More Privacy, Please - October 2021
Do you want a simple way to keep current on important privacy changes? Avoid sleepless nights wondering whether you missed a privacy speed bump or pothole between annual updates? Worry no longer. Troutman Pepper is pleased to offer More Privacy, Please — a monthly newsletter recapping significant industry and legal developments, as well as trends in the areas of cybersecurity, information governance, and privacy.
U.S. LAWS AND REGULATION
-
The Uniform Personal Data Protection Act: A New Approach to Scoping. The Uniform Law Commission (ULC) recently approved a final draft of the Uniform Personal Data Protection Act (UPDPA), hoping for widespread state adoption. The final draft deviates significantly from existing state privacy laws, most critically in its scope. Among other things, the UPDPA applies to organizations that maintain personal data, regardless of any volume or revenue threshold, unless the organization processes the data "solely using compatible data practices." Compatible data practices are determined by considering six factors, including the data subject's relationship with the controller and the type and nature of the data collected. For a more detailed analysis of the UPDPA, click here.
-
Biden To Nominate Privacy Advocate Alvaro Bedoya as an FTC Commissioner. As detailed in our recent client alert, on September 13, President Biden announced his intent to nominate privacy advocate Alvaro Bedoya to serve as a commissioner of the Federal Trade Commission (FTC). Bedoya's scholarship focuses on the idea that privacy is a civil right, the violation of which implicates civil liberties. Thus, if confirmed, he will likely focus on harms to marginalized groups, both in consumer protection and competition matters. He is also likely to join FTC Chair Lina Khan in pushing the FTC to adopt a more aggressive enforcement and rulemaking agenda.
-
Movement on All Sides Toward Broader Data Privacy and Security Oversight by FTC. This month, the House Committee on Energy and Commerce voted to appropriate $1 billion over 10 years to the FTC to establish and operate a new privacy bureau, representing a significant increase to the FTC's budget. This again signals a trend toward broader national oversight over data privacy and security issues. More information can be found here.
-
FTC Issues Policy Statement "On Breaches by Health Apps and Other Connected Devices." On September 15, the FTC issued a policy statement, "On Breaches by Health Apps and Other Connected Devices," to reiterate the scope of the FTC Breach Notification Rule and remind vendors of its prior guidance. While the FTC acknowledged that it "has never enforced the [r]ule," it cautioned that this policy statement should "place entities on notice of their ongoing obligation to come clean about breaches," signaling that it intends to bring enforcement actions in the future. For those entities not covered by HIPAA, this rule steps in and requires vendors of personal health records (PHR) to notify consumers and the FTC (and in some cases, the media) in the event of a breach or face significant civil penalties. The FTC specifically "advised mobile health apps to examine their obligations under the [r]ule, including through the use of an interactive tool" previously provided by the FTC.
-
Senate Commerce Committee Kicks Off Consumer Privacy Hearing Series. On September 29, the Senate Commerce Committee held the first of a series of hearings on consumer privacy. This hearing, titled "Protecting Consumer Privacy," covered major discussion topics, including the need for comprehensive privacy legislation and the recently proposed $1 billion FTC Privacy Bureau appropriation. Senators from both sides expressed their general support for the comprehensive privacy legislation; however, it was clear that the parties still disagree on many of the major substantive provisions. Senators were also divided on the proposed FTC appropriation. The next hearing in this series, "Enhancing Data Security," is scheduled for October 6.
U.S. LITIGATION AND ENFORCEMENT
-
State Secrets Privilege Prevents Wikimedia's Upstream Surveillance Case. On September 15, the Fourth Circuit determined that the state secrets privilege required dismissal of Wikimedia Foundation's case against the National Security Agency (NSA) for allegedly spying on Wikimedia's communications via "upstream surveillance." Upstream surveillance involves collecting communications as they travel through the internet with the assistance of telecommunications service providers. In Wikimedia Foundation v. National Security Agency, Wikimedia and eight other plaintiffs argued, among other things, that the NSA's upstream surveillance violated the First and Fourth Amendments. During jurisdictional discovery, however, the NSA invoked the state secrets privilege, permitting it to withhold information if disclosure could harm national security. The Fourth Circuit determined that because there is "simply no conceivable defense" to Wikimedia's claims that would not also reveal how the NSA conducted upstream surveillance, the court must dismiss Wikimedia's claims in favor of national security.
