InfoBytes Blog

Financial Services Law Insights and Observations

  • Statement of the Article 29 Working Party Regarding Schrems EU Court Decision

    Privacy, Cyber Risk & Data Security

    On October 16, the Article 29 Working Party (Working Party) released a statement regarding the October 6 Court of Justice of the European Union’s decision to invalidate the adequacy of the U.S.-EU data protection Safe Harbor framework. The EU Court recently declared that the Safe Harbor Framework fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.” In response to the EU Court’s decision, the Working Party provided the following guidance on the implementation of the judgment: (i) a broad analysis of third country domestic laws and international commitments must be applied when determining if data transfers meet adequacy standards; and (ii) Member States and European institutions should hold open discussions with U.S. authorities to “find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights.” The Working Party noted that it will continue to monitor the Irish High Court for developments concerning the Schrems opinion, but that “[i]f by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.”

    Privacy/Cyber Risk & Data Security

  • Illinois to Host Cyber Risk and Security Conferences; CSBS to Co-host

    Privacy, Cyber Risk & Data Security

    On October 14, the Illinois Division of Banking announced that it would host two Cyber Risk and Security Conferences on November 9 and November 16. With the growing number of threats to financial data systems, cyber and data security has become a top concern for regulators in the financial industry. Topics to be addressed at the conferences include: (i) current cyber threats; (ii) bank and credit unions’ cyber preparedness and response to threats; and (iii) existing trends and the globalization of cyber crimes. The CSBS will co-host the conferences.

    CSBS Privacy/Cyber Risk & Data Security

  • FTC Releases Agenda for Start with Security Conference

    Privacy, Cyber Risk & Data Security

    On October 14, the FTC announced the agenda for its Start with Security conference, scheduled to take place on November 5 in Austin, TX. The conference is intended to provide companies, particularly start-ups and developers, with tips for implementing effective data security. The event will host the following four panels: (i) Starting up Security - Building a Security Culture; (ii) Scaling Security - Adapting Security Testing for DevOps and Hyper-growth; (iii) Third-party AppSec - Dealing with Bugs, Bug Reports, and Third-party Code; and (iv) Beyond Bugs - Embracing Security Features.

    FTC Privacy/Cyber Risk & Data Security

  • DOJ Disables Malware Designed for Bank-Theft; Unseals Indictment Against Botnet Administrator

    Privacy, Cyber Risk & Data Security

    On October 13, the DOJ unsealed an indictment against a Moldovan citizen for his alleged involvement in a criminal conspiracy to steal confidential financial information by distributing malware through phishing emails. According to the indictment, the Defendant and his co-conspirators infected computers with malware designed to circumvent anti-virus protections and steal confidential personal and financial information from victims. The confidential information, such as online banking credentials, was used to “falsely represent to banks that the defendant and co-conspirators were the victims or employees of the victims with authority to access the victims’ bank accounts.” The investigation found that an estimated $10 million loss in the U.S. alone can be attributed to the Defendant’s scheme.

    DOJ Enforcement Privacy/Cyber Risk & Data Security

  • California Governor Signs Law Amending Civil Code Privacy Provisions

    Privacy, Cyber Risk & Data Security

    On October 6, Governor Jerry Brown (D-CA) signed into law AB 964/Chapter 522, which, among other things, defines “encrypted” as it pertains to data breach notification requirements for business and public agencies. Current California law provides that when a business’s security system or data is breached, the business must disclose the breach to “any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Effective January 1, 2016, the bill – for the purpose of data breach notification requirements – defines “encrypted” as “unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information technology.”

    Privacy/Cyber Risk & Data Security

  • Special Alert: Cross-Border Data Transfers Significantly Impacted by EU Court Decision Invalidating Adequacy of U.S.-EU Data Protection Safe Harbor Framework

    Privacy, Cyber Risk & Data Security

    On October 6, the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (“Schrems”) declared “invalid” a decision of the European Commission that the United States-European Union Safe Harbor framework (Safe Harbor) provides adequate protection for personal data transferred from the European Union (EU) to the United States (U.S.). Thousands of U.S. companies have registered with the U.S. Department of Commerce in order to permit the transfer of personal data from the EU to the U.S.

    The EU’s 1995 Data Protection Directive (Directive) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the Commission of the European Communities, U.S. companies participating in Safe Harbor have been deemed to meet adequacy standards. Advocate General (AG) Yves Bot of the CJEU issued an opinion in September (“AG Opinion”) calling that 2000 decision invalid. AG Bot’s opinion declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union” because that framework, in AG Bot’s view, contains holes that can allow access to Europeans’ personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies. AG Bot stated his belief that, even with an adequacy decision, national Data Protection Authorities retain the power to assess the sufficiency of national data protection regimes outside the EU to which personal data will be transferred.

    In Schrems, the CJEU, shortly following the AG Opinion, considered the following two questions:

    1. Are national DPAs bound by adequacy findings of the European Commission with regard to the transfer of personal data to a third country outside the EU?
    2. May or must a national DPA conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision if a complaint from a data subject regarding the transfer is received?

    In responding to the two questions, the CJEU largely agreed with AG Bot’s opinion, though in language more temperate than the Bot opinion. The CJEU opinion states that:


    a decision adopted pursuant to Article 25(6) of [the Data Protection Directive], such as [the decision on adequacy for the Safe Harbor framework], by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.


    The CJEU found that the “term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of [the Data Protection Directive] read in the light of the Charter.” In light of well-publicized revelations regarding intelligence gathering by U.S. government agencies and that some of that intelligence gathering involved information transferred by companies from Europe to the U.S., the CJEU found that adequate protections for personal data could not be “ensured” in the U.S. for personal data transferred under Safe Harbor.

