable at which this initiative was announced, FTC Chairman Joseph Simons expressed concern over the FTC’s ability to oversee unfair and deceptive practices as they pertain to data security, noting the agency’s inability to prove the consumer harms resulting from a specific data breach at a time when most consumers have already been affected by prior data breaches. Chairman Simons further offered his belief that the FTC lacks the authority needed to inhibit lax data security practices and that he may seek a legislative fix to expand the agency’s data security and privacy authority.

In fact, at his recent confirmation hearing before the Senate Committee on Commerce, Science and Transportation, Chairman Simons was asked by Sen. Richard Blumenthal (D-CT) about the need for better protection for consumers against data breaches and, specifically, about introduced legislation – S. 1900, the Data Breach Accountability and Enforcement Act of 2017. In response, the Chairman stated, “one of the things that I’m extremely concerned about is whether the FTC has sufficient authority to deal with data breaches, particularly in terms of being able to create a sufficient deterrence, and create an incentive for the companies to take care of the consumer data as they should. And right now we don’t have civil penalty authority. And I think that’s something that we should consider very carefully and take a very close look at so I’m very sympathetic to [the] bill and I look forward very much to working with [Sen. Blumenthal] on it.”

Although the date for the first hearing in this series has not yet been set, a dedicated website for electronic comment submissions, information about the scheduled hearings, and related materials can be accessed at www.ftc.gov/ftc-hearings.

Reporter, Julie C. Crawford, Washington, D.C., +1 202 661 7814, jcrawford@kslaw.com.

Canada To Update Data Law To GDPR Standard As A Minimum – The EU General Data Protection Regulation (“GDPR”) came into force on May 25, 2018. With so much recent focus on preparing for and meeting this deadline, there is no doubt that companies will have breathed a sigh of relief to have finally reached the finish line. Or so they thought.

In many ways, this is just the beginning. Among other things, GDPR has acted as a catalyst for “third countries” (i.e., non-EU Member States) to revise and update their data law. This is a logical consequence as many businesses based outside of the EU have to comply with GDPR with regard to their European customers, and some international companies are choosing to implement a single GDPR-compliant standard globally rather than battle the complications of applying different rules around the world. Argentina and Japan, for example, have already started to align their national data protection legislation with GDPR, and Canada is now looking to do the same.

There are already updates to Canada’s data protection rules coming into force in November of this year, but they are not as stringent as GDPR. For example, under Canada’s new federal data breach regulations, companies will be required to report security breaches that pose a “real risk of significant harm” to the federal privacy commissioner and consumers “as soon as feasible,” whereas under GDPR companies must notify regulators and consumers of any data breaches within 72 hours. Particularly in the wake of recent high-profile data leaks and misuse, many in Canada are calling for higher standards to be imposed.

To this end, the Standing Committee on Access to Information, Privacy and Ethics published a report titled “Addressing Digital Vulnerabilities and Potential Threats to Canada’s Democratic Electoral Process” on June 19, 2018, which proposed additional amendments to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), recommending the immediate introduction of measures to ensure that data protections similar to those applicable under GDPR are put in place for Canadians. In particular, the report suggests that Canada’s privacy commissioner should, similar to GDPR, have greater authority to impose hefty penalties, conduct audits, and seize documents should organisations fail to comply with PIPEDA. A private member’s bill regarding this specific recommendation has already been introduced in the Canadian Parliament.

Also on June 19, 2018, the Canadian government launched national consultations on digital and data transformation. The first roundtable discussion between the government and various stakeholders took place in Ottawa on the same day. These roundtables will continue as part of the consultation process across the country throughout the summer, and citizens are also invited to submit responses online. Although the consultation is still in its early days, it appears that there is an appetite in Canada to go beyond GDPR. Former Information and Privacy Commissioner for the Canadian province of Ontario, Dr. Ann Cavoukian, said that “It would be almost like a step back for us not to raise the bar,” and some industry experts are arguing for the new rules to require Canadian companies to undertake independent audits to certify compliance with the new data privacy laws, which goes beyond current GDPR requirements.

Reporter, Jessica Trevellick, London, +44 20 7551 7507, jtrevellick@kslaw.com.

GDPR Feature

This new feature will provide regular insights into GDPR and updates, with viewpoints from the regulators, corporations, and privacy professionals.

European Data Protection Board Backs Ban On “Cookie Walls” – The European Data Protection Board (“EDPB”), established under the General Data Protection Regulation (“GDPR”), said in a statement that the use of so-called “cookie walls” should be prohibited under the proposed EU e-Privacy Regulation.

The EDPB is made up of representatives of national data protection authorities across the EU and the European data protection supervisor. The body replaced the Article 29 Working Party, which previously provided opinions and guidance on matters relating to EU data protection and e-Privacy laws.

The new e-Privacy Regulation, proposed by the European Commission in January 2017, has yet to be finalised by EU lawmakers. The draft Regulation envisages a similar future supervisory role for the EDPB to that set out under GDPR.

Relevant to the use of cookie walls, the EDPB’s statement says that website and mobile app operators should be barred from requiring consumers to agree to the collection and use of their personal data in return for gaining access to their services. The EDPB says that permitting the use of cookie walls would be contrary to the requirements under GDPR, which has clear rules around obtaining consent and the form that consent must take. The EDPB said “In order for consent to be freely given as required by GDPR, access to services and functionalities must not be made conditional on the consent of a user to the processing of personal data or the processing of information related to or processed by the terminal equipment of end-users, meaning that cookie walls should be explicitly prohibited.”

The statement from the EDPB clearly demonstrates that compliance with the consent requirements under GDPR places extensive obligations on all service providers. The consequence of this statement is that service providers (whether website operators or app providers) will need to obtain users’ consent before processing their personal data in connection with access to services and functionalities, employing whatever technical tools are required to obtain it.

In its statement, the EDPB also backed plans outlined by the elected members of the European Parliament to require privacy options to be turned on by default within software settings, and for software providers to offer “a technical solution for websites to obtain a valid consent.”

“[The new e-Privacy rules] should explicitly apply to operating systems of smartphones, tablets, or any other ‘user agent’, in order to ensure that communications applications can take into account the choices of their users, no matter what technical means are involved,” the EDPB said. It went on to say, “[m]oreover, privacy settings should facilitate expressing and withdrawing consent in an easy, binding and enforceable manner against all parties, and users should be offered a clear choice upon installation, allowing them to give their consent if they wish to do so. Additionally, web site and mobile applications should be able to obtain a GDPR compliant consent through privacy settings.”

The e-Privacy Regulation remains in draft form. It is currently unknown when it will become law.

Reporter, Kim Roberts, London, +44 20 7551 2133, kroberts@kslaw.com.