Posts Tagged: "data privacy"

In Part I of this series, we discussed the Federal Trade Commission’s (FTC’s) case against Everalbum as just one example where companies may be required to remove data from their machine learning models (or shut down if unable to do so). Following are some additional pitfalls to note. A. Evolving privacy and data usage restrictions Legislators at the international, federal,…

While the COVID-19 pandemic has changed every aspect of our lives, digital transformation in healthcare has accelerated above others. The pandemic has changed the healthcare delivery paradigm from human to digital platforms faster than Klaus Schwab could have imagined. In 2016, the World Economic Forum chairman coined the phrase “Fourth Industrial Revolution,” envisioning the combination of fourth industrial-era technologies in hardware, software, and biology, or cyber-physical systems. These new technologies, leveraging advances in communication, connectivity, and computing power, would usher in a more efficient way to live, work, and socialize. Who knew how the horrific circumstances triggered by a global pandemic could accelerate an evolution that might have taken 20 years and condensed into a single year. Healthcare has gone digital, and there is no going back now.

In these times, businesses are increasingly data driven and privacy regulations are continually being updated to keep pace. As an entrepreneur, of the many operational checkpoints that come with starting and growing a business, managing your privacy notices and programs is something that can fall by the wayside. But given the increasing scrutiny from a privacy standpoint from investors, regulators, and the public at large, early attention to and investment in sustainable privacy practices can pay dividends as you grow and avoid some potentially disastrous pitfalls.

Notwithstanding its negative effects on the world at large, COVID-19 quarantine has been a boon to a growing group of entertainment-based apps and services. Netflix, Amazon, Zoom, and Instagram are a few of the best-known apps that many have used to break the monotony of pandemic-induced isolation. TikTok is also on the list of apps experiencing a growth surge, though chances are that your kids are more likely to have participated in a viral TikTok dance challenge than you. Unfortunately for the Chinese-owned company, this popularity among the tween-and-under set is the source of its ongoing struggles with privacy advocates and regulators.

In 2018, after years of planning, the General Data Protection Regulation (GDPR) was introduced by authorities across Europe. It aimed to modernize the laws that protect individuals’ private information; laws which hadn’t been updated for nearly two decades. The GDPR was designed to give formidable power to data protection authorities. The threat of fines of up to €20 million or up to 4% of an organization’s global annual turnover (depending on which is greater) had been established. