Legislative Developments

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them.  Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII.  If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that “sell” PII either by (1) selling 100,000 consumers’ records each year, or (2) deriving 50% of their annual revenue by selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country.

The Senate yesterday confirmed all five nominees to the Federal Trade Commission by voice vote, which means the five-person body will soon be restored to full capacity after over a year with only two Commissioners.  Current Chair Ohlhausen released a statement congratulating incoming Chair Joseph Simons and soon-to-be new Commissioners Noah Phillips, Becca Slaughter, Rohit Chopra, and Christine Wilson.

Ohlhausen’s statement suggests that she intends to remain at the Commission until confirmed by the Senate to her nomination as a Judge on the U.S. Court of Federal Claims – with Wilson set to fill Ohlhausen’s seat once she departs.  Current Commissioner McSweeny recently announced that she intended to depart the Commission tomorrow, April 27, and that she hoped the Senate would move expeditiously in the confirmation process.

As we previously discussed here and here, the new Chair and Commissioners will bring a breadth of knowledge and experience to the FTC.  While working in private practice for the majority of his career, incoming Chair Simons also has significant experience at the Commission, having served as Director of the Bureau of Competition from June 2001 to August 2003 and in other roles at the FTC in the late 1980s.  Wilson, currently a Senior Vice President at Delta Airlines, overlapped with Simons during his most recent stint at the Commission while Wilson served as Chief of Staff to then-Chair Timothy Muris.

The other three Commissioners have not previously served at the FTC, but have notable expertise and experience in other areas.  Chopra, the only non-lawyer of the bunch, comes most recently from the Consumer Federation of America and previously served as Assistant Director at the Consumer Financial Protection Bureau.  Phillips and Slaughter will be departing legal positions on the Hill – Phillips serving as Chief Counsel to Senator Cornyn and Slaughter as Chief Counsel to Senator Schumer.  As the fifth and final nominee, Slaughter was unanimously reported out of the Commerce Committee earlier this week.

The new slate of Commissioners is expected to shake things up at the FTC.  While generally avoiding firm policy positions or legal interpretations during the confirmation process, the appointees affirmed their commitment to vigorously enforcing consumer protection and antitrust laws and expressed distinct interests in specialized topics such as big data and interconnected devices.  Now that the confirmation process has run its course, the coming days are likely to shed more light on the key priorities for the new Chair and Commissioners.

Just when you think you have it all under control, the data breach notification law landscape changes – again. Over the past few weeks, several data breach notification statutes were updated, including an effective date for Canada’s mandatory breach notification obligations, as well as the adoption of legislation in the two holdout states (Alabama and South Dakota). Here is the latest:

