Global Privacy & Cybersecurity Update Vol. 15

Global Privacy & Cybersecurity Update Vol. 15

Read the Global Privacy & Cybersecurity Update.


The development and use of artificial intelligence, blockchain, the Internet of Things, and other disruptive technologies elevate the importance of data as a critical business asset. As a result, companies must be able to quickly identify and address the legal constraints and challenges involved in processing data, both from contractual and regulatory perspectives.

Olivier Haas is based in Paris and leads Jones Day's Cybersecurity, Privacy & Data Protection Practice in France. Leveraging his strong scientific background, Olivier has more than 15 years of experience in advising all businesses—from start-ups to major international corporate conglomerates—on the legal aspects of technology and data-related projects and transactions.

Olivier advises on IT, cloud computing agreements, and web-related projects, as well as on data governance strategies and cybersecurity issues. He handles data protection issues, including those arising from the implementation of international data processing systems, compliance with the EU's General Data Protection Regulation, and other multijurisdictional projects. He also regularly assists with negotiating IT and business process outsourcing agreements, and the migration of IT and data to cloud-based environments.


Regulatory—Policy, Best Practices, and Standards

FTC Comments on Improvements to IoT Device Security

On June 19, the Federal Trade Commission ("FTC") submitted comments to a working group organized by the Department of Commerce's National Telecommunications and Information Administration regarding draft guidance on "key elements" to consider when informing consumers about security updates with Internet of Things ("IoT") devices. According to the FTC, such "key elements include whether the device can receive security updates, how it will receive them, and when support for the device would end." The guidance is part of a multi-stakeholder effort to enhance security updates and patchability of IoT devices.

DOJ Issues Framework for Vulnerability Disclosure Programs

In July, the U.S. Department of Justice ("DOJ") Criminal Division's Cybersecurity Unit released a framework to help public and private-sector organizations comply with the Computer Fraud and Abuse Act. The framework aims to assist organizations with instituting formal vulnerability disclosure programs to help detect security issues that could lead to the compromise of sensitive data and the disruption of services.

NICE Issues Cybersecurity Workforce Framework

On August 7, the National Initiative for Cybersecurity Education ("NICE") released Special Publication 800-181, the NICE Cybersecurity Workforce Framework. The publication is intended to serve as a standard reference to "provide organizations with a common, consistent lexicon that categorizes and describes cybersecurity work by Category, Specialty Area, and Work Role." Organizations or industries "can use the publication to develop additional publications or tools that meet their needs to define or provide guidance on different aspects of workforce development, planning, training, and education."

NIST Contemplates New Safeguards for Information Systems and IoT

On August 15, the National Institute of Standards and Technology ("NIST") issued a new draft fifth revision of its Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. According to a senior NIST policy adviser, the revised draft "covers the overlap in security and privacy for systems, as well as the ways in which they are distinct [and] also enhances the ability for both professional teams to collaborate yet still maintain their respective authorities." The draft was "[d]eveloped by a joint task force of representatives from the civil, defense and intelligence communities" and "represents an ongoing effort to produce a unified information security framework for the federal government."

Regulatory—Consumer and Retail

FTC Provides Additional Insights on Reasonable Data Security Practices

On July 21, the FTC began publishing a series of blog posts using hypothetical examples to inform businesses on reasonable best practices to protect and secure consumer data. The examples are based on closed investigations, FTC law enforcement actions, and questions from businesses. The blog posts follow the FTC Acting Chairman's pledge to provide more information to businesses about practices that contribute to reasonable data security.

FTC Hosts Cybersecurity Roundtables with Small Businesses

On July 25, the FTC hosted its first in a series of roundtables with small business owners. The program, titled "Engage, Connect, and Protect Initiative: Small Business and Data Security Roundtable," discussed pressing challenges small businesses face in protecting the security of computers and networks.

FTC Approves Modifications to Children's Privacy Compliance Oversight Program Proposal

On July 27, the FTC approved changes to a private compliance and data security company's self-regulatory guidelines regarding children's privacy. The adopted changes require that companies in the program annually assess whether third parties collect personal information from children.

Regulatory—Defense and National Security

Sixth Annual Cyber Guard Exercise Simulates Destructive Cyberattacks against Critical Infrastructure

On July 5, Cybercom, the Department of Homeland Security, and the FBI co-led the sixth annual Cyber Guard training exercise. The exercise involved more than 700 cyber operators who rehearsed a whole-of-nation response to destructive cyberattacks against U.S. critical infrastructure.

Regulatory—Financial Services

Colorado Adopts New Cybersecurity Rules for Broker-Dealers and Investment Advisors

On June 19, the Colorado Division of Securities adopted new cybersecurity rules applicable to broker-dealers purchasing securities in Colorado and investment advisers who do business in the state. The rules establish general guidelines for reasonable cybersecurity practices and mandate a number of specific practices, including the establishment and maintenance of written procedures reasonably designed to ensure cybersecurity. The rules became effective on July 15.

SEC Acting Director Addresses Role of Big Data, Machine Learning, and Artificial Intelligence

On June 21, the Securities and Exchange Commission ("SEC") Acting Director and Chief Economist gave a keynote address titled "The Role of Big Data, Machine Learning, and AI in Assessing Risks: A Regulatory Perspective" at the Annual Operational Risk North America Conference. The director discussed the role of artificial intelligence in assessing risk and the spin-off field of "Regtech" to make compliance and regulatory-related activities easier, faster, and more efficient.

