HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Cybersecurity & Data Breaches, Financial Privacy

SEC Issues New Interpretive Guidance on Cybersecurity Disclosures

On February 21, the Securities and Exchange Commission (SEC) published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. The Commission’s release follows shorter cybersecurity “disclosure guidance” issued in 2011 by the staff of the SEC’s Division of Corporation Finance. The new guidance was prompted by the agency’s concern over the increase in the risks and frequency of data breach incidents and other cyber-attacks affecting public companies. The Commission’s release addresses many of the matters raised in the staff’s guidance, while expanding the discussion to cover additional disclosure and compliance considerations.


Posted in Consumer Privacy

Hogan Lovells Represents Sears in Achieving First-Ever Modification to FTC Privacy Consent Order

The FTC has approved the first-ever petition to reopen and modify a privacy-related consent order.  The petition, filed by Sears Holdings Management Corporation, sought to amend the terms of Sears’ 2009 consent order (the “Order”), which settled allegations that Sears did not adequately disclose the extent to which desktop software it distributed collected information from consumers.  After reviewing Sears’ petition and public comments, the Commission agreed with Sears that, as a result of changes in the mobile application marketplace, the Order’s requirements as applied to Sears’ mobile apps were “burdensome and counterproductive, both for consumers and Sears.”  Hogan Lovells Partner Michelle Kisloff, Senior Associate Paul Otto, and Associate Joe Vladeck represented Sears in its petition.


Posted in International/EU Privacy

New Fee Charging Structure to Fund the UK Information Commissioner’s Office

The UK Government has announced a new three-tier charging structure for data controllers to ensure the continued funding of the Information Commissioner’s Office (ICO). The new structure will come into effect on 25 May 2018, to coincide with the GDPR coming into force.

Currently, organisations that are controllers of personal data are legally required to register details of their processing activities with the ICO and pay a notification fee of £35 or £500, unless they are exempt.

This two-tier structure will be replaced by a three-tier annual fee structure based on the relative risk to the data that an organisation processes.  This will be measured according to a number of factors, including size, turnover, and whether an organisation is a public authority or charity.


Posted in Consumer Privacy

Is Artificial Intelligence the Ultimate Test for Privacy?

Nothing challenges the effectiveness of data protection law like technological innovation. You think you have cracked a technology neutral framework and then along comes the next evolutionary step in the chain to rock the boat. It happened with the cloud. It happened with social media, with mobile, with online behavioural targeting and with the Internet of Things. And from the combination of all of that, artificial intelligence is emerging as the new testing ground. 21st century artificial intelligence relies on machine learning, and machine learning relies on…? You guessed it: Data. Artificial intelligence is essentially about problem solving and for that we need data, as much data as possible. Against this background, data privacy and cybersecurity legal frameworks around the world are attempting to shape the use of that data in a way that achieves the best of all worlds: progress and protection for individuals. Is that realistically achievable?


Posted in News & Events

Privacy and Cybersecurity March 2018 Events

Please join us for our March 2018 Privacy and Cybersecurity Events.

March 6
Standing Post-Spokeo
Hogan Lovells will host a webinar aimed at highlighting strategies companies can employ to defend against consumer, privacy, or data breach lawsuits in the post-Spokeo world. The speakers include Michelle Kisloff, Mark Brennan, Adam Cooke, and Alicia Paller.
Location: Washington, D.C.

March 6
Infosecurity Leadership Summit 2018
Eduardo Ustaran is leading a presentation entitled, “Lightening Talk Last Chance Saloon: Are You Ready & Prepared for EU GDPR?,” at the 5th Infosecurity Leadership Summit at the Savoy Hotel.
Location: London

March 21
Autonomous Vehicle Privacy
Tim Tobin will present on autonomous vehicle privacy and cybersecurity issues at an autonomous vehicle event at the University of Virginia Law School.
Location: Charlottesville, Virginia

Posted in International/EU Privacy

Russia: Main Takeaways from Roskomnadzor’s Open Doors Day

Recently, the Russian Data Privacy Authority (Roskomnadzor) organized an Open Doors Day in honor of the International Data Privacy Day. During the occasion, Roskomnadzor officers presented on the authority’s 2017 enforcement activities. They followed this presentation with an open question and answer period, during which they responded to numerous questions raised by attendees. We summarize the key takeaways below.


Posted in International/EU Privacy

European Commission and Article 29 Working Party Urge Respect for International Law in Data Cases

Territoriality will continue to be one of the most vexing problems for data regulation in 2018.  One aspect of this debate relates to whether a U.S. judge can compel the disclosure of personal data located in Europe without using international treaty mechanisms.  This issue is currently being considered by the United States Supreme Court in the case United States v. Microsoft.  The case involves the question of whether a U.S. statute relating to search warrants can be interpreted as extending to a search for data located outside the United States; in this case, the data is located in Ireland.  The U.S. Court of Appeals found that, in the absence of express wording in the statute relating to extraterritorial application, the statute should be interpreted as being limited to searches conducted within the territory of the United States.  The Supreme Court is currently reviewing the case.  In December, 2017, the European Commission filed an amicus brief urging the Supreme Court to give due consideration to the principles of international comity and territoriality when interpreting the U.S. statute.


Posted in International/EU Privacy

Misunderstandings, Panic and Priorities in the Year of the GDPR

It is finally here. This is the year of the GDPR. A journey that started with an ambitious policy paper about modernising data protection almost a decade ago – a decade! – is about to reach flying altitude. No more ‘in May next year this, in May next year that’. Our time has come. Given the amount of attention that the GDPR has received in recent times, data protection professionals are in high demand but we are ready. We knew this was coming and we have had years to prepare. However, even the most seasoned practitioners are at risk of being engulfed by the frantic fire-fighting mood out there. The hamster wheel of GDPR compliance is spinning faster and faster, but it is precisely now when we must look up, see the bigger picture and focus on getting the important things right.


Posted in News & Events

Privacy and Cybersecurity Upcoming 2018 Events

Please join us for our Upcoming 2018 Privacy and Cybersecurity Events.

February 1
Challenges for GDPR Implementation
Mark Brennan will moderate a panel on GDPR issues at the FCBA CLE: International Privacy: U.S. Perspectives on EU Privacy Frameworks.
Location: Washington, D.C.

February 21
Privacy, What Does That Look Like?
Joke Bodewits will participate in a speaking engagement on accountability at the Institute for International Research on GDPR countdown congress.
Location: Amsterdam

February 27
GDPR Challenges for Artificial Intelligence and Machine Learning
Eduardo Ustaran will speak on artificial intelligence, machine learning, and the GDPR at the International Privacy+Security Forum.
Location: Washington, D.C.

Posted in International/EU Privacy

Thinking Strategically About Brexit and Data Protection

To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those with responsibility for data protection compliance to make some crucial strategic decisions. To help with that process, here are some pointers about what we know and what we don’t know.
