Posted in EU Data Protection International Privacy Privacy and Data Security

UK: Commitment to introduce new Data Protection Bill in line with GDPR principles

Yesterday the UK Government set out its legislative programme for the next Parliamentary term, through the Queen’s Speech. Whilst Brexit will dominate the legislative agenda, data protection received special mention with a commitment to introduce a new Data Protection Bill.

The Bill will reiterate the UK’s commitment to implementation of the principles of privacy enshrined in the GDPR, regardless of Brexit. It will also add further clarity on how the UK intends to apply statutory controls to those areas of the GDPR where Member States have flexibility to develop complementary legal requirements or derogations.

The speech is an important message for anyone who may have had doubt about the UKs commitment to the GDPR after Brexit. It is a clear steer to UK business to get ready for the new privacy regime and a strong sign to any detractors, whether in Europe or the wider global community, that the UK remains focussed on maintaining a robustly regulated digital environment, at the forefront of emerging global standards.

Whilst we await with interest details of the specific regulatory controls within the Bill itself, this is a welcome message of clarity in otherwise uncertain political times.

Posted in Cybersecurity

EXECUTIVE ORDER ESCALATES CYBERSECURITY TO GREATER PRIORITY – Top Points About Critical Infrastructure

President Donald Trump recently signed an Executive Order on cybersecurity, “Strengthening the Cybersecurity Federal Networks and Critical Infrastructure.”  The EO is divided into sections on:

  • cybersecurity of federal networks
  • cybersecurity of critical infrastructure (CI) to support CI at greatest risk
  • cybersecurity risks to the defense industrial base
  • strategic options for deterrence and protection of the nation
  • international cooperation and
  • workforce development.

The EO escalates CI cybersecurity to a greater priority in federal policy, tasking cabinet-level departments and sector specific agencies with identifying and utilizing capabilities to support the cybersecurity risk management efforts of CI at greatest risk. It also addresses particular sectorial cybersecurity risks and capabilities concerning the communications and information technology sectors, the defense industrial base and the electricity subsector. Additionally, the EO contains an ambitious plan for updating and upgrading federal networks, which will ultimately be subject to Congressional oversight and appropriations. See the top points about the EO and its implications for businesses that are categorized as critical infrastructure.

Posted in Cybersecurity

NTIA Request for Comment on Resilience Against Botnets

President Trump recently issued Executive Order 13800 on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which included a section on Resilience Against Botnets and Other Automated, Distributed Threats.  The Executive Order requires the Departments of Commerce and Homeland Security to produce a report on Botnets based on industry and other stakeholder input.  As part of this effort, the Department of Commerce’s National Telecommunications and Information Administration (NTIA) issued a Request for Comment, which included seven broad questions about potential solutions and approaches to the challenge of automated, distributed attacks.  Comments are due by July 13, 2017.

NTIA has asked for input from all interested stakeholders – including private industry, academia, civil society, and other security experts – on ways to improve industry’s ability to reduce threats perpetuated by automated distributed attacks, such as botnets, and what role, if any, the U.S. Government should play in this area.  NTIA is particularly interested in how these attacks can be mitigated, and how the endpoint sources of these attacks, especially IoT devices, can be better secured.  NTIA asks:

  • What works in dealing with these attacks and what are the gaps in existing approaches? 
  • Are there incentives or other public policies that can drive change? 
  • How can solutions explicitly address the international aspects of the issue?

The Department of Commerce’s National Institute of Standards and Technology (NIST) has also announced a related cross-sector, participatory workshop to accompany the RFC on July 11-12.  The workshop titled Enhancing Resilience of the Internet and Communications Ecosystem will allow stakeholders to explore a range of current and emerging solutions to improve the resiliency of the Internet against automated, distributed threats.  NIST will produce a document summarizing the workshop, findings, and opportunities for next steps. 

The comments submitted to NTIA and the NIST workshop and summary document present an excellent opportunity for the private sector to weigh in on evolving Internet security policies as this public record will be used to inform implementation activities related to the Cybersecurity Executive Order.

