WSJPro Cybersecurity Symposium

Metaverse Law to Speak at WSJ Cybersecurity Symposium

Metaverse Law will be one of the speakers at the Wall Street Journal’s Cybersecurity Symposium and will focus on the applicable laws and regulations per business type.

It is a two-day event in San Diego, CA, from Thursday, January 9 to Friday, January 10, 2020. The agenda for both days includes breakfast and registration, several speakers, networking breaks, and lunch, with a cocktail reception on the ninth and a cybersecurity strategy development bootcamp on the tenth.

A detailed itinerary, as well as registration details, can be found at https://cybersecurity.wsj.com/symposium/san-diego/#schedule

What Businesses Need to Know if Voters Pass Proposition 24 (California Privacy Rights Act of 2020, “CPRA”)

Hot on the heels of the California Consumer Privacy Act (CCPA), California residents this November will vote on Proposition 24. A majority yes vote on Prop 24 would pass the California Privacy Rights Act (CPRA). The CPRA proposes several amendments to the CCPA, such as granting new rights to consumers, imposing greater penalties on businesses for certain violations, and creating a new state enforcement agency, the California Privacy Protection Agency (CPPA).

1. Right to Restrict Use of Sensitive Data

Under the newly added Section 1798.121, consumers now have the right to direct businesses to limit the use of “sensitive personal information.”

As defined in CPRA, sensitive personal information appears to combine the conventional definition of “personally identifiable information” from state breach notification laws with the definition of “special category data” under the GDPR. Accordingly, sensitive personal information is data that may include a Social Security Number, driver’s license number, account log-in/debit/credit card information in combination with password or PIN. It may also include a consumer’s precise geolocation, the contents of their e-mails or texts to others, and racial, religious, biometric, or health data.

If directed to do so, businesses must limit the use of sensitive personal information to only those purposes that are necessary to provide a consumer’s requested services or goods.

To facilitate consumer exercise of this right, businesses may be required to add another link, “Limit the Use of my Sensitive Personal Information,” to their websites, in addition to any existing “Do Not Sell My Personal Information” link.

2. Right to Opt-Out of Cross-Context Behavioral Advertising

The CPRA requires a right of opt-out for “cross-context behavioral advertising” regardless of whether it constitutes a “sale” of personal information or not.

Currently, the CCPA is ambiguous as to whether cross-context behavioral advertising—that is, the collection of a consumer’s activities across different websites or even different devices for the purposes of personalized and targeted advertising—constitutes a sale of personal information. Some affiliates, such as Google, have categorized themselves as a service provider providing marketing and advertising services to the business in order to fall out of the definition of sale. Some other affiliates have put forth the position that they never “sold” personal information, because they only allow advertisers to target broad categories of demographics without identifying a specific individual to the advertiser.

The CPRA is quite clear that such activity requires an opt-out regardless of whether it is a sale of information or not. Should CPRA come into effect, businesses should expect to present consumers with three opt-out choices in total (subject to further clarification from the Attorney General):

  1. A global opt-out from sale and sharing of personal information
  2. A choice to “Limit the Use of My Sensitive Personal Information”
  3. A choice for “Do Not Sell/Do Not Share/Do Not Share my Personal Information for Cross-Context Behavioral Advertising”

3. Employee and Business-to-Business (B2B) Data

Both employee and B2B data are currently exempted from general CCPA coverage, although these exemptions are set to expire January 1, 2021. Under the CPRA, these exemptions would be extended until January 1, 2023.

However, this does not mean that businesses do not have any obligations with respect to employee data under CCPA (and under CPRA). For data belonging to job applicants, employees, and independent contractors, businesses must disclose the categories of personal information that were collected and what purposes the information was collected for, typically within a separate employee privacy notice. CPRA also extends anti-discrimination rights to employees who exercise their rights and then face retaliatory action from their employer.

4. Children’s Data

Children’s privacy and data collection is a particularly sensitive area of regulation. TikTok is commonly scrutinized due to its predominantly younger user base, and settled with the FTC for $5.7 million in 2019 over allegations that it collected children’s data without parental consent.

Under CPRA, fines may be tripled for violations involving children’s information. Currently, businesses are fined $2,500 for each violation and $7,500 for intentional violations under CCPA. Per the amended Section 1798.155 in CPRA, businesses would be fined $2,500 for each violation and $7,500 for intentional and children’s data violations. Given that violations can potentially involve hundreds of thousands of records for medium sized enterprises and in the millions for large companies, the fines can be staggering when multiplied.