SEC Chairman Testifies on Planned Cybersecurity Initiatives

On June 27, the SEC Chairman testified to the Senate Subcommittee on Financial Services and General Government regarding the Commission's 2018 Budget Request, observing that the SEC's Office of Compliance Inspections and Examinations ("OCIE") planned to increase its examinations to ensure that cybersecurity infrastructure is "secure and resilient."

SEC OCIE Issues Risk Alert with Observations from Cybersecurity Examinations

On August 7, OCIE staff released a risk alert containing the staff's observations from its Cybersecurity 2 Initiative, an examination of 75 investment advisers, broker dealers, and investment companies to assess industry practices and legal and compliance issues related to cybersecurity preparedness. While the staff noted a general increase in preparedness among the firms it examined, it also observed a number of issues that firms should consider in order to improve their cybersecurity policies and procedures.

Regulatory—Health Care/HIPAA

Malware Attack of Medical Equipment Provider Targets 550,000 Patients

On June 26, a medical equipment company revealed that it suffered a breach of its network server, affecting patient health information of approximately 550,000 current and past customers, as well as 1,160 current and past employees of the company and its affiliates.

Task Force Issues Six Recommendations for Health Care Cybersecurity

In June, the Health Care Industry Cybersecurity Task Force published its "Report on Improving Cybersecurity in the Health Care Industry." The report noted the condition of health care cybersecurity and outlined six key recommendations: (i) define and streamline leadership, governance, and expectations; (ii) increase security and resilience of medical devices and health IT; (iii) develop workforce capacity to prioritize cybersecurity; (iv) improve awareness and education; (v) identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure; and (vi) improve information-sharing of industry threats, risks, and mitigations.

FDA Issues Draft Guidance on Electronic Privacy, Security, and Reliability Criteria for Clinical Trial Records

In June, the Food and Drug Administration ("FDA") published draft guidance on electronic privacy requirements for clinical trial records. The guidance details: (i) "Procedures that may be followed to help ensure that electronic records and electronic signatures meet FDA requirements and that the records and signatures are considered trustworthy, reliable, and generally equivalent to paper records and handwritten signatures executed on paper"; and (ii) "the use of a risk-based approach when deciding to validate electronic systems, implement audit trails for electronic records, and archive records…." For more information, see the Jones Day Alert.

HHS Launches Improved Online Reporting Tool

On July 25, the U.S. Department of Health and Human Services ("HHS") Office for Civil Rights ("OCR") unveiled a revised web tool that identifies recent breaches of health information and educates the industry on the occurrence, investigation, and resolution of breaches. OCR noted that the revised HIPAA Breach Reporting Tool, originally released in 2009, features enhanced functionality that highlights breaches currently under investigation, a new archive that includes the resolution of previous breaches, improved navigation, and consumer tips.

Litigation, Judicial Rulings, and Agency Enforcement Actions

FTC Settles with Loan Application Company for Unlawfully Selling Consumer Data On July 5, the FTC settled with a lead generation business for unlawfully selling consumer loan application data to "a variety of entities without regard for how the information would be used or whether it would remain secure." According to the FTC's press release, the company "promised to protect and secure the sensitive information consumers provided," but "sensitive personal and financial information was shared and sold indiscriminately without consumers' knowledge or consent." The settlement, which includes a judgment for $104 million, is suspended based on defendants' inability to pay.

Ninth Circuit Backs Gag Orders on FBI Data Requests

On July 17, the Ninth Circuit overruled a constitutional challenge to the FBI's use of national security letters ("NSLs") that bar service providers from telling users about government requests for their data, ruling that the disclosure restrictions do not violate the First Amendment. The Ninth Circuit concluded that the nondisclosure agreement contained within NSLs is a content-based restriction on speech that is both subject to and withstands strict scrutiny and therefore did not violate the Constitution.

Treasury Department Fines E-Currency Exchange $110 Million for Money Laundering

On July 27, the Department of the Treasury's Financial Crimes Enforcement Network fined one of the world's largest digital currency exchanges $110 million and charged both the exchange and one of its operators with handling payments related to criminal activity, including the recent hack against a Bitcoin exchange.

Circuit Courts Interpret Standing Post Spokeo

On August 1, a Seventh Circuit panel declined to revive Fair Credit Reporting Act ("FCRA") lawsuits against a large cable television company and student loan provider, finding that the plaintiff had not demonstrated that he suffered injury to establish standing under the U.S. Supreme Court's Spokeo decision.

  • On August 1, the D.C. Circuit revived a putative class action brought by policyholders against a large insurance company over a 2014 data breach, finding that the alleged heightened risk of identity theft and medical fraud was enough to establish standing under the U.S. Supreme Court's landmark Spokeo decision.
  • On August 15, the Ninth Circuit, on remand from the U.S. Supreme Court, ruled that the plaintiff claimed a sufficiently concrete injury against Spokeo to meet the Article III standing requirements established by the Supreme Court. The Ninth Circuit held that the plaintiff met the standing bar by alleging an intangible statutory injury without any additional harm because Congress had crafted the FCRA provisions at issue to protect consumers' concrete interests in accurate credit reporting about themselves.