Posted in Cybersecurity Privacy and Data Security

FTC Updates COPPA Guidance: Six-Step Compliance Plan for Your Business

Written by Michelle Anderson and Samantha Glazer

In a June 21, 2017 blog post, the FTC announced updates to its Six-Step Compliance Plan for Your Business under the Children’s Online Privacy Protection Act (COPPA). The revisions make clear that the FTC considers new business models (e.g., voice-activated devices) and products (e.g., connected toys) to be covered under COPPA. The changes also reflect two methods for obtaining parental consent that the FTC approved in the past few years: (1) asking knowledge-based authentication questions and (2) using the Face Match to Verified Photo Identification method.

In December 2013, the FTC approved use of knowledge-based authentication (KBA) questions as a verifiable parental consent (VPC) method. KBA involves the use of dynamic multiple-choice questions with a “reasonable” number of questions and an “adequate” number of possible answers to lower the probability of another individual guessing the correct answers. The level of difficulty of these questions should be such that a child 12 years or younger “could not reasonably ascertain the answers.”

In November 2015, the FTC approved the use of Face Match to Verified Photo Identification (FMVPI). This method involves a two-step process using facial recognition technology. The first step is for a parent to take a photo of his/her government issued identification using a phone’s camera or a webcam. The FMVPI system then verifies the authenticity and legitimacy of the identification document. Upon verification, the system prompts the parent to use the same phone camera or webcam to take a photo of his/her own face. The system then matches that photo with the verified government ID photo. If the photos match, consent is deemed given, and the identification information submitted by the parent should be deleted within five minutes.

 

 

Posted in EU Data Protection Uncategorized

Global reach of the GDPR: What is at stake?

This article was originally published in Privacy Laws & Business International Report, June 2017, www.privacylaws.com.

Written by Meredith Jankowski and Michelle Anderson

Companies that target EU residents must comply with the GDPR — even if they are not established in the EU.

In less than a year — on 25 May 2018 — the European Union (EU) General Data Protection Regulation (GDPR) will go into effect[1], replacing the current Data Protection Directive (the Directive).[2] Global companies and companies based in the EU are generally well-acquainted with the GDPR and are currently undertaking efforts to bring themselves into compliance within the next year. However, companies that are not established in the EU but that target EU residents should also be focusing on such compliance efforts.

Companies that are not established in the EU but that offer goods or services to EU data subjects or monitor the behaviour of EU data subjects are required to comply with the requirements of the GDPR. In this article, we explain the territorial scope of the GDPR, provide background and context on the territorial applicability of data protection law in Europe, and dis-cuss the unique requirement for companies not established in the EU to designate a representative.

WHEN THE GDPR APPLIES TO COMPANIES OUTSIDE THE EU

The broad territorial scope of the GDPR is enshrined in Article 3. Under Article 3, the GDPR applies to the processing of personal data of EU data subjects where:

  1. The controller or processor is established in the EU (even if the processing does not take place in the EU) or
  2. The controller or processor is not established in the EU but a) Offers goods or services to EU data subjects (irrespective of whether payment is required) or b) Monitors the behaviour of data subjects in the EU.

When a company is seeking to determine whether it offers goods or services to EU data subjects, the company must consider factors that would indicate that it envisages offering goods or services to EU data subjects. Such factors include the language it uses to offer goods or services to data subjects, the type of currency used in the offer of goods or services, and mention of customers or users in the EU.

Also, it should consider whether it tracks the online behaviour of EU data subjects, including whether it uses pro-filing techniques that analyse or predict the individual’s personal preferences, behaviours, or attitudes.

EXTRATERRITORIAL APPLICABILITY OF EU DP LAWS

The GDPR’s broad territorial applicability stems in part from Jurisdictional differences in implementing the Directive. The Directive — which currently governs the processing of personal data of EU data subjects — was adopted in 1995 to facilitate the free flow of personal data within the EU, while also ensuring that the fundamental rights of individuals, particularly the right to privacy, were safeguarded. Because it was a Directive, rather than a Regulation, each EU Member State implemented its own data protection law, which led to inconsistencies and fragmentation in the protections for personal data across the EU.

