News & Insights

Newsletter

October 15, 2018

Data, Privacy & Security Practice Report – October 15, 2018


Cybersecurity Threats Examined At U.S. Senate Homeland Security And Governmental Affairs Committee Hearing – On October 10, 2018, the U.S. Senate Homeland Security and Governmental Affairs Committee held a hearing entitled “Threats to the Homeland,” with Federal Bureau of Investigation (“FBI”) Director Christopher Wray, Department of Homeland Security (“DHS”) Secretary Kristjen Nielsen, and National Counterterrorism Center Acting Director Russell Travers testifying before the Committee.  The purpose of the hearing was to examine existing and future threats to U.S. homeland security, focusing on the four priority areas identified by the Committee, including cybersecurity. 

In their opening remarks, both Chairman Ron Johnson (R-WI) and Ranking Member Claire McCaskill (D-MO) expressed their continued concerns with the federal government’s ability to detect and defend against cyber threats.  Senator Johnson referenced a recent Office of Management and Budget (“OMB”) report that “found that federal agencies do not possess or properly deploy capabilities to detect or prevent intrusions, or minimize the impact of intrusions when they occur.” Referring to the testimony of previous hearing witness, Senator McCaskill stated, “this new era is akin to cyber trench warfare.”

DHS Secretary Nielsen echoed these concerns in her own testimony, noting that, “cyber attacks now exceed the risk of physical attacks,” and referenced a report by research and market intelligence firm Cybersecurity Ventures estimating that, by 2021, cybercrime will result in $6 trillion in damages annually.  In addition to describing the most pressing cyber threats, Secretary Nielsen outlined the key elements of various DHS cybersecurity initiatives, highlighting DHS’s efforts to collaborate with private industry stakeholders.  Specifically, Secretary Nielsen highlighted the launch of the DHS National Risk Management Center, which “will serve as the central hub for government and private sector partners to share information and to better secure the digital ecosystem together.”  Secretary Nielsen also thanked the Committee for its recent efforts in securing Senate passage of legislation to establish a Cybersecurity and Infrastructure Security Agency (“CISA”) within DHS.  Currently, DHS’s National Protection and Programs Directorate (“NPPD”) is responsible for overseeing federal cybersecurity operations.  Under the legislation, which is expected  to come before the House for final passage during Congress’ anticipated “lame-duck” session following the November elections, CISA would serve as the lead operational agency responsible for federal cybersecurity and infrastructure protection efforts. 

FBI Director Wray’s testimony also focused on cybersecurity threats and the Bureau’s recent response efforts.  Director Wray highlighted the work of the recently established FBI Foreign Influence Task Force, which is focused, in part, on “building even stronger relationships with technology companies through classified briefings and the sharing of actionable intelligence, so that they can better secure their networks, products and platforms.” 

While Members questioned the hearing witnesses on a broad range of national security issues, it was clear that the Committee remains very much focused on the threat of cyber-attacks from both nation states and private actors, particularly with respect to public and supply chain infrastructure vulnerabilities.  Furthermore, it appears that current Administration and Congressional efforts in this space will provide additional opportunities for engagement and input from private sector stakeholders.

We will continue to monitor the Committee’s activities on these issues and provide updates on any significant developments.

Reporter, William Clarkson, Washington, D.C., +1 202 626 8997, wclarkson@kslaw.com.

Senate Holds Hearing To Discuss Federal Data Privacy Legislation – On October 10, 2018, the Senate Committee on Commerce, Science, and Transportation conducted a hearing to discuss the European Union’s recently implemented General Data Protection Regulation (“GDPR”) and California’s Consumer Privacy Act (“CPA”), and what aspects of those laws should be considered in crafting federal data privacy legislation in the U.S. 

The hearing, titled “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act,” follows an earlier hearing on September 26, 2018 where representatives from tech companies testified on current data privacy issues facing companies and the potential benefits of comprehensive federal legislation.  However, in his opening remarks, Senator John Thune (R-S.D.) made clear that “while the experience of such companies is important to consider,” “the next federal privacy law will not be written by industry.” 

Senator Thune cited the recent Cambridge Analytica and Google Plus incidents as examples of why it is time for the U.S. to finally implement federal legislation to govern how consumers’ personal information is used and protected, noting that “it is increasingly clear that industry self-regulation in this area is not sufficient.”  Looking to the recent legislative progress made in the EU in enacting GDPR, Senator Thune called for “open minds about the contours of a bipartisan bill” in light of past failures by Congress to pass comprehensive data privacy legislation. 