Advertising Company Reaches $31 Million Settlement with Car-Listing Service

On August 3, a large classified advertising company filed a stipulated judgment of $31 million to settle and release claims against a used-car listing service that scraped contact information and other content from the advertising giant's website. According to the agreement, the listing service copied content from the advertising company's website, including users' contact information and pictures, and sent emails to the users seeking more information, which it then used to create unauthorized advertisements on its own website.

33 State Attorneys General Settle Data Breach with Major Insurance Company

On August 9, a coalition of 33 state Attorneys General announced a $5.5 million settlement with a major national insurance company and a subsidiary for a 2012 data breach that resulted in the loss of personal information belonging to more than 1.2 million Americans. The data breach was allegedly caused by the failure to apply a critical security patch, and lost data included Social Security numbers, driver's license numbers, credit scoring information, and other personal data.

FTC Settles Charges with Tax Preparation Service for GLBA Violations

On August 29, the FTC announced a settlement with a tax preparation service for violations of the Safeguards Rule and Privacy Rule under the Gramm-Leach-Bliley Act ("GLBA"). The FTC alleged that hackers were able to gain full access to nearly 9,000 accounts and subsequently used that information to engage in tax identity theft. The FTC cited deficient security practices, which included a failure to "conduct a risk assessment to identify reasonably foreseeable internal and external risks to security," and a failure to "implement adequate risk-based authentication measures that would have helped reduce the chances of an attack from hackers who had used stolen credentials." As part of the settlement, the tax preparation service must obtain biennial third-party assessments of its GLBA compliance.

FTC and State Attorneys General Settle with Computer Manufacturer for Security Vulnerabilities on Laptops

On September 5, the FTC and 32 state Attorneys General agreed to settle charges that a major computer manufacturer "harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver ads to consumers." In its press release, the FTC detailed how pre-loaded software created vulnerabilities that enabled potential hackers to access consumer information and communications. As part of the settlement, the company is prohibited from misrepresenting features about the software on its devices and must implement a 20-year comprehensive software security program subject to third-party audits.


House Passes DHS Reauthorization Bill with New Cybersecurity Provisions

On July 20, the House of Representatives passed the Department of Homeland Security Reauthorization Act, which contains new cybersecurity directives and Department functions that were absent from the original 2002 legislation. The bill, which awaits consideration in the Senate Committee on Homeland Security and Governmental Affairs, reorganizes the department's cybersecurity policy office, promotes information-sharing, and requires the department to implement a cybersecurity risk model for the airline industry.

House Passes SELF DRIVE Act

On September 6, the House of Representatives unanimously approved the Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution ("SELF DRIVE") Act. The bill is the first piece of federal legislation that aims to regulate the manufacture, testing, and use of autonomous, or self-driving, cars in the United States. For more information, see the Jones Day Alert.


New Mexico Data Breach Notification Law Takes Effect; Virginia and Delaware Amend Laws

On June 16, New Mexico's data breach notification law became effective, leaving Alabama and South Dakota as the only states without such laws. The law governs data breach notification requirements for entities storing and using personal identifying information about New Mexico residents and also establishes requirements for securing and disposing of that information. The bill generally requires notification to affected consumers in the event of a breach within 45 days of discovery of the breach.

Virginia and Delaware Amend Laws

Virginia amended its data breach notification law effective July 1, adding a requirement that employers or payroll service providers give notice to the Attorney General's office if payroll information is compromised. Delaware likewise amended its data breach notification law. Among other requirements, the law expands the definition of "personal information" to include medical history, health insurance policy numbers, and unique biometric data. It also requires, subject to certain exceptions, that the data collector notify the Delaware Attorney General if the affected number of residents exceeds 500 and that notice be made no later than 60 days after the data breach. Finally, if the data breach included a Social Security number, the data collector must offer, at no cost to the Delaware resident, credit monitoring services for a period of one year. The amendment becomes effective on April 14, 2018.

New Jersey Adopts Law to Limit Retailers' Use of Identification Data

On July 21, New Jersey Governor Chris Christie signed a bill to restrict how retailers collect and use consumers' personal information stored on identity cards. The law will limit the purposes for which retailers may scan identification cards to verifying identity for credit card purchases or for other credit approval purposes, verifying age for age-restricted goods, carrying out contracts, preventing fraud, or as required by law. Retail stores may collect only a person's name, address, and date of birth; the state that issued the ID card; and the ID card number. The law goes into effect on October 1.


Canadian and Chinese Governments Agree to Refrain From State-Sponsored Hacking

On June 22, the Canadian Prime Minister's Office issuedJoint Communique summarizing the second meeting of the Canada-China High-Level National Security and Rule of Law Dialogue. During the discussion, the two countries reached an agreement that neither "would conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors."

Ministers and Attorneys General Issue Joint Communique Recognizing Cooperation to Address Cyber Threats

On June 27, the Interior Ministers, Immigration Ministers, and Attorneys General of Australia, Canada, New Zealand, the United Kingdom, and the United States met in Ottawa to discuss national security challenges facing their nations. In a subsequent Joint Communique, the Ministers and Attorneys General noted "the robust cooperation underway between our five countries on cyber issues" and the countries' "collective efforts to study and assess key emerging issues and trends in cyber security to prevent, detect and respond to cyber threats."