One way in which the Directive is inconsistent is how each jurisdiction determines when its data protection law applies. Under the Directive’s Article 4, the Directive applies to the processing of personal data where “the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State.” However, how to determine when a company is “established” in a particular country varies depending on each jurisdiction’s interpretation of the term “established,” meaning the analysis of when a country’s data protection law applies can vary by country.

The European Parliament and Council of the EU sought to patch such discrepancies by ensuring that under the GDPR the personal data of EU data subjects would be protected more consistently and broadly (i.e., not only by controllers or processors established in the EU). In Recitals 23 and 24, the Parliament and Council stated:

“In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment. The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.”

WHAT DO NON-EU COMPANIES NEED TO DO?

Comply with the GDPR broadly: In line with Article 3, companies that are not established in the EU, but that nonetheless target EU data subjects by offering them goods or services or by monitoring their behaviour, must comply with all of the GDPR’s provisions. This means that they are required to comply with the GDPR’s data breach notification requirement, appoint a Data Protection Officer, update their privacy notices, implement measures to address expanded individual rights, document the bases for their processing of personal data, and ensure that appropriate contractual provisions are in place with vendors, among many other obligations. While companies may opt to take a risk-based approach and not comply with the GDPR altogether (or only implement compliance measures that address certain requirements) they are nonetheless technically subject to the GDPR as to all EU personal data they receive, including to its heightened sanction provisions.

Select and appoint a representative: In addition to complying with the GDPR’s broad requirements, companies that are not established in the EU are subject to one additional and unique provision: under Article 27, except in certain circumstances, companies must designate in writing a representative in the EU.

A “representative” is defined in Article 4 as “a natural or legal person established in the [EU] who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under [the GDPR].” The GDPR’s requirements for representatives differ from those for Data Protection Officers: most notably, DPOs must perform duties such as advising on data protection impact assessments and monitoring compliance with the GDPR, but the GDPR assigns no substantive responsibilities to representatives. Rather, the requirement to appoint a representative appears to be more form than function. Under Article 27, the representative must be established in one of the EU Member States where the data subjects whose personal data the company processes are located. In addition, the company must appoint the representative without prejudice to legal actions that could be initiated against the company itself — and the representative must be subject to enforcement proceedings in the event of non-compliance by the company (i.e., both the company and the representative could be subject to enforcement proceedings). By focusing on form for the representative and function for the DPO, the GDPR seems to contemplate that the representative and DPO will be separate persons.

One potential area of overlap between representatives and DPOs, however, appears in Article 27, which says that the representative must serve as the contact point for all issues related to the company’s processing of personal data under the GDPR, including as a contact point for supervisory authorities. This is similar to requirements in various Articles that the DPO be listed as a company’s point of contact (see Article 14) and interface with supervisory authorities (see Article 39). These points suggest that companies may want to consider having the representative and the DPO be the same person, to ensure a consistent point of contact.

A representative is not required when a company’s processing of EU personal data is (1) “occasional,” (2) does not include large-scale processing of special categories of personal data or personal data relating to criminal convictions and offences, and (3) is unlikely to result in a risk to the rights and freedoms of natural persons. The GDPR’s wording is vague, and thus far no regulators have offered guidance as to what is considered “occasional” processing, but this exception likely means that companies that do not target EU data subjects are not required to designate a representative. For example, a company that has one global marketing website (e.g., www.company.com) that is accessible by EU data subjects but does not specifically direct goods or services to EU data subjects (e.g., does not have country-specific websites such as www.company.fr) and whose customer base is 98 percent from the United States and only 2 percent from Europe may not be required to designate a representative.

Consider these key points: A company that is not established in the EU but that offers goods or services to, and/or monitors the behaviour of, EU data subjects must therefore consider the following:

  • The best jurisdiction for its representative, which may be the jurisdiction in which it has the most EU data subjects, where it focuses its targeting of EU data subjects, or where it conducts the most extensive monitoring;
  • The person that would be the most appropriate EU-facing representative for the company, considering the person’s understanding of data protection laws, legal or compliance background, and experience inter-facing with regulatory authorities;
  • If that person is not a company employee but a third party, the appropriate contractual arrangement for engaging a third party to serve as the company’s representative;
  • Whether the company will or should appoint a DPO and, if so, who the company has identified as the DPO; and
  • The company’s potential liabilities in the EU.

