Thanks to all who came by to see us at IAPP Global Privacy Summit in Washington, D.C.! Congratulations to IAPP for another successful conference.
FTC Chair Lina Khan Questions Current Data Collection Practices by Private Industry at IAPP Global Privacy Summit, Suggests New Rulemaking May Be Necessary
In her first major privacy address since taking the helm of the Federal Trade Commission (“FTC”), Chair Lina Khan called for expanded policing of data abuses to account for the vast “surveillance” enabled by modern technology. Khan sharply criticized industry’s current data practices – decrying the general lack of legal limits on what types of information can be monetized, a situation she says has incentivized “endless tracking and vacuuming up of users’ data.” The FTC Chair also critiqued current “notice and consent” practices, remarking: “I’m concerned that the present market realities may render the notice and consent paradigm outdated and insufficient.” She further opined that “notice and consent” practices sidestep more fundamental questions “about whether certain types of data collection and processing should be permitted in the first place.”
Acknowledging the current realities of how companies collect and use data in the modern economy, Chair Khan stated that “the Commission is considering initiating rulemaking to address commercial surveillance and lax data security practices. Given that our economy will only continue to further digitize, market-wide rules could help provide clear notice and render enforcement more impactful and efficient.”
Khan clearly intends for regulations to force a major paradigm shift through which she hopes the FTC – as well as Congress, which has long promised privacy legislation – will ensure that consumers do not have to give up their personal data to access essential online tools. Khan further explained: “I believe we should approach data privacy and security protections by considering substantive limits rather than procedural protections.” She observed that the focus on procedural protections fails to address whether certain types of data collection should be permitted at all.
Takeaway: Chair Khan’s remarks signaled that the FTC may fine-tune its enforcement strategy to require substantive protections by empowering consumers to make informed choices about who collects their data, how it is used, and with whom it is shared. Watch for the FTC to fashion remedies it believes will cure underlying harm and “where necessary, deprive lawbreakers of the fruits of their misconduct,” such as through algorithmic disgorgement and data deletion – remedies the FTC has already implemented in recent enforcement actions.
CJEU Considers Use of Phone Traffic and Location Data for Investigation of Serious Crimes
On April 5, 2022, the Court of Justice of the European Union (“CJEU”) ruled that EU law precludes the general and indiscriminate retention of phone traffic and location data for the purposes of combating crime. However, in relation to serious crimes, public authorities can use this kind of data provided it is used in a sufficiently targeted manner and subject to necessary safeguards.
The case concerned an individual in Ireland who had been convicted of murder. Evidence against him included phone records that had been obtained from telecommunications networks. The records in question did not include the contents of his correspondence but did reveal information such as the date, time, and duration of calls and the location of his device.
The CJEU stated that the general and broad retention of this kind of data interferes with the fundamental rights of private life and the protection of personal data. Even the objective of combating serious crimes cannot justify measures providing for the general and indiscriminate retention of all users’ phone traffic and location data. Only a threat to national security could justify general and indiscriminate data retention, but, according to the CJEU, even serious individual crimes do not rise to the same level as a threat to national security.
However, the CJEU also reiterated that, for the purposes of combating serious individual crime, targeted measures can be permissible. EU member states may (subject to necessary safeguards) provide for:
- the targeted retention of phone traffic and device-location data;
- the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for so long as is strictly necessary;
- the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and
- the expedited retention (“quick freeze”) of traffic and location data in the possession of telecoms service providers.
Takeaway: The CJEU confirmed again its strict position on protection of personal data and freedom of individuals. Even a member state’s intention to combat serious individual crimes does not justify the general and indiscriminate retention of telecoms traffic and location data. Data collected in breach of such rules must not be used in criminal law or civil law cases.
Observe, Act, Report – CISA’s Guidance on Voluntary Cyber Incident Disclosures by Industry
In early April 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a fact sheet encouraging government entities and operators of critical infrastructure to report cybersecurity incidents to CISA on a voluntary basis, even before new legislation makes such reporting mandatory. The recently passed U.S. Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) requires, inter alia, that covered entities report to CISA (i) any ransomware payments within 24 hours; and (ii) all covered cyber incidents within 72 hours. Covered entities include critical infrastructure owners and operators as well as federal, state, local, territorial, and tribal governments. Although these reporting requirements will not become mandatory until CISA has implemented the relevant regulations, covered entities are encouraged to report cyber incidents on a voluntary basis in the interim to help mitigate cybersecurity threats.
The fact sheet explains why such voluntary reporting is important and provides compact guidelines about what to report and how. It identifies seven examples of incidents to report: (i) unauthorized access to a system; (ii) denial of service attacks that last more than 12 hours; (iii) finding malicious code; (iv) targeted and repeated scans; (v) repeated attempts to gain unauthorized access; (vi) e-mail or mobile messages associated with phishing attempts or successes; or (vii) ransomware attacks. CISA also identifies 10 “key elements” that reporters should try to include:
- Incident date and time;
- Incident location;
- Type of observed activity;
- Detailed narrative of the event;
- Number of people or systems affected;
- Company/organization name;
- Point of contact details;
- Severity of event;
- Critical infrastructure sector; and
- Anyone else you informed.
Reports can be made using CISA’s Incident Reporting Form or by e-mail to Report@cisa.gov.