  • Canada: On March 26, the Governor General in Council, on recommendation of the Minister of Industry, set November 1, 2018, as the effective date for the mandatory data breach notification obligations in the Digital Privacy Act 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). Beginning November 1, any organization must report to the Privacy Commissioner if it has a reasonable belief that a breach of information under its control creates a real risk of “significant harm” to Canadian residents, as well as notify affected individuals. The term “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business, or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. The notice to affected individuals must contain sufficient information to allow the individual to understand the significance of the breach and to take any steps to mitigate or reduce the risk of any resulting harm.
  • Alabama: On May 1, 2018, the Alabama Data Breach Notification Act will take effect, requiring that companies provide notice of the unauthorized acquisition of electronic data containing sensitive personally identifiable information that is reasonably likely to cause substantial harm. The term “sensitive personally identifiable information” includes an Alabama resident’s first name or first initial and last name in combination with Social Security or tax identification number; driver’s license or other unique government-issued identification number; financial account number in combination with the required security code, access code, password, expiration date, or PIN; medical and health insurance information; or online account credentials. The Act sets a 45-day time limit for consumer and Attorney General (if more than 1,000 Alabama residents are affected) notice. The consumer notice must contain (1) the estimated date(s) of the breach; (2) a description of the affected information; (3) a general description of the remedial actions taken; (4) a general description of the steps consumers can take to protect themselves from identity theft; and (5) the company’s contact information. The Attorney General notice must contain (1) a synopsis of the event surrounding the breach at the time notice is provided; (2) the approximate number of affected Alabama residents; (3) any free services offered to affected individuals, and instructions on how to use those services; and (4) the name, address, telephone number, and email address of the company’s point person for the breach. A violation of the Act will constitute an unlawful trade practice under the Alabama Deceptive Trade Practices Act, subject to a civil penalty of up to $5,000 per day.
  • South Dakota: On March 21, South Dakota enacted S.B. 62. Effective July 1, 2018, the statute will require that companies provide notice of the unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) that materially compromises the security, confidentiality, or integrity of personal or protected information. The statute (1) contains expanded definitions of personal and protected information, which include health information, an employer-assigned ID number in combination with the required security code, access code, password, or biometric data, and online account credentials; and (2) sets a 60-day time limit for consumer notice, unless legitimate law enforcement needs require a longer time period. Attorney General notice is required if the number of affected South Dakota residents exceeds 250. Violators are liable for a civil penalty of up to $10,000 per day per violation.
  • Oregon: On March 16, Oregon enacted amendments to its data breach notification law, which take effect June 2, 2018. The amendments clarify that personal information includes an Oregon resident’s first name or first initial and last name in combination with any information or combination of information that would permit access to her financial account, and require consumer and Attorney General (if the number of affected residents exceeds 250) notice within 45 days of discovery of a breach. Additionally, if a company provides free credit monitoring or identity theft prevention and mitigation services, it may not require that consumers provide a credit or debit card number (or any fee) to take advantage of those free services. Likely prompted by the Experian data breach, the amendments also prohibit consumer reporting agencies from charging a fee for a consumer to place or lift a security freeze. Previously, the statute capped such fees at $10.
  • Arizona: On April 5, the Arizona Governor received H.B. 2154, which if enacted, would (1) expand the definition of personal information to include a private key unique to an individual and used to authenticate or sign an electronic record, medical and health insurance information, passport and taxpayer identification number, unique biometric data, and online account credentials; and (2) require notification to affected consumers, as well as the Attorney General and the three largest credit reporting agencies if more than 1,000 Arizona residents are affected, within 45 days. Such notices would need to include the approximate date of the breach; a brief description of the affected personal information; the toll-free numbers for the three largest CRAs; and the toll-free number, address, and website address for the FTC. Importantly, these amendments would also create notice provisions specific to online account credentials and clarify that notice should not be made to the affected account, and should prompt the individual to (1) immediately change her password or security question and answer, and (2) take appropriate steps to protect the affected account and all other online accounts with the affected account credentials. If Arizona adopts these amendments, it will become the twelfth state to require notice in the event of a breach of online account credentials – joining California, Delaware, Florida, Illinois, Maryland, Nebraska, Nevada, Rhode Island, and Wyoming, and most recently, Alabama and South Dakota.

These developments demonstrate that data breach notification statutes are evolving, often in response to high-profile data breaches and/or concerns about a specific industry or a specific type of data – such as online account credentials. We expect U.S. states to continue to update these laws, and in particular, to (1) expand the definition of personal information to include medical and health insurance information, biometric data, and online account credentials; (2) require notice to consumers and/or regulators within a specific time period; (3) impose data security requirements; and (4) address concerns with specific industries, such as credit reporting agencies. Stay tuned for more updates!

Seven years ago, we posted about a new law in California governing automatic renewals. The law generally requires that companies: (1) clearly disclose the material offer terms before a consumer subscribes; (2) obtain affirmative consent to the terms before the consumer is charged; (3) provide a confirmation to the consumer that includes the terms, a description of the cancellation policy, information on how to cancel, and, if the offer includes a free trial, that the consumer may cancel before being charged; and (4) provide an easy-to-use method for canceling. Since then, we’ve seen several lawsuits under the law, including this one.

The state recently enacted a new law that adds additional requirements to the ones already on the books. Under the new law, companies will also be required to:

  • Provide a clear and conspicuous explanation of the price that will be charged after the trial ends;
  • Obtain consent before charging a consumer for an automatic renewal or continuous service that is made at a promotional or discounted price for a limited period of time;
  • Disclose how to cancel automatic renewal prior to payment for the continuing service after a free trial; and
  • Allow consumers to cancel online if they signed up online.

The new law isn’t effective until July 1, 2018, so companies have time to change their processes. But these changes can require a lot of planning and technological changes on the back end, so it makes sense to start thinking about them now. This is an area that gets a lot of attention from regulators and class action attorneys, so the consequences of getting things wrong can be significant.

Last week, the Senate voted 51 to 50 (with Vice President Pence casting the tiebreaking vote) to override the Consumer Financial Protection Bureau’s Arbitration Rule, which was finalized earlier this year in July.  As previously discussed here and here, the Arbitration Rule would have prohibited providers of covered consumer financial products and services from using pre-dispute arbitration agreements to compel consumers to participate in arbitration to resolve disputes about those products and services.  Shortly after the vote, the White House released a statement applauding the override vote and indicating that President Trump intended to enact it, effectively confirming that the Arbitration Rule will not come into effect.