5. Removal of Notice-and-Cure

Previously, under CCPA, businesses were allowed a thirty (30) day period to cure violations following notice by the California Attorney General’s office. CPRA has quietly removed this notice-and-cure provision through its changes to Section 1798.155. The notice-and-cure is often criticized as a “get-out-of-jail-free” card that prevents any real enforcement of CCPA outside of a consumer’s private right of action. If CPRA passes, the removal of this provision means that businesses will need to be more vigilant about getting privacy compliance and privacy implementation correct on the first try.

6. CPPA: New State Enforcement Agency

CPRA will allocate $10 million per year to a new state agency, the CPPA, to investigate and enforce against violations of consumer privacy laws, similar to European data protection authorities. Some portion of this cost will be offset by the proceeds of enforcement actions.

Currently, the California Office of the Attorney General (OAG) enforces the CCPA as part of the office’s functions for protecting consumer rights and prosecuting consumer crimes, amid a host of other duties.

The CPPA being an agency dedicated solely to privacy regulation would relieve much of the strain of enforcement previously on the OAG. If CPRA passes, expect to see more enforcement actions.

Likelihood of Prop 24 Passing

Prop 24 has divided support among reputable consumer and civil rights organizations, which makes it harder to gauge how likely Prop 24 is to pass. Democratic Presidential candidate Andrew Yang as well as the NAACP have come out in support of Prop 24. However, the ACLU has opposed Prop 24 in official election materials. Other organizations remain neutral, such as the Electronic Frontier Foundation, which has come out as neither endorsing nor opposing Prop 24.

According to recent polling conducted by Redfield & Wilton Strategies, 60% of respondents indicated that they would vote ‘Yes’ on Prop 24, with 17% opposing and 23% undecided. Even if Prop 24 fails to pass, businesses should not breathe a sigh of relief and assume that the trendlines are moving toward deregulation. In fact, the greatest opposition to CPRA is centered on the fact that the law is not protective enough of consumer privacy and has too many loopholes that cater to big tech companies collecting large amounts of data. The pattern is moving toward greater privacy regulation, and CPRA is an experiment in seeing how far the boundary can be pushed.

Schrems II: No Privacy Shield for EU-US Data Transfers, but Don’t Put Your Eggs into Standard Contractual Clauses Either

Image Credit: Capri23auto from Pixabay

On July 16th, 2020, privacy professionals scrambled after the Court of Justice of the European Union (CJEU) handed down its decision in Schrems II. The ruling invalidated the US-EU Privacy Shield agreement, which authorized transfers of data from the EU to the US for Privacy Shield-certified companies. Though the ruling on Privacy Shield was unexpected given that it was not directly at issue, such a decision is not without precedent or historical pattern. Privacy Shield itself was a replacement for the Safe Harbor framework that was invalidated in 2015 in Schrems I.

Now that the Privacy Shield framework has been invalidated, both data controllers and data processors are likely concerned about the next steps to take to ensure that any data transfers integral to their operations can continue. Although the U.S. Department of Commerce has indicated that it will continue processing Privacy Shield certifications, affected companies such as U.S. data importers and EU data exporters should quickly explore and adopt other transfer-legitimizing mechanisms with their service providers and vendors in order to prevent any gaps in compliance.

Alternative Mechanism: Standard Contractual Clauses

Under the GDPR, data transfers to “third countries” outside the EU and international organizations are restricted unless validated by an approved mechanism to ensure that GDPR protection will follow.

Under GDPR Article 45, data transfers may be valid on the basis of an “adequacy decision,” where the European Commission has previously evaluated and determined that a third country provides “an adequate level of protection.”

GDPR Article 46(1) provides that, in the absence of an adequacy decision for the third country, other possible transfer mechanisms include Standard Contractual Clauses (SCC). SCCs, also known as “model clauses,” are sets of pre-approved and non-negotiable contractual provisions that both the importer and exporter must agree to.

SCCs are the primary mechanism for data transfers between EU and non-EU entities. This is because binding corporate rules (BCR) are traditionally reserved for intraorganizational transfers of data within multinational corporations, Article 49 derogations should typically only be used for limited, non-repetitive situations, and the other mechanisms listed under Article 46(1) (codes of conduct and certification mechanisms) have not yet been tested.

Evaluate on a “Case-by-Case” Basis

Even if using SCCs, the importer and exporter must complete a “case-by-case” analysis to determine if the laws of the third country provide an adequate level of protection or whether additional safeguards are necessary to meet the standards of the GDPR or the Charter of Fundamental Rights.

For instance, laws that allow presumptively broad law enforcement surveillance of personal data without a judicial review process will likely be non-compliant with the GDPR.

