Dechert Cyber Bits
Issue 54 - May 2, 2024
European Data Protection Board Publishes Strategy for 2024-27
The European Data Protection Board (“EDPB” - the EU body tasked with promoting consistency and cooperation in enforcement of the GDPR) has outlined its strategy for the years 2024 to 2027.
The strategy is built upon four main pillars: (i) enhancing harmonization and promoting compliance; (ii) reinforcing a common enforcement culture and effective cooperation; (iii) safeguarding data protection in the developing digital and cross-regulatory landscape; and (iv) contributing to the global dialogue on data protection.
The EDPB intends to focus on strengthening enforcement collaboration and initiating coordinated enforcement actions. It also aims to integrate data protection rights within the broader regulatory framework through guidance on the intersection between data protection and the suite of new digital regulations that are part of the EU’s “Digital Decade” strategy (such as the AI Act, Digital Markets Act and the Digital Services Act).
Takeaway: The EDPB’s strategy for the next three years reflects the changing regulatory landscape in the EU. In the early days of the GDPR, the EDPB’s priority was providing guidance on the GDPR. In its latest strategy, the EDPB acknowledges its increasing “mediator” role between national data regulators and the need for it to evolve its guidance to account for intersecting new EU regulations governing the digital space.
FTC Seeks Authority to Bring its Own Consumer Cases, Obtain Court-Ordered Monetary Awards
The United States Federal Trade Commission (“FTC” or “Commission”) recently issued a report to Congress pursuant to the FTC Collaboration Act of 2021 detailing its cooperation with state law enforcement agencies and recommending legislative initiatives to enhance further collaboration efforts. The FTC’s report contains three sections, with the section on “Legislative Recommendations to Enhance Collaboration Efforts” being the most notable because it asks Congress to expand the FTC’s authority regarding civil penalty cases and equitable monetary relief.
First, the FTC urged Congress to restore the FTC’s authority under section 13(b) of the FTC Act to directly obtain court-ordered equitable monetary relief, such as restitution or disgorgement from subjects of its investigations. The United States Supreme Court struck down this power in its 2021 AMG Capital Management v. FTC decision, holding that section 13(b), which permits the FTC to go to the courts to obtain a “temporary restraining order or a preliminary injunction,” did not authorize the Commission itself to obtain court-ordered monetary relief. In her statement on the report, FTC Chair Lina Khan characterized this change as “critical” to ensuring that “lawbreakers do not profit from lawbreaking and that victims of illegal conduct are made whole.”
Second, the FTC requested that Congress strike the existing requirement that the FTC refer civil penalty cases to the United States Department of Justice (“DOJ”). The change would allow the FTC to file its own lawsuits seeking civil penalties without having to consult with the DOJ beforehand. The report argues that an independent authority to seek civil penalties will streamline the FTC’s enforcement capabilities and improve the Commission’s ability to protect consumers from unfair or deceptive acts or practices.
Takeaway: The FTC has adopted a more aggressive approach to enforcement in recent years, and this would only embolden those efforts. Many in the industry already believe that the FTC is significantly overstepping in its enforcement actions. If Congress were to comply with the FTC’s request and restore its authority to obtain court-ordered equitable monetary relief, and to bring cases involving civil penalties without having to refer those cases to the DOJ, the FTC would have significantly more authority and ability to issue monetary penalties than it does currently.
Data Accuracy in The Context of GenAI - UK Data Regulator Seeks Comments on Draft Guidance
The UK Information Commissioner’s Office (“ICO”) has initiated a new phase in its ongoing series of consultations on data protection issues relating to generative AI. This third phase focuses on the principle that personal data must be accurate - the “accuracy principle.” The ICO has previously consulted on training generative AI on web-scraped data and defining the purposes for which personal data can be used in the context of generative AI.
The ICO emphasizes that the purpose for which a generative AI model is used is critical for the purposes of the accuracy principle and encourages developers to put in place measures to prevent their generative AI systems from being used for purposes that are incompatible with the level of accuracy of the AI’s outputs. For example, an AI system designed to be used for purely creative purposes may not have the level of accuracy required for that system to be used to make decisions about individuals or to source information about individuals. The ICO also considers that businesses deploying third party generative AI have responsibilities to ensure that the generative AI is not used in a manner that contravenes the accuracy principle.