The override occurred pursuant to the Congressional Review Act (CRA), which was enacted in 1996 to provide an easier mechanism for Congress to undo agency regulations without enacting wholly new legislation.  Under the CRA, both the House and Senate can use streamlined procedures that limit debate and the amendment process and allow Congress to overturn agency regulations with a simple majority in each chamber.  The CRA also prohibits agencies from issuing regulations that are “substantially the same” as the overturned regulation unless authorized by a subsequent law, meaning that the CFPB will be unable to simply pass a substantially similar rule in the next session of Congress.  The meaning of “substantially the same” under the CRA has yet to be litigated, so it’s at least possible that the CFPB could try to reissue another arbitration rule down the road even without subsequent legislation.

While the battle over the Arbitration Rule appears to be over for now, proponents of the rule vowed to continue to push related reforms and encouraged the CFPB to use existing authority to review and take action against unfair, deceptive, or abusive arbitration provisions.  The CFPB remains authorized to use its supervisory and enforcement authorities under the Dodd-Frank Act to regulate arbitration provisions.  While the repeal of the Rule means the CFPB can’t prohibit arbitration clauses in the aggregate via rule, it could still allege that particular arbitration provisions are unfair, deceptive or abusive on a case-by-case basis.  Providers of financial products and services, therefore, should remain cognizant of the CFPB’s regulatory and enforcement authority and evaluate consumer arbitration provisions in light of relevant court precedent and guidance to minimize the likelihood that such provisions are invalidated and/or garner CFPB interest.

On October 1, 2017, a new law will take effect in New Jersey, the Personal Information and Privacy Protection Act (“PIPPA”), which will severely restrict retailers’ ability to “scan” any customer’s “identification card”–a term defined to mean “a driver’s license,” “probationary license,” “non-driver photo identification card,” or any similar card “issued…for purposes of identification.” Merely looking at a license to verify identity or age is not covered by the new law, only “scanning” the license for the purpose of recording and retaining the data.  Both the Attorney General’s Office and private consumers can sue for violations, but the window for private suits is fairly narrow.

The law begins by listing the only purposes for which a retailer may “scan” an identification card at all. They are to (1) verify the person’s identity or the authenticity of the ID card (but this cannot be done if the purchaser is buying an item for cash); (2) verify age when an item is age-restricted; (3) prevent fraud in connection with returns and exchanges if “the business uses a fraud prevention service company or system”; (4) prevent fraud in credit transactions or in connection with the opening of a credit account; (5) establish or maintain a contractual relationship; (6) meet any state or federal legal obligation; (7) transmit information to a consumer reporting agency as may be permitted by law; and (8) accomplish the goals of the Health Insurance Portability and Accountability Act.

The PIPPA then says that if a retailer scans information for one of these permitted reasons, it may only scan “the person’s name, address, date of birth, the state issuing the identification card, and identification card number.” Among the other information that may be listed on a driver’s license that the law does not permit to be “scanned” are a person’s photograph, height, weight, eye color, any restrictions on the license, and the person’s status as an organ donor.  That other information may not be “scanned” at all.

If a retailer scans an identification for purposes (1) and (2)–identity and age verification–it cannot “retain” this information, even briefly. Retailers may retain information they collect for the other permitted purposes, but if they do so, they must “securely store[]” it and “promptly report[]” any breaches to the New Jersey State Police and the Attorney General’s Office pursuant to existing breach notification statutes.  The statute does not put any express limitations on the length of time this information can be retained.

The PIPPA allows the Attorney General’s Office to recover a $2,500 civil penalty for a first violation and $5,000 for each subsequent violation. It also provides that “any person aggrieved by a violation of this act can bring an action in Superior Court to recover damages.”  That private right of action would therefore seem to be limited in two very important respects.

First, a consumer can sue only if “aggrieved.” That same word appears in another New Jersey statute that has been in the news lately–the Truth-in-Consumer Contract, Warranty, and Notice Act (“TCCWNA”)–and we are awaiting word from the New Jersey Supreme Court in a pending TCCWNA case as to what it means.  Second, the statute very clearly does not say that consumers can recover the same $2,500 penalty that the Attorney General’s Office may collect.  Consumers can only sue for “damages,” which would seem to require real, out-of-pocket losses, such as those from actual identity theft.  If a data breach leads to such theft, however, and if the retailer did not “securely store” the data, class action lawsuits may be possible under the new PIPPA.

