We’ve noticed that people seemed more determined than usual this year to really unplug during their vacations. That was no doubt a healthy reaction to months of pandemic-related stress. For those who took some true summer downtime, and anyone else who’d find a roundup useful – here are some quick notes on how the world of data strategy and security marched on over the last month or so:

  • CCPA B2B, HR Exemptions Extended: The California legislature has just passed a bill that would extend, for another year, the business to business and human resources exemptions to the California Consumer Privacy Act (CCPA). Businesses have been depending on these exemptions to omit B2B and HR data from their CCPA compliance programs – and fretting about their imminent sunset on January 1, 2021. If Governor Gavin Newsom signs the bill, the exemptions will sunset instead on January 1, 2022 – subject to possible further extension.
  • CCPA Regulations Finalized with Last-Minute Changes: The final-final version of the California Attorney General’s regulations under CCPA took effect. A few provisions present in the last draft of the regulations were withdrawn at the last minute. Although the Attorney General made no public comment about why, the changes seem to be a move in the direction of being business-friendly. Among other changes, the final version eliminates the previously proposed requirements that (1) a business would need explicit consent from a consumer to use their personal information for a materially different purpose than was stated in the notice of collection; (2) businesses that substantially interact with consumers offline would have to provide notice to consumers via an offline method; and (3) a business’s methods for submitting requests to opt out would have to entail minimal steps for consumers and not be designed to subvert or impair the opt-out right.
  • Collection of Metadata Held To Violate FISA: In a long-awaited decision, the Ninth Circuit U.S. Court of Appeals ruled that the U.S. government’s mass collection of telephony metadata was a violation of the Foreign Intelligence Surveillance Act, or FISA. This collection is the program that Edward Snowden disclosed to the world in 2013. The Court came close to saying, but did not ultimately rule, that the collection program was also a constitutional violation. These legal views from the court offered little comfort to the individual defendant-appellants, as the court upheld their convictions for sending, or conspiring to send, funds to Somalia to support a terrorist organization. The Court ruled that the FISA violation, and the potential constitutional violation, did not cause prejudice to the defendants.
  • Facial Recognition Used In TSA’s New Self-Service Check-In: In the latest example of how COVID-19 is pushing the boundaries of technology and privacy, the U.S. Transportation Security Administration has just launched a new program that allows airline passengers themselves (not a TSA employee) to scan their photo IDs, while a machine photographs them and uses facial recognition to match the ID to the photo. Anticipating data privacy and security concerns, the TSA maintains that it does not store the photos and in fact “there is no capacity to do so.”
  • Data Breach Class Action Filed Against Blackbaud in SC: The latest high-profile defendant in a post-data-breach class action is Blackbaud, the company that provides services to many nonprofits. When Blackbaud experienced a ransomware attack and data breach, many of the organizations it services – prominent museums, healthcare organizations, universities, and other charitable entities – found themselves issuing breach notifications and otherwise responding to the incident. The class action complaint is brought on behalf of a purported class of individuals whose information was compromised, including nonprofit donors. The complaint alleges, in particular, that Blackbaud did not adequately prepare for ransomware attacks. The complaint also asserts that class members’ data remains at risk, despite Blackbaud paying the ransom and publicly stating its view that it now believed the compromised data to be secure.
  • Claire’s Faces Data Breach Class Action: The retailer Claire’s – familiar to anyone whose tween daughter ever got her ears pierced at the mall – likewise faces a new class action complaint in Illinois state court. Plaintiffs allege a failure to meet the increasingly well-settled “reasonable security” legal standard. Claire’s previously disclosed a breach in which malware lifted customers’ personal data out of its systems during the online checkout process.
  • NIST Promotes Standards for “Explainable” AI: The National Institute of Standards and Technology (NIST) issued its draft white paper, Four Principles of Explainable Artificial Intelligence. In a nutshell, NIST proposes that (1) systems using AI should provide evidence/reasons for their outputs; (2) explanations should be meaningful to their recipients; (3) explanations should be accurate; and (4) systems should not give outputs in circumstances that go beyond the system’s design or authorization, or confidence in the output is otherwise lacking. Given NIST’s stature as creator of the highly influential Cybersecurity Framework, this paper has the potential to stand out in the sea of AI discussion documents and drive the development of law and regulation. NIST remains open for public comment on the paper until October 15.
  • FTC “Tidies Up” COPPA FAQs: The U.S. Federal Trade Commission Marie Kondo’d its FAQs under the Children’s Online Privacy Protection Act, or COPPA. The newly “decluttered” FAQs clear out dated references to the no-longer-new COPPA regulations. The new FAQs incorporate FTC guidance on newer technologies like the Internet of Things, modern-day enforcement actions such as the $170 million penalty imposed last year against YouTube, and the latest approved methods for obtaining verifiable parental consent.
  • Schrems II aftershocks continue: The European Data Protection Board announced that a new task force would investigate the more than 100 complaints filed against data controllers since the Schrems II ruling that invalidated Privacy Shield and cast doubt on Standard Contractual Clauses. Keep an eye out tomorrow for a post with our monthly roundup of key EU developments.
  • Egypt’s new data protection law published: Egypt published its new data protection law in the Official Gazette, setting the law on track to take effect in October. Full Arabic text available here, English summary here. Like the LGPD, the law is clearly modeled on the GDPR. Key features include the controller-processor framework; obligations of controllers to rely on statutory legal grounds, such as consent or legitimate interest, to support acts of data processing; data subjects’ rights of access and rectification; limitations on cross-border transfer; and 72-hour breach notification. Going beyond the GDPR, Egypt is establishing a new national data protection center that will issue licenses for the processing of personal data.
  • India launches proposal to regulate non-personal data: A committee formed by the government of India launched a proposal to extensively regulate non-personal data. Under the proposal, foreign companies would have to share non-personal data with the government and even with Indian competitors. “Critical” and “sensitive” non-personal data would be subject to new data localization requirements. Other proposed requirements would include obtaining consent to process anonymized data. At last report, a coalition of U.S. business interests was organizing to oppose the proposal.