Information Technology Association of Canada Releases Cybersecurity Recommendations for 2018 Canada Budget

On August 4, the Information Technology Association of Canada released a submission outlining 24 recommendations across nine areas for the federal government's 2018 budget. The submission listed cybersecurity as one of nine areas of focus and made a number of recommendations, including that the government "[a]ppoint an externally focused Chief Information Security Officer for Canada" to act as a liaison between the government, businesses, and the public, and "centralize cyber security leadership within the federal government and provide Shared Services Canada with the necessary investments to protect the Government of Canada's cyber perimeter and critical infrastructure."

The following Jones Day lawyers contributed to this section: Jeremy Close, Jeff Connell, Steve Erkel, Tyler Harris, Jay Johnson, Tyson Lies, Dan McLoon, Mary Alexander Myers, Kara O'Connell, Mauricio Paez, Nicole Perry, Alexa Sendukas, Anand Varadarajan, and Jenna Vilkin.



MCTIC Launches "Internet of Things" Consultation

On June 6, the Ministry of Science, Technology, Innovation and Communications (Ministério da Ciência, Tecnologia, Inovações e Comunicações) ("MCTIC") launched a new consultation (source document in Portuguese) to sponsor the "National Internet of Things Plan" developed by the federal government. The contributions will be used to draw up a map of companies and scientific and technological institutions that offer IoT technologies, products, services, and solutions in Brazil.

MCTIC Issues Public Consultation on Strategy for Digital Transformation

On August 1, MCTIC launched a public consultation (source document in Portuguese) regarding the Brazilian Strategy for Digital Transformation, which includes guidelines and targets for the digitization of the Brazilian economy in the coming years. The proposal was drafted by an Interministerial Working Group coordinated by MCTIC, and it will be open to public comment for 30 days. The final version will be sent as a draft decree to the Presidency of the Republic.


Colombian Data Protection Authority's Total Fines Exceed US$1 Million

On June 8, the Colombian Industry and Commerce Superintendence (Superintendencia de Industria y Comercio) ("SIC") issued a notice (source document in Spanish) that since 2010, SIC has imposed a total of 619 fines exceeding US$1 million. The most frequent breaches, which represent most of the sanctions imposed by SIC, consist of breaches of the habeas data provided in Law 1266 of 2008. To address such violations, SIC has issued 1,094 orders to correct, update, and delete personal data contained in corporate databases.

SIC Launches Public Consultation on Draft Regulation for Cross-Border Data Transfers

On July 18, SIC launched a consultation on a draft regulation (source document in Spanish) regarding cross-border data transfers. The draft regulation establishes the criteria SIC would use to determine if a third country provides an adequate level of data protection. The data regulation also provides an updated list of countries granted adequacy status for purposes of cross-border transfers. The criteria discussed include the existence of rules for lawful data processing, the recognition of data subjects' rights and obligations for data controllers and data processors, and the presence of a supervisory authority.


Ibero-American Data Protection Network Approves New Standards for Personal Data Protection

During the 15th Annual Ibero-American Data Protection Conference held on June 20-22, the Ibero-American Data Protection Network issued the Standards for Personal Data Protection for Ibero-American States. The standards establish a common framework of data protection principles and rights for the different national legislations throughout the Ibero-American region.


Mexican Government Issues Working Document on National Cybersecurity Strategy

On July 12, the Mexican government issued (source document in Spanish) a working document for National Cybersecurity Strategy. The document sets forth guidelines for individuals, companies, and public entities on how to use information and communication technologies in a secure manner that promotes the economic, political, and social development of Mexico. The Strategy has four strategic pillars: economy, society, government, and national security. The Strategy is also informed by eight cross-cutting principles: legal framework; development capacity; coordination and collaboration; research and development; technical standards and criteria; measurement and assessment; awareness, culture, and prevention; and critical information protective infrastructure. Following the Strategy guidelines will be mandatory for the executive branch of the federal government, while other public and private-sector entities may adopt it in a voluntary and cooperative manner.

INAI Issues Security Recommendations for Social Media Users

On July 28, the National Institute for Transparency, Access to Information, and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) ("INAI") issued recommendations (source document in Spanish) to avoid risks when using personal data in social media. Given the prevalence of social media use, INAI suggests that social media users avoid contact with unknown users, adequately log out when accessing accounts from a cybercafé or a public computer, create safe passwords that contain diverse elements, select an adequate privacy and security configuration for social media accounts, refrain from conducting business transactions through social media, disclose personal information in social media only in a controlled and responsible manner, and create awareness among family members and friends of the importance of responsibly using social media.

INAI Issues Recommendations for Biometric Identification Systems in Mobile Banking

On July 30, INAI issued recommendations (source document in Spanish) to avoid risks when using biometric identification systems with financial institutions. These guidelines advise users to be informed about the risks related to the processing of biometric data in order to make adequate decisions, be aware of the privacy policy and/or notice of mobile banking apps, download mobile banking apps only from authorized markets, authorize the use of biometric data only when necessary, provide as little biometric data as possible, and use biometric authentication services as a secondary method to complement other security methods.