-
CFPB Requests Comments on Plans to Study Electronic Disclosure on Mobile Devices. On September 10, the period to comment on the Consumer Financial Protection Bureau's (CFPB) information collection initiative, "Electronic Disclosure on Mobile Devices," closed. The CFPB issued the original request on August 11, in advance of seeking formal approval for the initiative from the Office of Management and Budget. The CFPB intends to conduct several studies using methodologies rooted in psychology and behavioral economics to understand electronic disclosure on mobile devices.
-
CFPB Issues Long-Awaited Notice of Proposed Rulemaking on Small Business Lending Data Collection. On September 1, the CFPB issued a 900+-page notice of proposed rulemaking (NPRM) to implement the small business lending data collection requirements under Section 1071 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. This rule applies to "covered financial institutions," which is broadly defined and includes a variety of entities that engage in small business lending. Financial institutions must consider this rule when determining what types of customer information to collect and retain. To read a more detailed summary of the proposal, click here.
-
Tims v. Black Horse Carriers, Inc. Ruling Clarifies Statute of Limitations Periods for BIPA Claims. On September 17, the Illinois Appellate Court provided its long-awaited decision in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (1st Dist. Sept. 17, 2021), addressing the applicable statute of limitations for claims asserted under Illinois' Biometric Information Privacy Act (BIPA). The question before the court asked which limitations period should apply to BIPA claims: Illinois' "catch-all," five-year limitations period or the one-year limitations period utilized in actions involving a publication "violating the right to privacy." The court ultimately concluded that claims under Sections 15(c) and (d) of BIPA follow the one-year limitations period, while claims under BIPA Sections 15(a), (b), and (e) enjoy the longer five-year limitations. For more detailed information about the recent ruling, please see our Troutman Pepper legal alert found here.
INTERNATIONAL REGULATION AND ENFORCEMENT
-
New UK Standards for Children's Digital Services Take Effect, Providing Framework for New US Law. On September 2, the U.K.'s Age-Appropriate Design Code (also known as the "Children's Code") took effect. The Children's Code denotes a set of 15 flexible standards that apply to online services — such as apps, online games, and web and social media sites — likely to be accessed by children. Notably, U.S. lawmakers have urged online businesses, such as Microsoft, Walt Disney, and Nintendo, to comply with the Children's Code within the United States. In fact, Rep. Kathy Castor recently introduced an updated Protecting the Information of Our Vulnerable Children and Youth Act (the Kids PRIVCY Act), which incorporates key elements of the Children's Code to amend the Children's Online Privacy Protection Act (COPPA). If enacted, the Kids PRIVCY Act would create a protected class of teenagers beyond COPPA's application (i.e., children ages 13-17) and apply to all sites "likely to be accessed by children and teens," not just "child-directed" services. The Kids PRIVCY Act would also repeal safe-harbor regulations allowing for industry self-regulation. To read more about the Children's Code's 15 flexible standards, click here.
-
New EU SCCs Go Into Effect September 27. Beginning September 27, all new data transfer agreements under the General Data Protection Regulation (GDPR) must use the new standard contractual clauses (SCCs) updated in June to reflect the European Union Court of Justice's Schrems II decision. Organizations have until December 27, 2022, to migrate existing SCC arrangements to incorporate the new SCCs. To read more about the new SCCs, click here.
-
ESMA Fines Trade Repository €238,500 for Data Breaches Occurring Over Two-Year Period. The European Securities and Markets Authority (ESMA), the EU's securities markets regulator, imposed a fine of €238,500 against UnaVista Ltd., a UK-based trade repository, for eight violations of the European Market Infrastructure Regulation (EMIR). The EMIR requires trade repositories like UnaVista to regularly provide information to regulators concerning various aspects of their business. According to an ESMA public notice, over a two-year period, UnaVista (1) incorrectly processed data that resulted in incorrect or unreliable regulatory reports, and (2) failed to provide regulators with direct and immediate access to required information. This fine highlights the importance of maintaining adequate data integrity and providing prompt regulatory access.