Given China’s recently enacted Cryptography Law, which provides for an encryption backdoor accessible to government actors, China may serve as an example of a third country where SCCs might not be able to automatically validate a cross-border data transfer. Since businesses operating in China may be legally required to provide data to the government without judicial approval, such a legal obligation would defeat the adequacy of SCCs as a transfer mechanism. Reliance on SCCs to validate data transfers might fail in such instances.

A similar analysis may have to be completed for US service providers. For instance, many cloud providers may fall under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, both of which govern surveillance programs like PRISM and UPSTREAM. The CJEU heavily scrutinized these programs in its decision to strike down Privacy Shield, finding that these programs were not subject to adequate judicial oversight and that EU citizens would be especially vulnerable given that the protections of the Fourth Amendment of the U.S. Constitution do not apply to EU citizens.

Moving Forward

What’s next on the horizon? Perhaps the third time is the charm.

It is foreseeable that the European Commission and U.S. Department of Commerce might again negotiate a third agreement. This new agreement will need to provide additional checks and balances and reassurances for EU individuals whose data is transferred to the US for processing, beyond the level provided for in the stricken-down Privacy Shield.

In an Opinion dated April 13, 2016, Article 29 Working Party (WP29), the predecessor to the current European Data Protection Board (EDPB), had already determined that one of Privacy Shield’s deficiencies was its failure to address “massive and indiscriminate collection of personal data originating from the EU” by US intelligence agencies. WP29 also expressed concerns that the Privacy Shield Ombudsperson was not sufficiently independent and powerful enough to be an adequate tribunal. It concluded by urging the Commission to improve Privacy Shield to provide equivalent protections as in the EU. Given that these concerns were telegraphed well in advance of Privacy Shield’s actual invalidation, the next framework must absolutely address these issues if it wishes to survive scrutiny. In the meantime, businesses should review their data transfer flows, remain agile and flexible in responding to developing law, and ensure that transfers are validated by multiple mechanisms as a contingency.

China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime

[Originally published as a Feature Article: China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime, by Carolyn K. Luong, in Orange County Lawyer Magazine, April 2020, Vol. 62 No.4, page 31.]

By Carolyn Luong

U.S.-China relations have been a trending topic throughout the past year due to several conflicts involving the alleged encroachment upon free speech principles and perceived threats to U.S. national security. The NBA and Activision-Blizzard, both U.S.-based organizations, fielded criticisms in October of 2019 for supposed political censorship motivated by the fear of losing Chinese customers. Furthermore, as the U.S. races to build out its 5G infrastructure, the U.S. government has explicitly restricted U.S. corporations from conducting business with Chinese technology manufacturer Huawei upon apprehension that Huawei equipment may contain backdoors to enable surveillance by the Chinese government.[1]

Dr. Christopher Ford, Assistant Secretary of the U.S. State Department’s Bureau of International Security and Nonproliferation remarked in September that, “Firms such as Huawei, Tencent, ZTE, Alibaba, and Baidu have no meaningful ability to tell the Chinese Communist Party ‘no’ if officials decide to ask for their assistance—e.g., in the form of access to foreign technologies, access to foreign networks, useful information about foreign commercial counterparties . . . .”[2] These Chinese firms in response firmly deny any allegations of contemplated or actual instances of required cooperation with the Chinese government to compromise user information or equipment.

Should Bar Associations Vet Technology Service Providers for Attorneys?

[Originally published in GPSOLO, Vol. 36, No. 6, November/December 2019, by the American Bar Association. Reproduced with permission. All rights reserved.]

Image Credit: Gerd Altmann from Pixabay

Bar associations across the country have similar goals: advance the rule of law, serve the legal profession, and promote equal access to justice. Technology can easily support these goals. From online research and billing software, to virtual receptionist and SEO services, technology vendors improve the efficiency and accessibility of attorneys. It is no wonder then that bar associations around the country are promoting technology solutions for their members.

Despite the obvious benefits, bar associations need to be diligent about vetting technology vendors. By promoting one technology provider over another, bar associations could run afoul of advertising laws, tax requirements, and software agreements. In addition, bar associations and their members need to pay close attention to technology vendors’ cybersecurity safeguards to protect client confidences.

This article will briefly address each of these issues in turn and provide a non-exhaustive checklist of considerations before choosing a legal technology provider.

Bar Associations as Influencers

When we think of product endorsements today, we think of social media influencers, bloggers, and vloggers—not bar associations. Yet, bar associations wield incredible influence over the purchasing decisions of their members. Given this influence, bar associations should stay mindful of laws addressing unfair and deceptive advertising, such as Section 5 of the Federal Trade Commission Act (FTC Act), state false advertising laws, and state unfair trade practices acts (little FTC acts).