    Negotiations are underway for a new Safe Harbor. The Obama Administration stated that it is “deeply disappointed” with the CJEU decision, with Commerce Secretary Pritzker noting that the decision “creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.”

    Impact to Clients

    Business entities currently relying on Safe Harbor as a transfer mechanism for personal information will need to evaluate alternative transfer mechanisms. Model contracts (contracts containing standard contractual clauses approved by the European Commission) are a viable alternative; however, multiple contracts may be required to effectively cover all of the transfers addressed by a single Safe Harbor certification. While data subject consent is another option, businesses should be aware that Data Protection Authorities and the Article 29 Working Party (which provides guidance on implementing EU Data Protection requirements) generally do not approve of consent as a transfer mechanism for large-volume or repeated transfers of EU-sourced personal information. Binding Corporate Rules (BCRs) may provide a longer-term option, but their scope of implementation and requirement for national DPA approval make them impractical as an immediate solution.

    While the consensus appears to be that there will be some grace period for business entities to adjust to the ruling, those individuals responsible for compliance with privacy and data protection requirements should move swiftly toward an acceptable method for moving personally identifiable information from the EU to the U.S.


    * * *


    Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.


    FTC Privacy/Cyber Risk & Data Security

  • European Court of Justice Ruling on Validity of U.S.-EU Data Sharing Agreement Scheduled for October 6

    Privacy, Cyber Risk & Data Security

    Following up on an opinion issued on September 23 by the European Court of Justice Advocate General Yves Bot, the European Court of Justice is scheduled to issue its ruling on the validity of the U.S.-EU Safe Harbor Program on October 6. The High Court’s swift decision to issue judgment follows an opinion from the Advocate General advocating that the 2000 data sharing agreement between the U.S. and the European Union is invalid and inadequately protects Europeans’ personal data. Previous InfoBytes coverage can be seen here. The case is Schrems v. Data Protection Commissioner.

    Data Collection / Aggregation Privacy/Cyber Risk & Data Security

  • DOJ Assistant Attorney General Stresses Public-Private Cooperation In the Event of a Cyber Breach

    Privacy, Cyber Risk & Data Security

    On September 30, U.S. Assistant Attorney General John Carlin delivered remarks at the 2015 Cybersecurity Summit hosted jointly by the U.S. Chamber of Commerce and the American Gaming Association. In his remarks, Carlin highlighted a variety of “tools,” including the use of sanctions, the DOJ may employ on individuals or entities that engage in malicious cyber-enabled activities against the U.S. Notably, Carlin discussed certain advantages for increased collaboration among the private sector and government to share information and best practices “to help defend against or disrupt [cyber] attacks before they happen or in real time,” adding that “law enforcement can also enlist the assistance of international partners to help retrieve stolen data or identify a perpetrator.” Concluding his remarks, Carlin urged companies to adopt a strong cybersecurity risk management program.

    DOJ Risk Management Privacy/Cyber Risk & Data Security

  • European Union Advocate General Calls For High Court to Rule U.S.-EU Data Sharing Program Invalid

    Privacy, Cyber Risk & Data Security

    In an opinion that has the potential to seriously disrupt how U.S. companies can share data from Europe, on September 23, Advocate General (AG) Yves Bot of the Court of Justice of the European Union (CJEU) declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.” This is because that framework, in AG Bot’s view, contains holes that can allow access to Europeans’ personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies.

    The EU’s 1995 Data Protection Directive (“Directive”) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the European Commission, U.S. companies participating in the U.S.-EU Safe Harbor Framework for personal data protection have been deemed to be compliant with that requirement. AG Bot’s opinion, however, calls that 2000 decision invalid. “To my mind, the existence of a [Commission] decision” on the sufficiency of a country’s personal data protection regime “cannot eliminate or even reduce” the powers of each EU member state’s Data Protection Authority, under Article 28 of the Directive, to independently assess the sufficiency of that country’s personal data protection regime. This opinion thus turns the power back over to individual EU countries to assess U.S. companies’ personal data protections, potentially leading to a fractured and technologically daunting state of digital commerce in Europe.

    Negotiations are underway for a new U.S.-EU Safe Harbor Framework, but if AG Bot’s opinion is followed, no Framework would prevent country-by-country determinations of the sufficiency of a U.S. company’s personal data protections.

    Data Collection / Aggregation Privacy/Cyber Risk & Data Security

  • SEC Penalizes Investment Adviser over Inadequate Cyber-Risk Program Prior to Data Breach

    Privacy, Cyber Risk & Data Security

    On September 22, the SEC ordered a Missouri-based investment adviser to pay a $75,000 penalty, settling allegations that the investment adviser failed to implement required written cybersecurity policies and procedures prior to a data breach affecting the firm’s clients. According to the SEC, in July 2013, the investment adviser’s third-party-hosted web server was hacked by a then-unknown source, compromising the personally identifiable information of more than 100,000 individuals. Subsequent investigations determined that the breach originated in China, and, to date, the firm’s clients have suffered no financial injury. In addition to the $75,000 penalty, the firm was censured and agreed to cease and desist from committing or causing any future violations of the Safeguards Rule.

    To coincide with the announcement, the SEC also issued an Investor Alert, “Identity Theft, Data Breaches, and Your Investment Accounts,” which provides actions retail investors can take to protect their investment accounts in the event of a data breach or identity theft.

    SEC Privacy/Cyber Risk & Data Security China
