On December 8, 2020, the Supreme Court heard oral argument to consider the TCPA’s definition of an “automatic telephone dialer system” (ATDS) in Facebook, Inc. v. Duguid, Noah et al., Dkt. 19-511. The Supreme Court is tasked with interpreting the scope of liability under the TCPA, and its resolution may bring much-needed clarity to companies struggling with the meaning of that definition, particularly in light of a current split among circuits on the question and the D.C. Circuit’s 2018 decision, ACA International v. Federal Trade Commission, striking down the FCC’s own interpretation. Because the TCPA imposes significant statutory penalties for calling or sending text messages using an ATDS to cellphones in violation of the act, clarification of the meaning of an ATDS may help companies mitigate their risks and curtail potential TCPA class action lawsuits.
Many of the key policy debates that we expected to happen in 2020 seemed to be essentially frozen for the year as we all responded to the horrors of COVID and the seismic political shifts across the globe. So what does this new year hold for us? We hope for a return to normalcy as vaccinations spread across the globe, a new Administration takes the reins in DC, and the UK continues to negotiate the terms of a new relationship with the EU. Here are some of the key areas in privacy and data protection where we anticipate potential developments in 2021.
On Friday, December 4, 2020, H.R. 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, was signed into law. The bipartisan bill was sponsored by Senators Mark Warner (D-VA) and Cory Gardner (R-CO) in the Senate and Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) in the House. The new law will require IoT devices “owned or controlled” by the federal government to meet minimum security standards that address network vulnerabilities, and it may have significant implications for government contractors. It was introduced in response to a series of distributed denial of service (DDoS) attacks in 2016, in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, causing a severe disruption in commercial web services.
On November 30, 2020, the Supreme Court held oral argument in Van Buren v. United States to determine the scope of criminal liability under the Federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. 1030. The court’s decision may resolve a circuit split and have far-reaching implications for the scope of civil and criminal liability under the CFAA. The key point of dispute under the CFAA is whether a person “exceeds authorized access” of a computer (1) only by accessing the computer as an unauthorized person, or (2) more broadly by using the computer for unpermitted uses, even when otherwise permitted to access the computer. The First, Fifth, Seventh, and Eleventh Circuits have broadly interpreted “exceeds authorized access” to cover access that takes place for an improper purpose, whereas the Second, Fourth, and Ninth Circuits have narrowly interpreted unauthorized access to require a lack of any authorization. For example, under the broad interpretation in dispute before the Supreme Court, an employee who is authorized to access a work computer to carry out certain tasks for employment may still be liable under the CFAA if the employee uses the office computer to download confidential information for non-employment purposes.
On 17 December 2020, the UK Information Commissioner’s Office (ICO) published its new Data Sharing Code of Practice, as required under the Data Protection Act 2018 (DPA18).
The new Code provides practical guidance for controllers that share personal data with other controllers on how to ensure that data sharing complies with applicable data protection requirements. The new Code is a statutory code and updates the ICO’s previous data sharing code, which was published in 2011. The ICO has also instigated a new data sharing information hub which provides further support for organizations involved in data sharing.
Despite concerns expressed by regulators and privacy activists, the use of facial recognition technology appears to be on the rise and is becoming increasingly common in everyday life as a result of various issues.
One recent example of the use of such technology involves the Southern Cooperative, which has reportedly trialed certain facial recognition technology in a number of Co-op stores over the last few months. The technology, developed by Facewatch, notifies staff of the presence in stores of individuals with past records of “theft or anti-social behaviour” and apparently has been implemented to try to combat a recent significant increase in attacks on employees by shoplifters.
On November 3, 2020, Californians passed the ballot initiative for the California Privacy Rights Act (CPRA) with a 56% vote. As discussed earlier, the CPRA significantly expands upon the California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020, and whose regulations were approved on August 14, 2020, with a subsequent proposed amendment in October 2020.
Most CPRA provisions will take effect on January 1, 2023, but its new obligations will apply to any personal information collected from California residents on or after January 1, 2022, a little over one year from passage.
The California Attorney General’s office (OAG) recently released a third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. This comes on the heels of the second set of modifications the Office of Administrative Law (OAL) approved just two months ago. The third set of proposed modifications restores certain provisions the OAG had previously withdrawn from its draft regulations submitted to the OAL in July, as well as clarifies and adds illustrative examples to some provisions. Overall, the modifications do not significantly alter the CCPA regulatory landscape, and if accepted, are not likely to impact businesses greatly. Nonetheless, businesses should review the changes, which address the following topics, to confirm that they would not require any adjustment in business practice:
On 16 October 2020, in a long-awaited decision, the UK Information Commissioner’s Office (ICO) finally announced that it has fined British Airways (BA) £20 million for failing to protect the personal and financial details of over 400,000 customers. The ICO originally announced in July 2019 its intention to fine BA £183 million in respect of a security breach, meaning that the final amount of the fine was over 90% lower than the original suggested amount. Notwithstanding this, the BA fine is still the largest fine that the ICO has ever issued.
The Court of Justice of the European Union (CJEU) dealt a blow to transatlantic data flows in July with its decision in Schrems II, invalidating the EU-U.S. Privacy Shield while conditionally approving the continued use of Standard Contractual Clauses (SCC). In a white paper published late last month, the U.S. government responded to the CJEU’s critical appraisal of American intelligence agencies’ data-collection practices by identifying Schrems II’s shortcomings and offering guidance to companies seeking to comply with it. Schrems II is problematic in various ways, the multi-agency paper concludes, but with minor adjustments, most EU-U.S. digital dealings should be able to continue as before.