Tune in to the first episode of Ropes & Gray’s new podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series will focus on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments
On January 28 we celebrate Data Protection Day, the anniversary of the Council of Europe’s Convention 108, the first legally binding international law on data protection, which was signed on January 28, 1981. Data Protection Day is a chance for us to raise awareness about data protection and privacy, reflect on the progress made over
We’ve been closely watching the evolution of telemarketing laws since the Supreme Court’s 2021 decision in Facebook v. Duguid, which held that most modern dialing systems are not autodialers—or “automated telephone dialing systems” under the Telephone Consumer Protection Act (TCPA). The Facebook decision led to a flurry of legislative activity at both the state and federal levels. Florida and Oklahoma enacted state-level statutes that have been interpreted to cover modern dialing systems, and Georgia, Washington, Michigan and other states have considered similar legislation. At the federal level, a new bill was proposed in July 2022 that would have amended the TCPA to cover 21st century dialing technologies—not just those using a random or sequential number generator. The federal bill has not made any meaningful progress, but a recent request from FCC Chairwoman Jessica Rosenworcel may prompt the legislature to act.
It’s that time of year again—time to deck the firewalls and leave session cookies for Santa. We are rolling out another season of the 12 Days of Data.
Over the next twelve business days, we will be roasting data chestnuts on an open fire while visions of pixels dance in our heads, as we close
If 2022 has been any indication, the innovations of Web3—the developing, largely decentralized, autonomous internet, enabled by technologies such as blockchain, smart contracts, decentralized autonomous organizations (DAOs), and digital assets—will lead to an era of rethinking the ways that privacy, cybersecurity, and consumer protection are regulated for these technologies. Proponents of Web3 argue that Web3 will promote individual data ownership, transparency, and freedom, but over the last few years, lawmakers have struggled to keep up with the rapidly changing nature of the Web3 space and force the new technology to fit within the existing legal framework.
This year, however, authorities have called for a more harmonized approach to Web3 regulation. Several recent developments—including Executive Orders from President Biden and California Governor Gavin Newsom, invocation of a long-dormant statutory provision by the Consumer Financial Protection Bureau (CFPB), and proposed amendments to the Cybersecurity Information Sharing Act—have signaled that lawmakers and regulators are prioritizing new approaches to privacy, cybersecurity, and consumer protection in an attempt to regulate Web3.
On June 24, 2022, the U.S. Supreme Court issued its ruling in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and holding that there is no constitutionally protected right to abortion. The significance of the decision cannot be overstated. Dobbs not only rolled back the Court’s prior protection of reproductive rights, it also raised still-unanswered questions about the privacy of digital data and could lead to the overturning of other previous Court opinions that are similarly grounded in privacy interests. In sparking such questions, Dobbs appears to have reinvigorated a national conversation regarding the protection of personal information and, more generally, the need for stronger data privacy safeguards in the United States.
Continue Reading Four Months after Dobbs, Privacy Concerns Remain in the Spotlight
On October 5, 2022, Joe Sullivan, Uber’s former Chief Security Officer, was convicted of “obstruction of the proceedings of the Federal Trade Commission and misprision of felony in connection with the attempted cover-up of a 2016 hack at Uber.” He faces up to eight years in prison. The conviction marks the first time that an individual company executive has faced criminal charges related to an information security breach.
While this conviction could be viewed as a slippery slope toward more cases—both civil and criminal—where Chief Security Officers or Chief Information Security Officers are found personally liable for company data breaches that happen on their watch, Sullivan’s actions went beyond simple failure to stop a breach or even failure to report it. As the prosecutor in the case, US Attorney Stephanie Hinds explained, “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being caught. We will not tolerate the concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.” By bringing these charges the government was sending a message that it views companies as responsible for the data they collect from consumers and expects those companies to be transparent and honest when dealing with a known data breach.
Continue Reading Former Chief Security Officer of Uber Convicted for Mishandling 2016 Data Breach
On 7 October 2022, the White House issued an Executive Order, as well as an accompanying Fact Sheet, which sets out the foundations for the Transatlantic Data Privacy Framework (“Framework”).
Since the decision of the Court of Justice of the European Uon (“CJEU”) in the Schrems II case in mid-2020, organizations have not
Last week, a group of U.S. House of Representatives Democrats introduced the RoboText Scam Prevention Act (“RSPA”). If passed, the bill would amend the Telephone Consumer Protection Act (“TCPA”). As predicted in the wake of the Supreme Court’s decision in Facebook v. Duguid, the RSPA is Congress’s attempt to clarify the TCPA by proposing modernizations that would address 21st century dialing technologies that were not in place when the law was first passed, but the bill’s broad definitions could create more confusion than clarity if it is passed without further changes.
Continue Reading Newly-Proposed TCPA Amendment Could Lead to Expansive Coverage
At a meeting of the California Privacy Protection Agency (“CPPA”) on June 8, we learned additional information about the initial batch of proposed regulations (“Proposed Regulations”) to the California Privacy Rights Act (“CPRA”) that were published on May 27. The Proposed Regulations keep much of the pre-existing California Consumer Privacy Act (“CCPA”) regulations but modify and add some key provisions. Because the CPRA was drafted as an amendment to the CCPA, the Proposed Regulations reference the CCPA (as amended by the CPRA). The Proposed Regulations focus on data subject rights, contractual requirements, and obligations related to disclosures, notices, and consents. Additional proposals will cover cybersecurity audits, privacy risk assessments, and automated decision making, among other areas. While we expect significant changes as the Proposed Regulations proceed through the formal rulemaking process, which the CPPA has not yet officially started, we provide our key takeaways below:
Continue Reading Recent Activity from the California Privacy Protection Agency