Takeaway: This is another step in a long line of recent actions by the Biden Administration to encourage U.S. companies – here, those related to critical infrastructure – to report cyberattacks. Like CIRCIA’s reporting requirement, this request does not include a report to the FBI, and therefore would be subject to the same criticism that this critical agency is being left out of the reporting loop. The timing of the requested reporting may interfere with a company’s steps to fend off cybercriminals in the early hours of an attack. Nonetheless, until CIRCIA reporting becomes mandatory with the issuance of formal regulations, CISA is encouraging covered entities (government agencies and providers of critical infrastructure) to share information about cyber incidents with CISA on a voluntary basis.
U.S. Department of Commerce Appoints Experts to Advise President on AI Issues
On April 14, the U.S. Department of Commerce appointed 27 members to the National Artificial Intelligence Advisory Committee (“NAIAC”). The NAIAC was established pursuant to the National AI Initiative Act of 2020. The NAIAC’s interdisciplinary membership consists of AI experts from the technology sector, universities, and non-profit organizations. The NAIAC, which is chaired by Miriam Vogel of EqualAI, will hold its first meeting on May 4, 2022, and its first report is currently scheduled for release in May 2023.
Congress mandated the NAIAC to make recommendations to the President on a number of issues, including the current state of U.S. AI competitiveness, the state of science around AI, AI-related workforce issues, adequacy of AI to address social issues, and how AI can enhance opportunities for diverse geographic regions, among others. The committee will also provide advice on the management, coordination, and funding of activities under the National AI Initiative Act. In the Commerce Department’s press release, Deputy Secretary Don Graves identified “strategic competition with China” as an area of particular focus.
The NAIAC is directed to establish a subcommittee that will focus on the use of AI in law enforcement. Topics within the subcommittee’s purview will include bias, security of data, adoptability of AI for security or law enforcement, and legal standards to ensure that the use of AI does not infringe privacy rights, civil rights, civil liberties, and disability rights.
Takeaway: The appointment of an impressive cross section of AI experts to the NAIAC is an important step towards accelerating consistent federal policy on the application of AI and machine learning for a broad range of commercial, societal, security and government uses. It is anticipated that the NAIAC will enable the U.S. to be better positioned as a key global leader on AI.
European Medicines Agency Issues Draft Guidance on Protection of Personal Data and Confidential Information in the Clinical Trial Information System
On April 7, 2022, the European Medicines Agency (“EMA”) published draft guidance on how to approach the protection of personal data and commercially confidential information in documents uploaded to and published in the Clinical Trial Information System (“CTIS”). EMA is inviting comments until September 8, 2022.
CTIS is a database in which EU-related clinical trial information is stored. It was created by the EU’s Clinical Trials Regulation (“CTR”) as a single database for submitting data and documents about clinical trials where the public at large can review that information. In principle, all CTIS submissions are publicly available, but the CTR allows redactions on limited grounds, including redaction of personal data and commercially confidential information. EMA is now consulting on guidance in relation to these two exceptions. The draft guidelines include, inter alia:
- Confirmation that no personal data should be publicly accessible but should be anonymized. The guiding principle is that when submitting data to CTIS, users must eliminate the risk of re-identification. The need to protect personal data is not limited to personal data from trial participants but also includes others such as sponsor staff or marketing authorization holders. Guidance is also provided on the principle of pseudonymization.
- Anonymization of documents should be done outside of the CTIS system, and the users who upload the documents are solely responsible for the task, since the CTIS platform has no mechanism to implement anonymization or redaction.
- Similar guidance is also provided on the protection of commercially confidential information which covers non-public information that could be damaging to sponsors’ competitive positions or business interests if shared. The draft guidance considers that CTIS users should have a strong grasp of what information is already in the public domain and advises, to the extent possible, to avoid the inclusion of commercially confidential information in CTIS documentation to reduce the need for redactions.
Takeaway: The CTR, including the requirement that any CTIS information is public by default, became applicable on January 31, 2022. EMA’s draft guidelines provide important guidance for the pharmaceutical industry on how to balance the protection of personal data and commercially confidential information with information sharing requirements. The period for public consultation on the draft is in progress, and the final guidance may only be published in 2023. Privacy issues are critical throughout the clinical trial process, but the public nature of the CTIS requires particular attention.
U.S. State Department Launches Bureau of Cyberspace and Digital Policy
On April 4, 2022, the State Department announced the launch of the Bureau of Cyberspace and Digital Policy (“CDP”). The CDP has been established to lead and coordinate the State Department’s work on cyberspace and digital diplomacy. It aims to encourage responsible state behavior in cyberspace and advance policies that protect the integrity and security of the infrastructure of the Internet, serve U.S. interests, promote competitiveness, and uphold democratic values.
The CDP includes three policy units: International Cyberspace Security, International Information and Communications Policy, and Digital Freedom. The CDP will add more personnel across multiple cyber-related issues than existed under previous cybersecurity offices at the State Department – potentially up to 100 personnel by the end of 2022. The CDP will be led by a Senate-confirmed Ambassador-at-Large, Jennifer Bachus, a career member of the Senior Foreign Service. The CDP ultimately reports to the Deputy Secretary of State, demonstrating the Biden administration’s efforts to make digital issues an intrinsic part of U.S. foreign policy.
Takeaway: The launching of the CDP, a mere six months after its announcement, is a clear signal that the Biden Administration continues to prioritize cyber issues. Importantly, the CDP will give the State Department more clout in interagency discussions about high-profile cyber issues, potentially leading to (i) greater use of technology in U.S. foreign policy, such as technological export controls, and (ii) increased efforts to establish agreement among allies regarding cybersecurity norms, combating cybercrime, and what the democratic internet looks like.