Takeaway: With no equivalent to the EU AI Act in the UK at this time, data protection law provides a key framework for regulating AI. The ICO’s consultation series and guidance to date also demonstrates that the ICO sees AI as a priority. The accuracy of personal data in AI outputs is an important issue for AI developers, deployers and users to consider. Businesses using generative AI will want to understand use restrictions imposed by their vendors, as well as measures to ensure end users use the AI only for purposes that are appropriate to the level of accuracy of the personal data involved. The ICO’s current consultation is open for responses until May 10, 2024.
UK Data Regulator Publishes Guidance on Transparency in Health and Social Care
The UK Information Commissioner’s Office (“ICO”) has issued guidance for organizations involved in providing health and social care in the UK. Highlighting the sensitivity of personal data processed in the context of health and social care, the guidance provides sector specific advice to comply with data protection requirements regarding transparency and to foster trust in the health and social care systems.
The guidance adopts a proportionate approach acknowledging that there can be circumstances in a healthcare setting where providing privacy information may not be a priority (e.g., in the case of emergency treatment). The guidance also explains that, whilst some uses of personal data may be obvious to patients, for other uses additional steps may be needed to provide privacy information, such as the use of personal data for secondary purposes (e.g., medical research).
Takeaway: The ICO’s guidance provides practical and detailed explanations of its expectations regarding transparency for organizations involved in delivering health or social care services or handling health and social care data. The ICO emphasizes that complying with the transparency principle under the UK GDPR is not limited to providing the specific privacy information that is listed in the UK GDPR. According to the ICO, transparency, in particular in the health and social care sector, involves a more rounded approach that goes beyond publishing a privacy notice on an organization’s website. This will be context-specific but may include actions such as publishing policy documentation that is not specifically required to be provided under the UK GDPR.
White House/HHS publish HIPAA Privacy Rule to Support Reproductive Health Care Privacy
On April 22, 2024, the White House and United States Department of Health and Human Services (“HHS”) Office of Civil Rights announced the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “Rule”). The Rule bolsters the existing Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), prohibiting certain disclosures of individuals’ protected health information related to lawful reproductive health care.
According to HHS Secretary Xavier Becerra, the Rule protects individuals “seeking lawful reproductive health care regardless of whether the care is in their home state or if they must cross state lines to get it.” Under the Rule, the HHS Office of Civil Rights will administer and enforce protections that prohibit healthcare providers, health plans, healthcare clearinghouses, and their business associates from using or disclosing a patient’s protected health information to: (1) “conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided;” or (2) to identify “any person for the purpose of conducting such investigation or imposing such liability.”
Takeaway: The Rule is a reaction to rising concerns over the sharing of information concerning reproductive health care and the potentially chilling effect such exchanges may have on individuals’ healthcare decisions. As courts and government bodies at all levels continue to wrestle with the issue of reproductive health care, especially in a post-Dobbs world, companies processing health information should be hyper vigilant in complying with current laws and regulations and in monitoring potential legal and regulatory changes.
Dechert Tidbits
FTC Finalizes Probe of X-Mode
On April 12, 2024, the U.S. Federal Trade Commission (“FTC”) finalized an order with the data broker Outlogic (formerly X-Mode), addressing allegations that Outlogic sold raw location data in combination with users’ mobile ad identifiers that enabled recipients to track individuals’ visits to specific locations, such as medical and reproductive health clinics and places of worship. The FTC order prohibits the company from sharing or selling any sensitive location data and requires, among other things, that Outlogic (i) delete or destroy all the location data it previously collected and any products developed from this data and (ii) “implement procedures to ensure that recipients of its location data do not associate the data with locations that provide services to LGBTQ+ people, with locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual.” Please see our discussion of the FTC’s proposed order with Outlogic here.
House Passes Bill to Limit Personal Data Sales to Intelligence Agencies, Law Enforcement
The United States House of Representatives passed The Fourth Amendment is Not For Sale Act (“HR 4639”) last month, marking a victory for privacy advocates. HR 4639 would prohibit law enforcement and intelligence agencies from purchasing personal information about customers or subscribers of electronic and remote computing service providers (e.g., social media, cell phone, email, and cloud computing companies) without first obtaining a court order.
CFPB Focuses Attention on Data Brokers
In a speech at the White House, Consumer Financial Protection Bureau (“CFPB”) Director Rohit Chopra outlined the CFPB’s initiatives to rein in the activities of companies that buy and sell consumer data. Of note, the CFPB is considering whether to define a data broker as a “consumer reporting agency,” which would require data brokers to comply with the Fair Credit Reporting Act (“FCRA”). If adopted, these proposals would ban data brokers from sharing certain consumer data with entities unless the entities serve a particular, FCRA listed, purpose.
