Privacy & Information Security Law Blog

On September 22, 2015, the Securities and Exchange Commission (“SEC”) announced a settlement order (the “Order”) with an investment adviser for failing to establish cybersecurity policies and procedures, and published an investor alert (the “Alert”) entitled Identity Theft, Data Breaches, and Your Investment Accounts.

On September 8, 2015, representatives from the U.S. Government and the European Commission initialed a draft agreement known as the Protection of Personal Information Relating to the Prevention, Investigation, Detection and Prosecution of Criminal Offenses (the “Umbrella Agreement”). The European Commission’s stated aim for the Umbrella Agreement is to put in place “a comprehensive high-level data protection framework for EU-U.S. law enforcement cooperation.” The Umbrella Agreement has been agreed upon amid the ongoing uncertainty over the future of the U.S.-EU Safe Harbor, and was drafted shortly before the release of the September 23 Advocate General’s Opinion in the Schrems v. Facebook litigation. The content of the Umbrella Agreement is in its final form, but its implementation is dependent upon revisions to U.S. law that are currently before Congress.

On September 23, 2015, Advocate General of the European Court of Justice Yves Bot issued his Opinion in the case of Max Schrems, which is currently pending before the Court of Justice of the European Union (the “CJEU”). In the opinion, the Advocate General provided his views concerning two key issues related to the U.S.-EU Safe Harbor Framework: (1) the powers of national data protection authorities to investigate and suspend international data transfers made under the Safe Harbor Framework and (2) the ongoing validity of the European Commission’s Safe Harbor adequacy decision (Decision 2000/520).

On September 15, 2015, Judge Magnuson of the U.S. District Court for the District of Minnesota certified a Federal Rule of Civil Procedure 23(b)(3) class of financial services institutions claiming damages from Target Corporation’s 2013 data breach. The class consists of “all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.”

On September 15, 2015, the Office of Compliance, Inspections and Examinations (“OCIE”) at the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert outlining its latest cybersecurity examination priorities for SEC-registered broker-dealers and investment advisers.

On September 17, 2015, Prime Minister David Cameron issued a Written Ministerial Statement, announcing that policy responsibility for data protection issues and the UK Information Commissioner’s Office (the “ICO”) will both be transferred from the Ministry of Justice (the “MoJ”) to the Department for Culture, Media & Sport, (the “DCMS”) with the changes taking effect on the same date. Existing data protection policy teams at the MoJ also will move to the DCMS.

On August 20, 2015, the Bavarian Data Protection Authority (“DPA”) issued a press release stating that it imposed a significant fine on a data controller for failing to adequately specify the security controls protecting personal data in a data processing agreement with a data processor.

On September 2, 2015, the Information Commissioner’s Office (the “ICO”) announced an investigation into the data sharing practices of charities in the United Kingdom. The announcement follows the publication of an article in a UK newspaper highlighting the plight of Samuel Rae, an elderly man suffering from dementia. In 1994, Rae completed a survey, which resulted in a charity collecting his personal data. The charity, in turn, allegedly shared his contact details with other charities, data brokers and third parties. Over the years, some of those charities and third parties are reported to have sent Rae hundreds of unwanted items of mail, requesting donations and, in some cases, attempting to defraud him. The legal basis on which Rae’s details were shared remains unclear, although the ICO has noted that the distribution may have resulted from a simple failure to tick an “opt-out” box on the survey.

The APEC Cross-Border Privacy Rules (“CBPR”) system for information controllers received a significant boost during the recent APEC privacy meetings in the Philippines when APEC finalized a corollary certification scheme for information processors, the APEC Privacy Recognition for Processors (“PRP”). As we previously reported, the PRP allows information processors to demonstrate their ability to effectively implement an information controller’s privacy obligations related to the processing of personal information. In addition, the PRP enables information controllers to identify qualified and accountable processors, as well as assist small or medium-sized processors that are not widely known to gain visibility and credibility. Combined, the CBPR for controllers and PRP for processors now covers the entire information ecosystem, promising to motivate additional APEC economies to join both the CBPR and PRP systems, as well as incentivizing larger numbers of controllers and processors to seek certification.

On September 2, 2015, the French Data Protection Authority (“CNIL”) published the results of an Internet sweep of 54 websites visited by children and teenagers. The sweep was conducted in May 2015 to assess whether websites that are directed toward, frequently used by or popular among children comply with French data protection law. As we previously reported, the sweep was coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”). The CNIL and 28 other DPAs that are members of the GPEN participated in the coordinated online audit. A total of 1,494 websites and apps were audited around the world.