Ministry of Justice and Human Rights Signs Personal Data Protection Commitment

On July 8, the Ministry of Justice and Human Rights (Ministerio de Justicia y Derechos Humanos), through the Directorate General of Personal Data Protection and along with 11 representatives of taxi and transport services companies that provide services via virtual applications, enacted a resolution (source document in Spanish) concerning the protection of users' personal data. This resolution, or "commitment," followed several claims that taxi drivers were using clients' personal data to sexually harass them. According to the resolution, companies will train taxi drivers in order to avoid sexual harassment, work on the implementation of clauses regarding data protection in their contracts, and strengthen measures that protect the confidentiality of users.

The following Jones Day lawyers contributed to this section: Guillermo Larrea, Daniel D'Agostini, and Mónica Peña Islas.


European Union

EU and U.S. Establish Arbitration Mechanism under Privacy Shield

On June 14, the European Commission and the U.S. Department of Commerce ("DoC") agreed to an arbitration mechanism that Europeans whose personal data has been transferred to certified U.S. companies may invoke if they believe their data protection rights under the Privacy Shield have been infringed. For the mechanism to become fully operational, the Commission and the DoC must agree on a list of arbitrators.

EDPS Releases Opinion on Proposal for Single Digital Gateway Regulation

On August 1, the European Data Protection Supervisor ("EDPS") released an Opinion on the proposal for a regulation establishing a single digital gateway under the "once-only" principle. The "once-only" principle is "aimed at ensuring that citizens and businesses are requested to supply the same information only once to a public administration, which can then re-use the information they already have." The proposal seeks to create a technical system for specified cross-border procedures. Among the critiques offered in the opinion, EDPS suggests "clarifying that the Proposal does not provide a legal basis for using the technical system for exchanging information for purposes other than those provided for in the four directives listed or otherwise foreseen under applicable EU or national law, and that the Proposal does not aim to provide a restriction on the principle of purpose limitation under the GDPR [General Data Protection Regulation]."

Article 29 Working Party

Article 29 WP Releases Opinion on Data Processing at Work

On June 8, the Article 29 Working Party ("WP") adopted an Opinion on data processing in the workplace. The Opinion assesses how to balance employers' interests in data monitoring with their privacy expectations by outlining risks posed by new technologies. In addition to discussing the EU Data Protection Directive, the Opinion also examines the additional obligations placed on employers by the GDPR.

Article 29 WP Issues Guidance on International Transfers under GDPR

On June 13, the Article 29 WP addressed a letter to the European Securities and Markets Authority ("ESMA"). The letter provides guidance and recommendations to ESMA and European national financial supervisory authorities on how to frame international transfers of personal data under Article 46 of the GDPR and how to draft legal instruments for data transfers to countries that have not been recognized by the European Commission as offering adequate data protection.

Article 29 WP Publishes Letter on EU-U.S. Privacy Shield Annual Joint Review

On June 15, the Article 29 WP issued a letter to the European Commission in preparation for the annual Joint Review on the Privacy Shield. In the letter, the Article 29 WP discussed questions and recommendations that it will raise during the review relating to law enforcement and national security access.

European Network and Information Security Agency

ENISA Publishes 2016 Annual Incident Report

On June 16, the European Network and Information Security Agency ("ENISA") published its annual report on significant outage incidents in the European electronic communications sector. The incidents are reported by the national regulatory authorities of the EU Member States to ENISA and the European Commission under Article 13 (a) of the 2009/140/EC Framework Directive. The major findings within the report include: (i) mobile internet was the most affected service; (ii) malware caused the longest lasting incidents; and (iii) system failures affected on average more user connections per incident.

ENISA Publishes Security Guidelines on Website Authentication Mechanisms

On June 27, ENISA released a series of documents to assist parties using qualified electronic signatures, seals, time stamps, eDelivery, and website authentication certificates, as defined by Regulation 910/2014 on electronic identification and trust services for electronic transactions. The series explores possible applications and advises on how to use these web authentication services correctly as more financial transactions occur in the online marketplace.

ENISA Publishes Cyber Europe 2016: After Action Report

On June 30, ENISA released the Cyber Europe 2016: After Action Report on its fourth pan-European cyber crisis exercise. The exercise simulated a realistic crisis build-up over a time period of six months, and participants had to "follow existing business processes, agreements, communication protocols and regulations to mitigate effectively the situations presented to them."


Privacy Commission Releases Recommendation on Internal Records of Processing Activities

On June 14, the Privacy Commission released a Recommendation (source documents in French and in Dutch) providing guidance on the GDPR requirement to maintain records of data processing activities. Among other topics, the Recommendation covers the responsibility of maintaining internal records for both data controllers and data processors, the purpose of the requirement, the content of records of activities, and recipients of such internal records.


French Supreme Administrative Court Rules in Favor of Transfer to Heirs of Data Subject Status

On June 7, the Conseil d'Etat (French supreme administrative court) overturned a decision (source document in French) of the French Data Protection Authority (Commission Nationale Informatique et Libertés, or "CNIL"), which ruled that the personal data pertaining to a car accident victim could not be transferred to the victim's heirs. During the legal proceedings to obtain damages as a result of the accident, the heirs were denied access to the victim's personal data from the victim's insurance company, and CNIL subsequently rejected the heirs' complaint. On appeal, the Conseil d'Etat ruled that the right to request damages and access information as a data subject had been properly transferred to the heirs, provided that such access was limited to the information necessary to obtain damages within the frame of the proceedings.

