If 2022 has been any indication, the innovations of Web3—the developing, largely decentralized, autonomous internet, enabled by technologies such as blockchain, smart contracts, decentralized autonomous organizations (DAOs), and digital assets—will lead to an era of rethinking the ways that privacy, cybersecurity, and consumer protection are regulated for these technologies. Proponents of Web3 argue that Web3 will promote individual data ownership, transparency, and freedom, but over the last few years, lawmakers have struggled to keep up with the rapidly changing nature of the Web3 space and force the new technology to fit within the existing legal framework.

This year, however, authorities have called for a more harmonized approach to Web3 regulation. Several recent developments—including Executive Orders from President Biden and California Governor Gavin Newsom, invocation of a long-dormant statutory provision by the Consumer Financial Protection Bureau (CFPB), and proposed amendments to the Cybersecurity Information Sharing Act—have signaled that lawmakers and regulators are prioritizing new approaches to privacy, cybersecurity, and consumer protection in an attempt to regulate Web3.

Continue Reading Privacy, Cybersecurity, and Consumer Protection Are Set To Be Key Focus Areas For Regulators As Web3 Innovation Continues

On 30 September 2022, the Court of Justice of the European Union (CJEU) handed down two judgments in which it ruled, respectively, that Germany’s and France’s data retention laws are incompatible with EU law.

In Joined Cases C‑793/19 and C‑794/19 SpaceNet AG and Telekom Deutschland GmbH (EU:C:2022:702), the CJEU ruled that EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security. It also confirmed, however, that to combat serious crime, Member States may, in strict compliance with the principle of proportionality, provide for the targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses.

Continue Reading EU Data Retention: When Member States Get It Wrong

On June 24, 2022, the U.S. Supreme Court issued its ruling in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and holding that there is no constitutionally protected right to abortion. The significance of the decision cannot be overstated. Dobbs not only rolled back the Court’s prior protection of reproductive rights, it also raised still-unanswered questions about the privacy of digital data and could lead to the overturning of other previous Court opinions that are similarly grounded in privacy interests. In sparking such questions, Dobbs appears to have reinvigorated a national conversation regarding the protection of personal information and, more generally, the need for stronger data privacy safeguards in the United States.

Continue Reading Four Months after Dobbs, Privacy Concerns Remain in the Spotlight

On October 5, 2022, Joe Sullivan, Uber’s former Chief Security Officer, was convicted of “obstruction of the proceedings of the Federal Trade Commission and misprision of felony in connection with the attempted cover-up of a 2016 hack at Uber.” He faces up to eight years in prison. The conviction marks the first time that an individual company executive has faced criminal charges related to an information security breach.

While this conviction could be viewed as a slippery slope toward more cases—both civil and criminal—where Chief Security Officers or Chief Information Security Officers are found personally liable for company data breaches that happen on their watch, Sullivan’s actions went beyond simple failure to stop a breach or even failure to report it. As the prosecutor in the case, US Attorney Stephanie Hinds explained, “Sullivan affirmatively worked to hide the data breach from the Federal Trade Commission (FTC) and took steps to prevent the hackers from being caught. We will not tolerate the concealment of important information from the public by corporate executives more interested in protecting their reputation and that of their employers than in protecting users. Where such conduct violates the federal law, it will be prosecuted.” By bringing these charges the government was sending a message that it views companies as responsible for the data they collect from consumers and expects those companies to be transparent and honest when dealing with a known data breach.

Continue Reading Former Chief Security Officer of Uber Convicted for Mishandling 2016 Data Breach

On 7 October 2022, the White House issued an Executive Order, as well as an accompanying Fact Sheet, which sets out the foundations for the Transatlantic Data Privacy Framework (“Framework”).

Since the decision of the Court of Justice of the European Union (“CJEU”) in the Schrems II case in mid-2020, organizations have not been able to rely upon the Privacy Shield Framework to transfer data from the European Union (“EU”) and other European Economic Area countries to the U.S. As a result, many have sought to rely on other data transfer mechanisms, the most common being the EU Standard Contractual Clauses (“SCCs”). However, the Framework would allow participating organizations to transfer personal data freely, removing the administrative and commercial burden of the SCCs.

