Dechert Cyber Bits  

President Biden Announces a Comprehensive Cybersecurity Strategy

On March 2, 2023, the Biden administration released its National Cybersecurity Strategy (“Strategy”), which seeks to encourage long-term investments in cybersecurity, while shifting the responsibility to defend cyberspace onto the organizations that are “most capable and best positioned” to reduce risks for all. To achieve these aims, the Strategy seeks to build and enhance collaboration around five pillars:

1. Defend Critical Infrastructure: The Strategy details the need for mandatory minimum cybersecurity requirements in critical sectors. The Strategy also notes that Federal networks and systems require updating and/or replacement.
2. Disrupt and Dismantle Threat Actors: The Strategy focuses on enhancing public-private sector collaboration, increasing the speed and scale of intelligence sharing and victim notification, and preventing the abuse of U.S. based infrastructure.
3. Shape Market Forces to Drive Security and Resilience: The Strategy aims to place responsibility on those in the digital ecosystem that are best positioned to reduce risk, such as “the owners and operators of the systems that hold our data and make our society function, as well as the technology providers that build and service these systems.” The strategy suggests that this end could be achieved, for example, through shifting liability for software products and services to promote secure development practices.
4. Invest in a Resilient Future: As part of the Strategy, the United States would use strategic investments and coordinate action to prioritize cybersecurity research and development and to make the digital ecosystem more resilient.
5. Forge International Partnership to Pursue Shared Goals: To encourage responsible state behavior in cyberspace, the Strategy calls for securing trustworthy global supply chains for information, communications, and technology products and services. The Strategy also hopes to increase the capacity of partners and to leverage international coalitions to make irresponsible behavior isolating and costly.

Takeaway: While the Strategy is broadly applicable to all businesses, software developers and those involved in critical infrastructure should take particular note: (1) the Administration may press for legislation that establishes liability for software makers that fail to take reasonable precautions to make their products and services secure; and (2) the Federal Government will use existing authorities to set necessary cybersecurity requirements in critical sectors. Such changes would significantly alter compliance obligations and attendant risks, especially in light of the government mindset noted above. Moreover, while undoubtedly well-intended, the Strategy continues a long government tradition of “blaming the victims” when it comes to cyber risk. Too often the response to victim companies for collaboration is a regulatory enforcement action, most often by those agencies with no ability or mandate to hunt down the criminals. The Strategy’s stated goal of “shifting responsibility to those best positioned to reduce risk” needs to be accompanied by an acknowledgement that government needs to provide the first line of defense to assist companies in this endless arms race against sophisticated threat actors, often themselves state sponsored.

House Committee Renews Push for National Privacy Bill

While states continue to propose and pass data privacy laws, members of Congress are once again considering federal data privacy legislation. The U.S. House Committee on Energy and Commerce (the “Committee”) recently held a hearing dedicated to privacy and propping up the proposed American Data Privacy and Protection Act (“ADPPA”). Last July, the Committee voted in favor of the ADPPA by a bipartisan vote of 53-2, but the legislation stalled before advancing to the House floor for a vote. As a result, the ADPPA will need to be reintroduced in the current Congressional session.

During a March 1, 2023 hearing, Congressional members and witnesses stressed the need for a national framework that would allow businesses to escape the burden of having to comply with a hodgepodge of state data privacy laws. The hearings also indicated that there will be no substitute or competing framework proposed in Congress at this time.

Even with this renewed activity, the ADPPA continues to face opposition, particularly from California lawmakers, due to preemption provisions that set a ceiling for privacy standards. For example, on February 28, 2023, California Governor Gavin Newsom, California Attorney General Rob Bonta, and the California Privacy Protection Agency sent a joint letter to Congress opposing preemption language in the ADPPA, which they argue could undermine California’s stringent privacy protections.

Takeaway: Although members of Congress appear to recognize the need for a federal privacy framework, continued opposition to the current proposed bill means that Congress’ ability to deliver on comprehensive data privacy legislation in the near future remains unclear. Businesses should continue their efforts to comply with the growing number of state data privacy laws. Those of us working in this area since the 1990s have been waiting that long for a federal privacy law. It looks like the wait will continue.

EDPB: Adoption of Three New Guidelines to Formalize Data Protection Provisions

On February 14, 2023, the European Data Protection Board (“EDPB”) published three sets of adopted Guidelines. The new guidelines seek to update and clarify previous versions following public consultation and to promote a common understanding of EU data protection laws. A summary is set out below.