Readers may also be interested in our August posts on Artificial Intelligence and Consumer Protection Risks; Updating the Safeguards Rule; Cybersecurity Requirements for Insurance Companies; The UK School Algorithm Debacle: 5 Lessons for Corporate AI Programs; Are Antitrust and Data Protection Rules Converging?; and Schrems II: Where Are We Now?

Welcome back to work!

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Stephanie Cipolla is an associate in Debevoise's Litigation Department who is a member of the Debevoise Data Strategy & Security practice. She can be reached at smcipolla@debevoise.com.

Author

Christina Heil is a corporate associate and a member of the Mergers & Acquisitions Group at Debevoise, based in Frankfurt. She can be reached at cheil@debevoise.com.

Author

Christopher Garrett is an English-qualified international counsel in the Corporate Department and a member of the Data Strategy & Security practice, practising employment law and data protection. He has significant experience advising employers on all aspects of employment law and advising companies on compliance with UK and EU data protection law. Mr. Garrett has substantial experience in advising on the employment aspects of mergers & acquisitions transactions, including transfers of employees or other issues arising under TUPE/the Acquired Rights Directive. Mr. Garrett has a wide range of experience advising on other matters such as boardroom disputes, senior executive contracts and terminations, disciplinary and grievance matters, a variety of employment tribunal claims (including high-value discrimination claims), advising employers faced with industrial action, consultation on changes to occupational pension schemes, and policy and handbook reviews. Mr. Garrett also has a particular focus on handling privacy and data protection issues relating to employees, as well as online privacy, marketing and safety practices, and regularly advises clients on privacy policies, online marketing practices and related matters.

Author

Fanny Gauthier is an associate in Debevoise's Litigation Department, based in the Paris office. Ms. Gauthier is a member of the firm’s International Dispute Resolution Group, as well as the firm’s Data Strategy & Security practice. Her practice focuses on complex commercial litigation, international arbitration and data protection. She can be reached at fgauthier@debevoise.com.

Author

Robert Maddox is International Counsel and a member of Debevoise & Plimpton LLP’s Data Strategy & Security practice and White Collar & Regulatory Defense Group in London. His work focuses on cybersecurity incident preparation and response, data protection and strategy, internal investigations, compliance reviews, and regulatory defense. In 2021, Robert was named to Global Data Review’s “40 Under 40”. He is described as “a rising star” in cyber law by The Legal 500 US (2022). He can be reached at rmaddox@debevoise.com.

Author

Dr. Friedrich Popp is an international counsel in the Frankfurt office and a member of the firm’s Litigation Department. His practice focuses on arbitration, litigation, internal investigations, corporate law, data protection and anti-money laundering. In addition, he is experienced in Mergers & Acquisitions, private equity, banking and capital markets and has published various articles on banking law.

Author

Julia Wang is an associate in Debevoise's Litigation Department. She can be reached at cwang1@debevoise.com.

Author

Mengyi Xu is an associate in Debevoise's Litigation Department and a Certified Information Privacy Professional (CIPP/US). As a member of the firm’s interdisciplinary Data Strategy & Security practice, she helps clients navigate complex data-driven challenges, including issues related to cybersecurity, data privacy, and data and AI governance. Mengyi’s cybersecurity and data privacy practice focuses on incident preparation and response, regulatory compliance, and risk management. She can be reached at mxu@debevoise.com.