The Executive Order addresses data privacy concerns raised by Schrems II through introducing, among other measures, further safeguards and oversight of personal data collection by U.S. signals intelligence (“SIGINT”) activities and provides individuals with a redress mechanism for their data protection concerns. Although the Executive Order is a positive step forward, welcomed by many, the long-term durability of the Framework remains uncertain, and the Framework is not functional until the European Commission issues an adequacy decision based on the Framework, the timing of which remains uncertain.

Click here to read Ropes & Gray’s Client Alert on the Executive Order.

Delaware’s Court of Chancery recently dismissed a derivative claim brought by an alleged shareholder of SolarWinds, claiming that the Company’s current and former directors breached their fiduciary duties by failing to ensure that SolarWinds had minimal cybersecurity protections. A cross-practice team of Ropes & Gray litigation and data privacy attorneys represented Kevin Thompson, SolarWinds’ former CEO and one of its former board members, who had been named in the litigation. The court dismissed the claim as to all named defendants, including Mr. Thompson, in an important ruling that fills in the contours of the scope of director duties with respect to corporate cybersecurity under Delaware law.

For more information, see the Ropes & Gray news release about the victory and the Law360 article that reported on the success.

On June 30, 2022, the Department of Justice (“DOJ”) announced four enforcement actions involving allegations of fraud in the cryptocurrency space. The enforcement actions, which collectively bring criminal charges against six individuals, demonstrate the breadth of potential conduct that may expose participants in the blockchain industry to regulatory and enforcement risk. In connection with these cases, the DOJ alleges a wide-ranging “rug pull” scheme related to non-fungible tokens (“NFTs”), a fraudulent investment fund trading on cryptocurrency exchanges, a Ponzi scheme involving the sale of unregistered cryptocurrency instruments, and a fraudulent initial coin offering. The announcement may also signal enhanced focus on potential cryptocurrency fraud in Central and Southern California, where three of the four cases were filed.

Click here to read Ropes & Gray’s Client Alert on the enforcement actions.

On June 24, 2022, the Supreme Court issued its opinion in Dobbs v. Jackson Women’s Health Organization, overturning precedent that protected access to abortion services before the point of fetal viability. Instead, the Supreme Court stated that state legislatures have the authority to regulate abortion, leading several states to enact laws banning the procedure or to enforce previously unenforceable laws banning abortion. In response to the Dobbs decision, on June 29, 2022, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) released guidance materials discussing the role that the Health Insurance Portability and Accountability Act of 1996, and its implementing regulations, as amended (collectively, “HIPAA”) plays in safeguarding the protected health information (“PHI”) of women.

Click here to read Ropes & Gray’s Client Alert on the guidance.

On July 7, 2022, the Cyberspace Affairs Commission (“CAC”) of China issued the Measures on Security Assessment of Cross-Border Data Transfer (the “Security Assessment Measures”), which sets out the security assessment framework for cross-border data transfers. The Security Assessment Measures will become effective on September 1, 2022. In conjunction with the issuance of the Security Assessment Measures, CAC also issued an interpretation guideline on the same day (the “Interpretation Guideline”). The Security Assessment Measures lay out the ground rules for a security assessment filing for cross-border data transfers that was stipulated in the Cybersecurity Law (“CSL”) and the Personal Information Protection Law (“PIPL”).

Click here to read Ropes & Gray’s Client Alert on the rules.

Last week, a group of U.S. House of Representatives Democrats introduced the RoboText Scam Prevention Act (“RSPA”). If passed, the bill would amend the Telephone Consumer Protection Act (“TCPA”). As predicted in the wake of the Supreme Court’s decision in Facebook v. Duguid, the RSPA is Congress’s attempt to clarify the TCPA by proposing modernizations that would address 21st century dialing technologies that were not in place when the law was first passed, but the bill’s broad definitions could create more confusion than clarity if it is passed without further changes.

Continue Reading Newly-Proposed TCPA Amendment Could Lead to Expansive Coverage