1. The Guidelines on the Interplay between the application of Article 3 (territorial scope) and the provisions on international transfers as per Chapter V of the GDPR

The General Data Protection Regulation (“GDPR”) does not contain a definition for what constitutes a “transfer” of personal data to a third country (a non-EU or EEA country that has adopted a national law implementing the GDPR) or international organization. In these Guidelines, the EDPB identifies three criteria that must be met for a processing operation to be classified as a “transfer” within the meaning of the GDPR:

I. a controller or processor (“exporter”) is subject to the GDPR for the given processing;

II. the exporter makes personal data subject to this processing, available to another controller or processor (“importer”); and

III. the importer is in a third country, irrespective of whether or not the given processing falls within the territorial scope of the GDPR, or is an international organization.

If these criteria are met, the transfer must comply with Chapter V of the GDPR, which aims to ensure the continued protection of personal data after the transfer and provides that a data transfer can only take place under certain conditions, e.g. in the context of an adequacy decision from the European Commission or by providing appropriate safeguards. It is important to note that even if these criteria are not met, and Chapter V does not apply, the controller must still ensure compliance with the other provisions of the GDPR.

The Guidelines provide further practical guidance by way of various examples of data flows to third countries.

2. Guidelines on deceptive design patterns in social media platform interfaces: how to recognize and avoid them

These are designed to help social media providers comply with the requirements of the GDPR and avoid "deceptive design patterns," (i.e. interfaces and user journeys implemented on social medial platforms that encourage users to make unintended or harmful decisions about the processing of their personal data). These include: overloading users with requests and options; skipping over data protection aspects; stirring emotions to influence choices; obstructing the process of becoming informed about or managing their data; fickle design that confuses users as to the purpose of the processing; and leaving users in the dark about how their data is processed and related rights. The Guidelines give concrete examples of deceptive design pattern types, provide best practice recommendations for designing user interfaces that facilitate the effective implementation of the GDPR and contain a checklist of deceptive design pattern categories.

3. Guidelines on certification as a tool for transfers

These provide guidance on the application of Article 46(2)(f) of the GDPR, which introduces certification as a new transfer mechanism for personal data to third countries or international organizations. They clarify that compliance with the general provisions of the GDPR must be ensured before using certification as a transfer tool. The Guidelines comprise four parts (and an annex) that cover the general requirements for certification, accreditation requirements, specific certification criteria, and binding and enforceable commitments for controllers or processors not subject to the GDPR.

Takeaway: With these updated Guidelines, the EDPB has provided what amount to three sets of best practices, all intended to promote the highest standards of data protection whilst making the applicable legislation clearer and more accessible. Although the Guidelines are as a formal matter not legally binding, regulators will almost certainly frown on failures to comply with them, absent a very good reason not to do so. Therefore, data controllers, and particularly those who engage in international data transfers, should ensure familiarity and compliance with these Guidelines.

The FTC Warns Companies to Keep AI Claims in Check

On February 27, 2023, Michael Atleson, Attorney for the Federal Trade Commission’s (“FTC”) Division on Advertising Practices, published a blog post warning about the use of what he referred to as artificial intelligence (“AI”) “hype” in advertising and marketing. The blog post refers to AI as a “hot” marketing term that “some advertisers won’t be able to stop themselves from overusing and abusing.”

Specifically, the FTC is concerned that some companies may be overpromising in terms of what their AI products or services can deliver, thereby misleading consumers and harming competition. Consequently, the FTC advises companies to ensure that their claims are supported by evidence and that they do not misrepresent the capabilities of their AI-powered products or services. The FTC blog post also emphasizes the importance of transparency in AI-powered systems; companies should be clear about how their AI works, what data it uses, and how it makes decisions. This is particularly important, in the FTC’s view, where AI is used to make decisions that could affect individuals.

The FTC blog post also reminds readers of the potential risks associated with the use of AI, referencing a blog post from April 2021 that focused on data bias, racial algorithms, and the proper use of machine learning.

The FTC recommends addressing the following questions when marketing an AI-related product:

• Are you exaggerating what your AI product can do?
• Are you promising that your AI product does something better than a non-AI product?
• Are you aware of the risks?
• Does the product actually use AI at all?

Takeaway: The warning at the end of this FTC post that “[y]ou don’t need a machine to predict what the FTC might do when [AI] claims are unsupported” should encourage companies to heed the FTC’s recommendations. The warning provides a crystal ball into the cases that we are likely to see in FTC enforcement press releases in the near future. While much of the focus to date has been on the potentially biased or discriminatory impact of AI, it is clear that the FTC takes equally seriously inflated and unsupported claims about products using AI. Companies should focus on the questions set out above to ensure that any AI claims in their marketing materials are not misleading and are accurate.