REFERENCES

[1]  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (L 119/1, 4.5.2016), available at eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2 016.119.01.0001.01.ENG&toc=OJ L: 2016:119;TOC
[2]  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of Individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995), available at eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L 0046

Posted in Internet of Things US Federal Law

IOT Devices: Just Hardware or FCC Powder Keg?

Written by Eric W. DeSilva and Michael A. Lewis

With the meteoric proliferation of “Internet of Things” (IOT) devices, there are an increasing number of innovators and inventors bringing “smart” products to market that capitalize on connectivity in ways never before imagined. While a great deal of resources are typically applied to research and development, marketing, production, distribution and customer awareness, the essence of most IOT devices is wireless communications so attention must be given to the Federal Communications Commission (FCC) regulations on radio emissions.  Each year the FCC levies tens of millions of dollars in penalties for violations of its rules—rules that encompass activities and devices in ways that may not be immediately obvious.  We have set forth some basic guidelines to help start-ups, investors, and even established manufacturers make sense of the FCC’s requirements.

Without further ado, ten things the FCC cares about:

Things that intentionally emit radiofrequency (“RF”) energy.  This may seem obvious, but the FCC regulates devices that use RF intentionally, such as cellphones, walkie-talkies, and Wi-Fi, Bluetooth and Zigbee transmitters.  Such devices must comply with the FCC’s equipment authorization procedures that ensure that the device conforms with specified technical standards that help limit the potential for interference to other spectrum users.  Compliance with the FCC’s equipment authorization rules is most often demonstrated by a permanent label affixed to the device showing the FCC’s mark and the products FCC identifying number.

Things that unintentionally emit RF.  It’s fairly obvious that the FCC would have jurisdiction over the manufacture and marketing of wireless communications devices.  Less obvious is its authority to control the importation and marketing of devices that emit RF energy unintentionally.  Nearly all devices with digital componentry are implicated – computing devices, smart appliances, video monitors, power supplies, and similar products.  These devices must be tested by an accredited test lab facility to ensure compliance with applicable technical standards before they can be imported and marketed in the United States.

Things that incidentally emit RF.  There’s even a third category of devices that fall within the FCC’s purview.  Incidental radiators include devices that are not designed to intentionally use, generate or emit RF energy over 9 kHz.  Devices  such as AC motors and fluorescent lighting are exempt from FCC test requirements but manufacturers must still use good engineering practices to limit, to the extent possible, the interference effects from such devices.

Importation of RF devices.  While it is tempting to assume that someone else in the supply chain has ensured conformity with the FCC’s rules, companies need to be proactive regarding FCC compliance when importing radio products.  With only very limited exceptions, the FCC rules require that devices brought into the U.S. have appropriate FCC equipment approvals.  Failure to do so may result in critical components being seized at the border.  Even if the products are not stuck in a customs warehouse–with the amount of offshore manufacturing that is done today, there may be instances where products without appropriate approvals are delivered in the U.S. and escape customs notice–the subsequent sale of those devices in the U.S. will violate FCC regulations and may subject the seller to fines.

Modification of OEM RF devices (triggering new approvals).  Even where a company has obtained an equipment authorization from the FCC, appropriate attention has to be paid to the evolution of the product over time, since certain changes can require the manufacturer or seller to obtain a new authorization.  As a rule of thumb, changes that alter the physics of the RF emissions should be carefully reviewed under the FCC’s rules, as they often trigger the need to seek new approvals.  Complicating matters even further is the practice of integrating components that have received their equipment authorization as stand-alone modules.  The final assembled product may have its own testing and labeling requirements even though it is comprised of approved parts.

Marketing of RF devices.  Today, speed to market often means that companies would like to pre-market products—whether to support a crowd-funding initiative or as a means to capture market share.  In general, however, the FCC greatly restricts the marketing of RF devices before they complete the approval process.  The FCC has been known to walk the floors at trade shows to inspect whether new products are being displayed to potential customers impermissibly prior to receiving proper approvals.