The window to comply with this new statute is a short two months. Retailers doing business in New Jersey should determine the extent to which they are scanning driver’s licenses and other ID cards and ensure that their policies for doing so, and for retaining any data collected, comply with the PIPPA.  If conducting similar business practices elsewhere, it’s a good idea to confirm compliance with similar laws to this New Jersey law in other states.

Late last year, the Consumer Fairness Review Act became law, placing new restrictions on what companies can include in form contracts that impede consumers’ ability to communicate honest reviews of products, services, and companies in any forum. Quietly last month, the Federal Trade Commission released non-binding business guidance on how organizations can comply with the Act.  Given the widespread use of such terms in form agreements, such as online terms of use, it’s a good idea to determine whether any of your company’s contract terms are covered, and, if so, what changes you will need to make to such agreements.

Time is of the essence: as of March 14, 2017, the Act voids and makes unlawful such agreements containing the triggering terms.  By December 14, 2017, the FTC and State Attorneys General and other state consumer protection officials can enforce such violations as unfair and deceptive trade practices.

Who Should Pay Attention?

The law applies to organizations that use form contracts when selling or leasing that party’s goods or services, and do not provide the other contracting party with a meaningful opportunity to negotiate the terms of that contract. Standard term sheets and website agreements come immediately to mind, but given the broad scope of the law, the statute also could apply to various codes of conduct and other agreements that apply to commercial activity, both on- and offline.

What Kind of Form Contract Terms Are Prohibited?

The law prohibits and voids form contracts if they:

  • Prohibit or restrict the ability of an individual who is a party to the form contract to engage in a covered communication;
  • Impose a penalty or fee against an individual who is a party to the form contract for engaging in a covered communication; or
  • Transfer or require the other party to the contract to transfer any intellectual property rights in review or feedback content except for certain non-exclusive licenses.

For example, if your website terms of use prohibits customers from posting a review of your product or service as a condition for using the Site, or cites a consequence if they do, such terms are prohibited by the law. It also pays to closely look at Site terms that allow the company to remove postings for any reason, and what type of criteria is used operationally to remove offensive reviews.

What Communications Are Protected?

The law’s main intent is to protect honest reviews of goods, services, and the conduct of the contracting party. It thus broadly protects written, oral, or pictorial reviews, performance assessments of, or other similar analyses of the goods, services, or conduct of the party that issues the form contract in the course of selling or leasing the person’s goods or services.

What Communications Are Not Covered?

The Act has a number of exemptions and does not apply to:

  • Employer-employee or independent contractor contracts, including photographs or videos owned by a party that are subject to such contracts;
  • False and misleading content;
  • Content that is defamatory, libelous, slanderous, or similar;
  • Content containing personal information, or another person’s likeness;
  • Content that is libelous, harassing, abusive, obscene, vulgar, sexually explicit, or is inappropriate with respect to race, gender, sexuality, ethnicity, or other intrinsic characteristic;
  • Content that is unrelated to the goods or services offered by or available on the party’s website; or
  • Content impacting a party’s duty of confidentiality imposed by law, including via agency guidance.

For websites that host online consumer reviews and comments, the Act also does not prohibit the website host from reserving the right to remove:

  • Privileged or confidential trade secrets, commercial, or financial information;
  • Personnel, medical, and similar files, which, if disclosed, would constitute an unwarranted invasion of privacy;
  • Law enforcement records, which, if disclosed, would constitute an unwarranted invasion of privacy;
  • Unlawful content; or
  • Content that poses security risks, such as viruses or worms.

Does This Law Preempt State Laws?

Notably, the law does not preempt state laws, so businesses will still need to comply with states that regulate this space, such as California’s similar law, which lacks the long list of exceptions in the federal statute, and carries its own civil penalties for non-compliance.


Given the common use of these terms in a variety of agreements, a little Spring (contract) cleaning is in order for most organizations. Proactive efforts on this front can prevent expensive lawsuits and government investigations in the future.

Did you know Kelley Drye’s Advertising Law practice produces a newsletter, Ad Law News and Views, every two weeks to help you stay current on ad law and privacy matters? Click here to access our Publication Sign Up and select Advertising and Marketing to subscribe. Find contents from the latest issue below:

Recent News

Chairman Kaye Steps Down as CPSC Chair; Republican Buerkle Assumes Role of Acting Chair

CFSAN Director Anticipates “Tweaks,” Not Rollbacks Despite Administration’s De-Regulation Emphasis

Smart TV Manufacturer “Smarting” after $2.2 Million Privacy Enforcement

FTC Announces Changes at the Helm of the Bureau of Consumer Protection; Thomas Pahl to Take Over as Acting Bureau Director Following Jessica Rich’s Departure

Not a Passing Grade: FTC Settles with Company Over Alleged False Advertising for High School Diploma Program

EU Data Protection Authority Issues GDPR Action Plan, Swiss Sign Privacy Deal with U.S.