CNIL Warns that Anti-Terrorist Bill Requires Enhanced Security Measures

On July 6, CNIL held a plenary meeting to discuss the anti-terrorist bill, concluding that the bill provides extended personal data processing that requires the involvement of CNIL in the draft bill process. CNIL noted the bill's intrusive personal data processing measures and the need for enhanced warranties. The CNIL also cautioned that the Passenger Name Record, as set by the bill, had a broader scope than Directive 2016/681 and that the bill provided spot controls but did not provide ex post control by CNIL (source documents in French).

Information Systems National Agency Releases "Agile" Guidelines

On July 26, the Information System National Agency and the Digital and Information system Interdepartmental Directorate released the "Agile" guidelines (source document in French), which aim to provide guidance and elaborate on information system security.


Federal Commissioner Publishes Guidance on Automated and Connected Driving

On June 1, the German Federal Commissioner for Data Protection and Freedom of Information published recommendations (source document in German) on automated and connected driving for users to maintain informational self-determination. Several of the Commissioner's recommendations discuss the principle of data minimization and limiting data processing activities to the extent necessary for the operability of the service.

DPA Issues Questionnaire for GDPR Implementation

On July 5, the Bavarian Data Protection Authority ("DPA") published its Questionnaire for GDPR Implementation in English. The questionnaire contains basic questions to ensure that a company complies with the requirements set out by the GDPR.

Germany Warns of Cyber Espionage Threats from State Actors

On July 21, BitKom (Germany's digital industry association) released a report (source document in German) titled "Business Protection in the Digital World," which details how 53 percent of German companies have been victims of economic espionage, and how more than €55 billion is lost each year due to espionage or sabotage within the German markets. The German domestic intelligence and security service warned in its annual Report on the Protection of the Constitution that state actors are key players in cyber espionage targeting Germany. In addition, both reports note that less than one third of companies turn to the government for assistance when dealing with an attack.


DPA Chairman States Six-Year Data Retention is Excessive

On July 25, the DPA Chairman Antonello Soro testified before the National Security Committee on the recent amendment (source document in Italian) introducing a six-year data retention period for telephone traffic data of Italian users. The Chairman stated that the data retention period is excessive and introduces data processing patterns that infringe existing law and regulations at the EU level.

The Netherlands

Transport Company Corrects Privacy Violations

On July 11, the Dutch Data Protection Authority ("DDPA") announced (source document in Dutch) that Nippon Express, a major transport company, ended the unlawful processing of its drivers' national identification numbers. According to the DDPA, the company checked the identity documents of its drivers using scanning equipment and services from an external service provider but did not take sufficient measures to ensure that identity fraud would not be committed with the scanned IDs. In addition, the DDPA stated that the company retained the scans for longer than necessary, given the purpose for which the scans were collected.


Spanish Government Publishes Preliminary Draft of Organic Law on Protection of Personal Data

In June 2017, the Spanish government published a preliminary draft of the Organic Law's 78 Articles on the Protection of Personal Data, which would repeal the Spanish Data Protection Law originally passed in 1999. The new data protection regulation adapts Spanish legislation to the changes introduced by the GDPR and clarifies the legislative provisions. The draft will be subject to hearings and a public information process before the regulation is formally approved and becomes effective.

Spanish DPA and ENAC Present Data Protection Officer Certificate

On July 13, the Spanish Data Protection Agency ("SDPA"), in collaboration with the National Entity of Accreditation ("ENAC"), presented the Data Protection Officer Certificate (source document in Spanish). The SDPA became the first European Data Protection Authority to implement a framework to appoint a Data Protection Officer and a Data Protection Officer Certificate. Although certification is not required to become a Data Protection Officer, the process will benchmark the standards and qualifications of Data Protection Officer candidates.

Spanish DPA Rewards Public and Private GDPR Compliance Initiatives

On August 7, the Spanish DPA published the criteria (source document in Spanish) used in the consideration of a candidate for the 2017 Personal Data Protection Awards. The awards recognize good practices carried out by private and public organizations, in addition to promoting knowledge of the new regulations taking effect on May 25, 2018.

United Kingdom

UK Announces New Data Protection Law

On August 7, the UK government released a statement of intent to update data protection laws through a new Data Protection Bill. The bill will make it simpler to withdraw consent for the use of personal data, provide a right to require that personal data be erased, make it easier for individuals to require an organization to disclose the personal data it holds, and move personal data between service providers. In addition, the bill will create new criminal penalties to deter organizations from intentionally or recklessly creating situations where individuals could be identified from anonymized data.

The following Jones Day lawyers contributed to this section: Paloma Bru, Laurent De Muyter, Undine von Diemar, Marina Foncuberta, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Matthijs Lagas, Jonathon Little, Martin Lotz, Hatziri Minaudier, Giuseppe Mezzapesa, Selma Olthof, Audrey Paquet, Elizabeth Robertson, and Rhys Thomas.