We are honored to have been recognized in The Legal 500 2023, Chambers USA 2023, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.
Recent News and Publications
- Tribunal Overturns UK ICO’s Enforcement Action Against Clearview AI (Dechert OnPoint published November 8, 2023)
- 5 Takeaways from ICO's Biometric Recognition Guidance (Published in Law360, October 18, 2023)
- Bridge Over Troubled Data Flows: UK-US Data Bridge Approved (Dechert OnPoint published September 22, 2023)
- US-EU Plan On AI Illustrates Differing Opinions On Regulation (Published in Law360, August 2, 2023)
- SEC Final Rule Exempts ABS Issuers from New Cybersecurity Disclosure and Reporting Requirements (Dechert OnPoint published August 16, 2023)
- SEC Finalizes Cybersecurity Disclosure Rules for Public Companies (Dechert OnPoint published August 7, 2023)
- Ready. Set. Flow: Green Light from the Commission for EU-U.S. Data Privacy Framework (Dechert OnPoint published July 11, 2023)
- EU General Court Examines Data Anonymisation and Pseudonymisation (Dechert OnPoint published May 25, 2023)
- SEC Proposes New Cybersecurity Risk Management Rule for Various Market Entities (Dechert OnPoint published May 10, 2023)
- Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions (Dechert OnPoint published April 26, 2023)
- BioDech | A Global Life Sciences Broadcast Series - What Every Life Sciences Company Needs to Know About Cybersecurity
- The group was named 2022 Law360 Practice Group of the Year.
- Winner of the International Association of Privacy Professionals (“IAPP”) Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world’s leading women’s health App on its “Anonymous Mode” feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 “Standout” by London’s Financial Times in a legal innovation award for the Americas in the category of “Innovation in Enabling Business Resilience.”
- Visit Dechert's California Consumer Privacy Act Resource Center
- Exploiting Public Health Data for R&D: UK Progresses Secure Data Environments (Dechert OnPoint published July 20, 2023)
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
- Your Company’s Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- English High Court Maintains Claimant’s Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert’s Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 edition of Germany’s daily newspaper Handelsblatt (in cooperation with Best Lawyers) as one of the best lawyers in Germany for Data Security and Privacy Law.
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket’s Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, “Congress Seizes On Incident Reports In Fighting Cyberattacks” (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
Content Editors
Dylan Balbirnie, Connor Bisset Flannery, Daniel Murdock, Anna Ziegler
Production Editors
Hilary Bonaccorsi and Madeleine White
Senior Editor
Vernon L. Francis
Dechert Cyber Bits Partner Committee
Brenda R. Sharton
Partner, Chair, Privacy & Cybersecurity
Boston
brenda.sharton@dechert.com
Timothy C. Blank
Senior Counsel
Boston
timothy.blank@dechert.com
Kevin F. Cahill
Partner
Los Angeles
kevin.cahill@dechert.com
Dr. Olaf Fasshauer
National Partner
Munich
olaf.fasshauer@dechert.com
Vernon L. Francis
Partner, Senior Editor
Philadelphia
vernon.francis@dechert.com
Paul Kavanagh
Partner
London
paul.kavanagh@dechert.com
Laura Rossi
Partner
Luxembourg
laura.rossi@dechert.com
Benjamin Sadun
Partner
Los Angeles
benjamin.sadun@dechert.com
"Dechert has assembled a truly global team of privacy and data security lawyers. The cross-practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis or a litigation."
"The privacy and security team collaborates seamlessly across the globe when advising clients."
- Quotes from The Legal 500, 2023
Dechert’s global Privacy & Cybersecurity practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500, and our partners are well-known thought leaders and sought-after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations, as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types, including nation-state intrusions, ransom/cyber extortion, vendor/supply chain compromises and DDoS attacks, brought by threat actors of all types, from nation-state actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution-oriented advice and counseling on cutting-edge data-driven products and services, including trend forecasting, personalized content and targeted advertising across sectors, under such key laws as the CCPA, CPRA and state consumer privacy laws; Section 5 of the FTC Act; the EU/UK GDPR; the e-Privacy Directive; and cross-border data transfer rules. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.