New FTC Acting Chair Maureen Ohlhausen Offers Insight into Consumer Protection Priorities

CIT Adds New Requirements for ‘Assembled in USA’ Claims Analysis

FTC Cries Foul On Breathometer Accuracy Claims

Spotlight On Our New Texas Offices

Kelley Drye & Warren LLP recently merged with Jackson Gilmour & Dobbs, P.C., a highly respected Texas law firm best known for success in environmental litigation matters. The team also brings substantial experience in sophisticated regulatory and commercial litigation matters. The merger strengthens Kelley Drye’s litigation and environmental practices, as well as extends our national presence.

The collective environmental practices broaden Kelley Drye’s nationwide capabilities in site remediation, cost recovery, natural resource damages, and related insurance litigation, creating a powerhouse firm for businesses contemplating sales and acquisitions, debt and equity financings, and real estate development and construction where environmental issues may be present.

Please read more about our Environmental Law and Environmental Litigation capabilities, as well as our new offices in Houston and Austin.


Marketing in a Multi-Device World: Update on Cross Device Tracking

On January 25, Kelley Drye hosted a webinar on maintaining transparency and respecting consumer choice while achieving marketing objectives. Megan Cox, Attorney at the Federal Trade Commission, J. Jurgen Van Staden, Vice President, Policy & Technology at the Network Advertising Initiative, and partner Dana Rosenfeld discussed recent law enforcement activity, such as the FTC’s recent settlement with Turn Inc., as well as self-regulatory guidance and enforcement issues surrounding cross device information tracking and uses. For a copy of the slide deck, please click here.

Our next webinar will be on “Litigation is Inevitable: Update on Recent Advertising Class Actions” February 22. Please click here for more information and to register.

To sign up to receive future webinar invitations, please click here and sign up to receive communications from the Advertising and Marketing practice group.

Suing over Empty Space: Why Lawsuits over Slack Fill in Packaging Are Growing

Partner Kristi Wolff co-authored the Nutritional Outlook article “Suing over Empty Space: Why Lawsuits over Slack Fill in Packaging Are Growing.” The article discusses the rise in lawsuits regarding slack fill, or the difference between the capacity of a container and the volume of the product inside. Read more…

ABA Section of Antitrust Law Presidential Transition Report

Partner Bill MacLeod addressed the American Bar Association’s Section of Antitrust Law with an introductory note to the Section’s 2017 Presidential Transition Report. The American Bar Association Section of Antitrust Law released its 60-page eighth sequential Presidential Transition Report, which offers a retrospective of current state and federal antitrust and consumer protection law and policy, as well as recommendations for ways the new Trump administration might consider further strengthening policy and enforcement to deal with new antitrust challenges on the horizon. Read more…

Has the Supreme Court’s Resolution of Spokeo Played Out as Expected?

Partner Lee S. Brenner co-authored the Bloomberg BNA article “Has the Supreme Court’s Resolution of Spokeo Played Out as Expected?” On May 16, 2016, the United States Supreme Court held in Spokeo Inc. v. Robins that a consumer cannot satisfy the injury-in-fact demands of Article III by alleging only a bare procedural violation of a statute, divorced from any concrete harm. The article examines the Spokeo decision and how that case impacted litigation in various contexts, including data privacy, the Truth in Lending Act (TILA), the Fair and Accurate Credit Reporting Act (FACTA), and the Telephone Consumer Protection Act (TCPA). Read more…

Fifty Countries and Counting, Sixty Sessions and More – at Spring Meeting: A Message From Bill MacLeod, Chair, Section of Antitrust Law

Partner William MacLeod authored his monthly address to the American Bar Association’s Section of Antitrust Law. This month’s message features The Spring Meeting of the Section of Antitrust Law. Read more…

Upcoming Events and Speeches

Toys for Sale: IoT Devices and Connected Kids
February 15, 2017 | WEBINAR
American Bar Association
Dana B. Rosenfeld

Litigation is Inevitable: Update on Recent Advertising Class Actions
February 22, 2017 | WEBINAR
Jeffrey S. Jacobson