Hong Kong

PCPD Investigates Personal Data Loss of Electors

On June 12, the Privacy Commissioner for Personal Data ("PCPD") released an investigation report on two lost laptops containing the personal information of electors. The report concluded that the Registration and Electoral Office responsible for securing the devices violated the Data Security Principle of the Personal Data Ordinance because it "lacked the requisite awareness and vigilance expected of it in protecting personal data, rules of application and implementation of various guidelines were not clearly set out or followed, internal communication was less than effective, and [it] failed to take all reasonably practicable steps in consideration of the actual circumstances and needs to ensure that the Electors' personal data was protected from accidental loss." The PCPD issued an enforcement notice to the registration office to prevent future violations.

PCPD Comments on Person-to-Person Telemarketing Practices

On July 31, the PCPD submitted comments in response to the public consultation on "Strengthening the Regulation of Person-to-Person Telemarketing Calls." The comments outlined the advantages and disadvantages of each several approaches to improve the regulatory framework and recommended a fusion of multiple approaches, including a trade-specific self-regulatory regime and a do-not-call register.


PDPC Fines Retail Mall for Failing to Secure Data

On July 6, the Personal Data Protection Commission ("PDPC") imposed a S$15,000 fine on a retail mall for failing to adequately secure personal data that the mall was storing on its server. The inadequate security allowed a hacker to send phishing emails to more than 24,000 users who subscribed to the mall's rewards program. In addition to the fine, the company must implement a host of new security measures and conduct training for its staff.

PDPC Issues Public Consultation on Approaches to Managing Personal Data

On July 27, the PDPC began seeking public comments on managing personal data in the digital economy. Specifically, the consultation paper asks for the public's comment on "proposed Notification of Purpose and Legal or Business Purpose approaches as parallel bases for collecting, using and disclosing personal data, and the proposed mandatory data breach notification regime under the PDPA." The comment period closes on September 21.


Personal Information Protection Commission and European Commission Issue Joint Press Release on Mutual Data Transfer

On July 3, the Commissioner of the Personal Information Protection Commission of Japan and the European Commissioner for Justice and Consumers met in Brussels to discuss how to achieve "smooth and mutual data transfer." The joint statement states that the parties are targeting a "simultaneous finding of an adequate level of protection by both sides" by early 2018.

People's Republic of China

National Intelligence Law Takes Effect

On June 28, China's new national intelligence law took effect. The law discusses the functions, powers, and privileges Chinese national intelligence agencies are afforded in their activities, including the right to seek and collect information on foreign entities and individuals. The law also mandates that organizations and citizens provide assistance and cooperation with intelligence work. For more information on the legislation, see the Jones Day Alert.

China Issues Draft Guidelines on De-Identification of Personal Information

On August 15, the National Standardization Committee of China and the General Administration of Quality Supervision, Inspection and Quarantine of China jointly submitted the draft version of "Information Security Technology—Guidelines on De-Identification of Personal Information" for public comment. The draft provides voluntary guidance to data collectors and processors regarding the de-identification of personal information, such as how to choose appropriate models and technologies and how to use the relevant software, technologies, and tools. The draft guidelines are open for public comment until October 9.

The following Jones Day lawyers contributed to this section: Michiru Takahashi, Li-Jung Huang, and Richard Zeng.


Information Commissioner Issues New Privacy Code for Australian Government Entities

On May 18, the Office of the Australian Information Commissioner announced that a new APS Privacy Governance Code will apply to all Australian government agencies currently subject to the Australian Privacy Principles. The current draft of the APS Code requires government agencies to: (i) implement a privacy management plan; (ii) appoint a dedicated "Privacy Officer"; (iii) appoint a "Privacy Champion" to promote attention to data privacy issues; and (iv) undertake "Privacy Impact Assessments" for all high-risk projects or initiatives that involve personal information. The APS Code was developed after the Australian Community Attitudes to Privacy Survey 2017 revealed that only 58 percent of the Australians surveyed consider government departments to be trustworthy with respect to data protection. The APS Code will take effect July 1, 2018.

The following Jones Day lawyers contributed to this section: Adam Salter and Nicola Walker.


Handling a Cybersecurity Investigation: A Discussion with a Regulator, a Lawyer, and a Security Expert, The Society of Corporate Compliance & Ethics 16th Annual Compliance & Ethics Institute, Las Vegas, NV (Oct. 18). Jones Day Speaker: Jay Johnson

EU General Data Protection Regulation/Countdown to the GDPR—Top 10 Implementation Issues for Companies, Tokyo, Japan (Oct. 16). Jones Day Speakers: Undine von Diemar and Jörg Hladjk

Cybersecurity—A Key Data Governance Issue: From Personal Data to Critical Infrastructures, Paris, France (Oct. 10). Jones Day Speaker: Olivier Haas

Presentation on GDPR and related Brexit Impact, Association of Veterinary Consultants, Milan, Italy (Oct. 7). Jones Day Speaker: Giuseppe Mezzapesa

Industrial Security and Privacy—ICS/SCADA Threats, Laws, and Risk Mitigation, Privacy + Security, Washington, D.C. (Oct. 6). Jones Day Speaker: Jay Johnson