Several experts fielded questions from Congress at the hearing, including Laura Moy, Executive Director of the Center on Privacy & Technology at Georgetown Law.  In her prepared testimony, Ms. Moy called for legislation that would “rein in the problematic ways in which Americans’ data is being collected and stored without meaningful limitations.”  Ms. Moy noted that many consumers feel “powerless” in terms of their ability to control the privacy of their personal information, and that legislation must be implemented to regain that control.

Andrea Jelinek, Chair of the European Data Protection Board, wrote in prepared testimony that that GDPR may be able to serve as an inspiration for U.S. legislation, as it is “carefully calibrated so as not to hinder economic development, while keeping in mind the fundamental right of the individuals.”  The core philosophy of GDPR, according to Ms. Jelinek, “is to put individuals at the cent[er] of privacy practices,” and to force companies to “take a closer look at what data they are collecting, what they use it for, and how they keep and share it.”  Ms. Jelinek concluded with saying that “European data protection authorities . . . stand ready to share [their] experience” in the event Congress moves forward with designing similar legislation in the U.S. 

Reporter, Robert D. Griest, Atlanta,  +1 404 572 2824, rgriest@kslaw.com.

International News

European Court Backs Greater Access To Personal Data For Law Enforcement – In a ruling handed down on October 2, 2018, the Court of Justice of the European Union (“CJEU”) held that law enforcement agencies are entitled to access certain categories of “non-serious” personal data held by mobile phone companies and other communications providers.  Notably, the court found that the right to access this type of personal data—which includes first and last names and addresses—does not infringe the right to private life set out in Articles 7 and 8 of the European Charter of Fundamental Rights (the “Charter”). 

The case originated from a police complaint lodged by a Spanish man, a Mr. Hernandez Sierra, in which he sought to recover a stolen cell phone.  In February 2015, Mr. Hernandez Sierra had been the victim of a violent mugging during which he was injured and his wallet and phone were stolen.  With no obvious leads, the Spanish police asked the local court to order several phone companies to provide details of any new telephone numbers associated with Mr. Hernandez Sierra’s handset, as well as data revealing the identity of the users of any newly activated SIM cards, including first names, last names and addresses.

The Spanish court refused to make the order, ruling that Spanish law limits the ability of the police to access personal data retained by electronic communications providers to the investigation of “serious offences” only.  In Spain, “serious offences” are defined as those punishable by five or more years’ imprisonment, and the theft of Mr. Hernandez Sierra’s phone did not appear to constitute such an offence.  The ruling was appealed, and, because the case appeared to engage fundamental rights under the Charter, the appeals court asked the CJEU for a preliminary ruling.

In its ruling, the CJEU confirmed that any accessing of personal data by law enforcement constitutes “interference” with the fundamental right to private life enshrined in Article 7 of the Charter, and with the fundamental right to the protection of personal data guaranteed in Article 8 of the Charter.  In order to be lawful, the court ruled that any such interference had to be “proportionate.”  As such, and in accordance with the principle of proportionality, “serious” interference could be justified only in the prevention, investigation, detection and prosecution of “serious” criminal offences.  Whilst this generally reflected the Spanish court’s position at first instance, the CJEU took its analysis of proportionality a step further, holding that when the interference in question is not serious, law enforcement may be justified in accessing personal data in the context of investigating all criminal offences, including low-value theft.

The CJEU was very careful to draw a line between different categories of personal data based on how much information about a person’s private life such data might reveal.  In this case, the Spanish police had limited their requests to the names and addresses of individuals linked to Mr. Hernandez Sierra’s phone.  The CJEU thought that access to this kind of data represented a “non-serious” level of interference.  By contrast, the court suggested that if the requested information had included location data and details of calls and text messages, that would constitute “serious interference” and would only be proportionate in the context of a serious offence.

Under the EU’s new General Data Protection Regulation (“GDPR”), companies which process personal data (such as mobile phone service providers) are required to undertake a risk assessment and assign a risk rating to different types of personal information.  The CJEU’s categorisation of personal information as “serious” or “non-serious” could therefore serve as a helpful guide for privacy professionals seeking to assess the risk profile of personal data processed under the GDPR.

Reporter, Edward Perkins, London, + 44 (0) 7739098082, eperkins@kslaw.com