TROUTMAN PEPPER TEAM SPOTLIGHT: TIM BUTLER
Frequently described as a top-notch trial attorney, Tim Butler focuses his practice on data privacy and technology matters, as well as matters involving financial services firms. His experience working for the Federal Trade Commission (FTC) and various state attorneys general gives Tim a distinct advantage in protecting his clients and guiding their business activities. For more than a decade, Tim has helped clients navigate complex regulatory regimes, prevail in business disputes and class action litigation matters, and obtain favorable outcomes in investigations and enforcement actions brought by the FTC, the Consumer Financial Protection Bureau (CFPB), the U.S. Department of Justice (DOJ), and the various state attorneys general.
Leveraging his regulatory expertise and his experience working as an FTC prosecuting attorney and as a senior official in the Georgia Attorney General's Office, Tim regularly advises clients across many industries on compliance with existing and emerging data privacy and security laws, including the FTC Act, the Gramm-Leach-Bliley Act (GLBA), the Children's Online Privacy Protection Act (COPPA), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Colorado Privacy Act (ColPA), and the Virginia Consumer Data Protection Act (VCDPA). Tim is a Certified Information Privacy Professional (CIPP/US) and a Certified Information Privacy Manager (CIPM).
When not practicing law, Tim enjoys spending time with his three children Eppie (6), Jed (3), and Joe (1), who have their mom's beauty and Tim's intensity. Tim also plays adult league soccer, where he's become his team's leading goal scorer. Lastly, Tim spends some of his leisure time biking — a hobby inspired by a former mentor who bought Tim his first road bike, which Tim honorarily named "Claude" after his mentor.
WEBINARS
-
How 2020 Has Blurred Attorney Client Privilege in Incident Response | Tuesday, October 5, 2021 | 11:40 a.m. PT
As part of the NetDiligence Cyber Risk Summit, Troutman Pepper Partner Ron Raether will moderate a panel discussion on "How 2020 Has Blurred Attorney Client Privilege in Incident Response." Held at the Loews Santa Monica Beach Hotel in California, this conference features two full days of panel discussions by leading cyber experts who will share their insights on hot topics, trends, and cybersecurity concerns. For more information, please click here.
-
Trade Secret Theft and Protecting Sensitive Information in the Age of COVID-19 | Thursday, October 14, 2021 | 2 - 3:30 p.m. ET
With the increase of remote work due to COVID-19, companies need to identify ways to mitigate the risks of trade secret theft and the misappropriation of sensitive company data now more than ever.
Please join us for a multidisciplinary, collaborative webinar with members from our Labor and Employment; Cybersecurity, Information Governance, and Privacy; and Intellectual Property teams as they share best practices and discuss recent legal developments on these issues. The webinar will provide practical tips for companies to safeguard critical assets, protect themselves against bad actors, and if the need arises, respond to a data breach. To register, please click here.
-
Financial Privacy and Data Security | Thursday, October 21, 2021 | 3:10 - 4:10 p.m. ET
Troutman Pepper Partner Ron Raether will serve as a featured speaker during the panel discussion "Financial Privacy and Data Security" at the American Bar Association's Consumer Financial Services Basics Virtual Conference. Presenters will discuss key restrictions on the use and disclosure of consumer financial information, including the Gramm-Leach-Bliley Act's privacy provisions and the Affiliate Marketing Rule. The panel will also examine federal and state laws requiring financial institutions to safeguard consumer information, and the impact of data security breaches on the financial services industry. For additional information or to register, please click here.
RECENT TROUTMAN PEPPER PUBLICATIONS
-
Sued for a Data Breach Out of State? Don't Forget a Personal Jurisdiction Defense
-
Hoping for a One-Year Statute of Limitations Under Illinois BIPA?
-
New UK Standards for Children's Digital Services Take Effect – Provides Framework for New US Law
-
Movement on All Sides Toward Broader Data Privacy and Security Oversight by FTC
-
The Uniform Personal Data Protection Act: A New Approach to Scoping