Regulation of Cosmetics
March 3, 2017 | WASHINGTON, DC
Introduction to U.S. Food Law and Regulation
Kristi L. Wolff

Doing Data Right: Legal Best Practices for Making Your Data Work
March 16, 2017 | SAN JOSE, CA
Strata + Hadoop World 2017
Alysa Zeltzer Hutnik

Eyes on the 1-800 Prize: IP Restrictions and Online Competition
March 29, 2017 | WASHINGTON, DC
65th Antitrust Law Spring Meeting
David H. Evans

Multi-State Privacy/Security Investigations: Expert Roundtable
April 20, 2017 | WASHINGTON, DC
Global Privacy Summit 2017
Alysa Zeltzer Hutnik

Impact of the 2016 Election on Antitrust and Consumer Protection Class Actions
April 27, 2017 | SEATTLE, WA
Law Seminars International’s Litigating Class Actions
Jeffrey S. Jacobson



On January 16, 2017, the Article 29 Working Party (“Working Party”)—the EU’s central data protection advisory board—published a press release regarding its Action Plan for 2017, which was adopted as part of its wider implementation strategy for the General Data Protection Regulation (“GDPR”).  The Action Plan follows up on the actions initiated in 2016 and outlines the priorities and objectives for the year to come in anticipation of the entry into force of the GDPR in May 2018.

In 2017, the Working Party commits to continue and/or finalize work on several key issues:

  • Guidelines on certification and processing likely to result in a high risk and Data Protection Impact Assessments (“DPIA”);
  • Administrative fines;
  • Setting up the administration of the European Data Protection Board (“EDPB”) structure; and
  • Preparation of the one-stop shop and the EDPB consistency mechanism.

New work priorities and objectives for 2017 include:

  • Guidelines on the topics of consent and profiling;
  • Guidelines on the issue of transparency; and
  • Update of existing opinions and guidance documents on data transfers to third countries and data breach notifications.

Moreover, the Working Party commits to continue consultation rounds and will invite relevant stakeholders to provide input on topics of interest.  During a “Fablab” workshop announced for April 5 and 6, stakeholders will have the opportunity to comment on the Working Party’s Action Plan. Non-EU counterparts will have an opportunity to exchange views on the Working Party’s GDPR implementation and the GDPR generally during an interactive workshop scheduled for May 18-19, 2017.

*           *           *

In other data protection news, on January 11, 2017 the U.S. and Switzerland signed a Privacy Shield Agreement recognizing the adequacy of U.S. data protection legislation in light of Swiss requirements.  Months earlier, on October 7, 2015, the Swiss Data Protection Commission stated that it would follow the Court of Justice of the European Union’s invalidation of the U.S. – EU Safe Harbor framework, and hence, a new framework was required.  Resembling the EU – U.S. Privacy Shield, the new Swiss – U.S. agreement enables certified companies to export data from Switzerland to the U.S. in compliance with Swiss data protection laws.  There are three notable differences between the EU – U.S. and Swiss – U.S. Privacy Shield frameworks:

| EU – U.S. Privacy Shield | Swiss – U.S. Privacy Shield |
| --- | --- |
| EU Data Protection Authority is cooperation and compliance authority | Swiss Federal Data Protection and Information Commissioner is cooperation and compliance authority |
| Sensitive data definition under Choice Principle | Modified sensitive data definition under Choice Principle includes ideological or trade union-related views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings |
| Binding arbitration option in place | Commerce to work with Swiss Government to put in place binding arbitration option at first annual review |

The new agreement replaces the existing U.S. – Swiss Safe Harbor Framework with immediate effect. The Department of Commerce will begin accepting self-certification applications on April 12, 2017.

Please join Kelley Drye in 2017 for the Advertising and Privacy Law Webinar Series. Like our annual in-person event, this series will provide engaging speakers with extensive experience and knowledge in the fields of advertising, privacy, and consumer protection. These webinars will give key updates and provide practical tips to address issues faced by counsel.

This webinar series will commence January 25 and continue the last Wednesday of each month, as outlined below.

January 25, 2017 | February 22, 2017 | March 29, 2017 | April 26, 2017 | June 28, 2017
July 26, 2017 | September 27, 2017 | October 25, 2017 | November 29, 2017

Kicking off the series will be a one-hour webinar on “Marketing in a Multi-Device World: Update on Cross Device Tracking” on January 25, 2017 at 12 PM ET. For more information and to register, please click here. CLE credit will be offered for this program.