Experimenting with RF devices.  Development of new products invariably requires experimentation, and when that experimentation involves radiation of radio energy, an FCC license is typically required.  While the FCC generally freely grants experimental licenses for private testing, the experimental rules impose added limitations on what can be done with experimental products when it comes to market tests and trials, which require special authorizations.

Spectrum compatibility.  Most innovators today would like to capitalize on a global product market, but RF regulations differ from country to country.  That being said, there are radio bands that are more or less standardized from region to region, and considering global regulatory issues at the initial stages of product development may save headaches down the road.  With its global telecommunications capabilities, DLA Piper’s telecom practice is able to assist with international compatibility and market entry surveys.

Transfer of RF manufacturing assets.  Whether you are an investor looking to fund a IOT venture, a business acquiring a start-up, or an innovator looking for equity backers, FCC regulated companies require special considerations.  To the extent a company has licenses, FCC consent or notice may be required—in some cases prior to closing—for transactions that involve transfers of control or assignment of assets.  In addition, FCC regulated companies implicate specialized due diligence in transactional scenarios.

Devices that create networks. As a final matter, even if the RF components of a device are not FCC regulated—or are FCC regulated but the company taken appropriate actions—the FCC might be implicated in other ways.  Specifically, in addition to regulating radio, the FCC also regulates telecommunications—communications networks and network providers.  This becomes important because if IOT or connected products are sold bundled with communications capabilities acquired from third parties, the seller may be subjecting itself to regulation as a carrier—that may result in the need to obtain special authorizations, to pay into carrier-funded social programs like the Universal Service Fund, or other regulations.

Posted in EU Data Protection International Privacy New Privacy Laws Privacy and Data Security

AUSTRALIA: Increased focus on global privacy and data protection for Australian organizations

By GSC Marketing

Authors: Sinead Lynch and Jessica Noakesmith

Regulators around the world are, and will be, taking a much closer look at rules on the protection of individual personal data and the security of their citizen’s information. The onslaught of the new and arduous General Data Protection Regulation (GDPR) regime in Europe, the recent ‘protectionist’ changes to the PRC Cybersecurity Laws in China on 1 June 2017, anticipated changes in Singapore’s data privacy regime, as well as rumblings from other Asia-Pac countries in this area, all confirm that these are issues where national regulators are sitting up and taking action. Recent cyber events, including the much-reported ‘Wannacry’ cyber-attack, add to global unrest in this area.

Traditionally to date, Australia has adopted a more transparent and conciliatory approach to privacy and security. However, this is a position that is likely to face challenge now in light of international developments in this area. The introduction in Australia of the long awaited new mandatory Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB) in February 2017 commencing from, at the latest, February 2018, as well as the Government’s budget confirmation of the Productivity Commission’s new law on personal data sharing and release go some way to support Australia’s renewed focus in this area.

The Office of the Australian Information Commissioner (OAIC) has also just released their updated resource, General Data Protection Regulation Guidance for Australian Businesses (the Guide) to confirm that Australian businesses should, as a matter of priority, review the extent of their compliance obligations under the GDPR and take steps now to ensure their handling practices comply, prior to its commencement from 25 May 2018. At a conference hosted last month by the OAIC, the Privacy Commissioner, Timothy Pilgrim, expressly underlined the importance of GDPR for Australian businesses, and advised that the OAIC will be taking a closer look at compliance in this area.

Therefore, to the extent that an Australian company handles or processes EU individual data in the course of its operations and this processing falls within the scope of the extra-territorial reach of the GDPR (as described further below), this company will be required to comply with the onerous requirements of GDPR and may be subject to its sanctions.

The Guide

The Guide confirms that Australian businesses “of any size” may need to comply with the GDPR if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

The guide helpfully compares the GDPR and Privacy Act 1988 (Cth) principles in an easy to read comparison table. Certain similarities are highlighted and both laws contain a shared focus on fostering transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected.

However, there are notable differences in the GDPR. In addition to the myriad of broadly defined terms and wide scope of personal data, there are enhanced rights for individuals to their data, data portability obligations, a right “to be forgotten”, enhanced consent requirements and a 72 hour mandatory data breach requirement in certain cases, not to mention the unwieldly fines and sanctions.