Security Visibility & Incident Response, CISO Executive Network, Houston Chapter Breakfast Roundtable 4 of 6, Houston, Texas (Sept. 21). Jones Day Speaker: Nicole Perry

Security Visibility & Incident Response, CISO Executive Network, Dallas Chapter Breakfast Roundtable 4 of 6, Dallas, Texas (Sept. 20). Jones Day Speaker: Jay Johnson

EU General Data Protection Regulation/Countdown to the GDPR—Top 10 Implementation Issues for Companies, Webinar (Sept. 14). Jones Day Speakers: Undine von Diemar and Jörg Hladjk

Investigating IP Crimes, Anti-Counterfeiting, and The Global Marketplace: How to Protect and Enforce IP While Expanding Trade, U.S. Patent & Trademark Office, Dallas, Texas (Aug. 29). Jones Day Speaker: Jay Johnson

Cybersecurity Regulation and Enforcement, 2017 Essential Cybersecurity Law, The University of Texas School of Law, Dallas, Texas (July 28). Jones Day Speaker: Jay Johnson

Cybersecurity, National Compliance Outreach Program for Broker-Dealers, Securities and Exchange Commission, Financial Industry Regulatory Authority, Washington, D.C. (July 27). Jones Day Speaker: Jay Johnson

The Upcoming ePrivacy Regulation: Status and Assessment of the Commission's Proposal, IAPP Knowledge Net, Munich, Germany (July 12). Jones Day Speaker: Jörg Hladjk

Cognitive Technology and AI: Legislation and Regulation, Federations of Enterprises in Belgium, Brussels, Belgium (June 30). Jones Day Speaker: Laurent De Muyter

Network & System Architecture as a Defense, CISO Executive Network, Houston, Texas (June 22). Jones Day Speaker: Nicole Perry

International Data Transfers, 19th Annual Data Protection and Data Security Conference (DuD 2017), Berlin, Germany (June 20, 2017). Jones Day Speaker: Jörg Hladjk

Building a Cybercrime Prosecution: Law Enforcement and Corporate Perspectives, Massachusetts Institute of Technology, Cambridge, Massachusetts (June 19). Jones Day Speaker: Lisa Ropple

Cyber Security: Preparing, Preventing & Responding, Lawyers' Clearinghouse, Boston, Massachusetts (June 16). Jones Day Speakers: Lisa Ropple and Sarah Podmaniczky McGonigle

Fully Connected, Fully Liable? Cybersecurity: Risks and Pitfalls—Be Prepared (and Watch Your Smartphones—Live Hacking Demonstration!), Jones Day Client Conference 2017, Frankfurt, Germany (June 12). Jones Day Speaker: Undine von Diemar

Cybersecurity—Handling a Crisis, Symposium on International Law and Global Markets, Institute for Law and Technology, Plano, Texas (June 12). Jones Day Speaker: Jay Johnson

Network & System Architecture as a Defense, CISO Executive Network, Atlanta, Georgia (June 7). Jones Day Speaker: Todd McClelland

Cyber Security Primer, Plano Bar Association, Plano, Texas (June 2). Jones Day Speaker: Jay Johnson

GDPR: What is Going to Change About Data Protection Across the EU, Jones Day Webinar (June 1). Jones Day Speaker: Giuseppe Mezzapesa


Blind Spots Remain as SELF DRIVE Act Passes House (Sept.) Jones Day Authors: Jeff Jones, Bob Kantner, Chuck Moellenberg, Paul Rafferty

"General Data Protection Regulation," chapters on profiling, security, and data breach notification), Ehmann/Selmayr, Beck Verlag, first edition 2017 (in German, English translation available soon). Jones Day Author: Jörg Hladjk

"EU GDPR," chapter on international data transfers, including EU model contracts and Binding Corporate Rules, Auernhammer, Heymann Verlag, first edition 2017 (in German). Jones Day Author: Jörg Hladjk

Implementing China's Cybersecurity Law (Aug.). Jones Day Authors: Various

Deadline to Comply with New York's Cybersecurity Regulation Is Approaching (Aug.) Jones Day Authors: Jay Johnson, Mauricio Paez, Kerianne Tobitsch

SELF DRIVE Act Cruises from Committee to Full House (Aug.). Jones Day Authors: Various

FORUM: Best Practices in Data Loss Prevention (Aug.). Jones Day Author: Olivier Haas

FDA Establishes Electronic Privacy, Security, and Reliability Criteria for Clinical Trial Records (July). Jones Day Authors: Various

Congress Moving into the Driver's Seat for Autonomous Vehicles (July). Jones Day Authors: Various

Online Terrorist Propaganda: France and UK Put Internet Giants in the Cross-Hairs (July). Jones Day Authors: Rémy Fekete, Jonathon Little, Elizabeth Robertson

Actualidad Juridica: Regarding Video Surveillance in the Workplace (July) (in Spanish). Jones Day Authors: Paloma Bru, Javier Gutierrez

A New Chinese National Intelligence Law Is On Its Way (June). Jones Day Authors: Christopher Pelham, Vivi Zhou

French Data Protection Authority Approves Implementation of Biometric Authentication Tools in Banking Sector (June). Jones Day Authors: Various

French Data Protection Authority Clarifies Responsibilities for the Use of Cookies in Online Advertising (June). Jones Day Authors: Various

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.