While some Australian businesses may already have certain measures in place that will be required under the GDPR, the Guide recommends that all organizations should begin taking steps to evaluate their information handling practices and governance structures, seeking legal advice where necessary, to implement the necessary changes well before commencement of the GDPR.

We take a closer look here at the GDPR and its implication for Australian businesses processing EU personal data / global organizations operating in Australia with the required relationship to the EU, who handle personal information of EU/UK citizens.

So, what is GDPR?

You will no doubt have read multitudes of reports and analysis on this new legislation and what it may mean for both European and global organizations. In brief, the GDPR is a wide-ranging piece of (directly applicable) privacy legislation recently adopted by the EU institutions, which mandates a significant rise in personal data protection compliance obligations for all organizations coming within its reach – both inside and outside the EU.

Notably, due to its new extra-territorial effect, a large number of global organizations operating across borders who were not previously caught by the existing regime will be affected. This will also be directly applicable in the UK for a period, despite Brexit considerations. It is widely accepted that the same / a similar regime will apply in the UK post-separation.

The GDPR was adopted on 26 April 2016 and is due to come into effect on 25 May 2018. As the legislation took over five years of intense lobbying and debate (inside & outside the EU) prior to its adoption, there are a number of interpretative issues and unanswered questions (including extra-territorial issues). Although only less than a year to go, guidance to date has been relatively sporadic from the EU.

Why is GDPR so important?

There are some key reasons:

  • The significantly increased fines for personal data breach for all organizations caught by GDPR (of up to €10-20mil or 2-4% of global annual group turnover) means that it is a group board-level issue for many organizations. Non-compliance in even smaller companies in a group may lead to significant ramifications where GDPR applies to that group / company within the group
  • A host of new obligations on data controllers and data processors (for the first time) are introduced, which include enhanced rights for individuals to their data, data portability obligations, the right to be forgotten, enhanced consent requirements to name only a few
  • Underpinning the GDPR are ‘accountability’ and ‘transparency’ obligations which require a holistic approach to be taken to privacy compliance – around the world. Getting prepared may require internal re-organization of each group member business activities and procedures – on a wholesale group basis
  • Even where a group / company may not currently fall within the scope of GDPR, continuous review and re-organization may still be required so as to avoid company activities falling under its scope in the future
  • A group / company’s partners and third party suppliers and customers may be caught by the GDPR and additional compliance requirements / contractual obligations on companies may be forthcoming from such organizations
  • Fundamentally, protecting the reputation and brand of the wider group where any breach or suspected data breach / security / information governance issues arise remains an ever-present and key driver

Why does GDPR concern Australian operations?

In determining whether activities fall within its geographical reach, the GDPR considers not only the location of where information is being processed (as was the case under the old EU Data Protection Directive), but now also the location of the individual whose data is being processed.

Under the existing regime, non-EU businesses only fall within the scope of the Directive if processing took place using equipment in the EU (e.g., using servers/ employees located in the EU). This will no longer be the test, and the ambit of the GDPR seeks to capture all processing of EU individual data, regardless of where such processing takes place.

The GDPR will apply to any Australian business who processes personal data:

  • “In the context of the activities of an establishment of any organization in the EU”
  • “Of EU individuals where the processing activities relate to the:
    • Offering of goods or services to individuals in the EU (including where no payment is required); or
    • Monitoring the behavior of individuals in the EU (where such behavior takes place in the EU)”

Both “personal data” and “processing” under GDPR are broadly interpreted and go much further than the analogous definitions of “personal information” and “handling” under the Privacy Act /APPs in Australia.

A review of your existing use, handling and processing of EU individual personal data and the targeting of services outside of Australia to the EU is recommended. Reviewing both existing and anticipated data flows (e.g., which may arise as a result of group company acquisitions, disposals or new third party contracts) is also recommended.

Referencing specific GDPR recitals, the OAIC provides some examples of GDPR application on Australian businesses that may fall under this test in its recently published Guide .

To determine if GDPR impacts your business, the fundamental question to ask at the outset is “Do you target EU individuals or organizations and if so, what percentage of personal information is processed related to such activities?” If you are likely to be at risk, the time to act to ensure compliance is now.

Enforceability?

This extra-territorial effect of GDPR has been well publicized (and criticized) and organizations outside of the EU are now taking stock to review their privacy compliance obligations.

While there are still question marks over the practical enforceability of the GDPR regime and its sanctions outside of the EU (with ongoing discussion of extra-territorial cooperation agreements with EU supervisory authorities), the OAIC has confirmed that it will continue to use its enforcement powers under the Australian Privacy Principles (APPs) where a privacy breach arises.

It has also recently confirmed that it is committed to internationally coordinated approaches to privacy regulation, recognizing that APP entities carry on their business globally and that personal information is regularly disclosed, handled and stored overseas. The OAIC also participates in several international forums and arrangements to promote best privacy practice internationally, address emerging privacy issues in Australia and cooperate on cross-border privacy regulation and enforcement matters.

As such, if an Australian business is found to contravene the GDPR in respect of data / security breach (for example) this may be sufficient to bring it to the attention of the OAIC, who may take action under the APPs in respect of that data / security breach (without prejudice to any EU enforcement capability).

While we have yet to see the full impact that GDPR will have on non-EU businesses, for market-leading organizations operating in Australia, reviewing your privacy compliance obligations with the GDPR will be crucial to ensure the protection of your reputation and brand and to minimize any risks of exposure to exponential fines and sanctions for breach.

As the Privacy Commissioner has confirmed, privacy and data protection is an area that is likely to see further change in the coming years for Australian companies. This is one area where organizations can get ahead of the game by applying additional measures under the GDPR (even where not mandatory / required) to enhance privacy practices, engage consumer trust and ensure consistent internal privacy practices, procedures and systems across all businesses.

We are currently completing GDPR gap analysis, data flow mapping and risk compliance audits for our clients and would be delighted to answer any questions you may have on this area and on whether GDPR is likely to impact your business in Australia.

Please see our resources which include key requirements and some practical tasks for implementation which can assist you to understand and comply with this new and significant impending legislation.

Posted in Uncategorized

Breach of Credit Card Numbers and CVV Numbers

Written by Anne Kierig and Jim Halpert

In a move that affects businesses that suffer breaches of credit card data, 15 State Attorneys General took the position in a letter released Monday that a data breach of state resident name plus payment card number alone without acquisition of the card’s CVV number is “personal information” sufficient to trigger a notification obligation in their states.  This clarification by the 15 state AGs may affect the way companies secure financial account number data.

In the letter to Aptos, Inc., in response to a “FAQ” circulated by the company, the AGs of New York, Connecticut, Colorado, Pennsylvania, Virginia, Mississippi, Illinois, North Carolina, Kentucky, Oregon, Iowa, Arkansas, Washington, Maryland, and Minnesota wrote that Aptos was incorrect in its view that “there is no obligation to notify in those states – ‘the account number plus CVV’ states – if your customers’ CVV data was not exposed”. The AGs clarified unequivocally, “The CVV number does not have to be disclosed to trigger our states’ notification obligations.”

As an example, the Attorneys General cited New York data breach law, which provides for notice when personal information plus an “account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account” is acquired by a unauthorized third party.[1]  The AGs stated, “A CVV code is not ‘any required security code’ because a credit card owner, and thus an identity thief, can use a credit card without it.”  While this is typically not true of remote transactions in the U.S., the AGs provided examples of several popular websites that they say do not require a CVV to make a purchase.

Many businesses have held the view that identity theft or fraud could not occur absent acquisition of the credit card number and the CVV.  Accordingly, if the CVV was not acquired, they had thought a notification obligation would not be triggered.  Companies expend substantial resources securing personal information that could potentially cause harm if acquired by a bad actor.  The AGs’ letter may change the way companies protect payment card data elements without CCV code with regard to customers in these 15 states and elsewhere.

 

 

[1] N.Y. Gen. Bus. Law § 899-aa(1)(b)(3) (emphasis added).  The fourteen other states whose AGs signed the letter have virtually identical language in their data breach statutes.

LexBlog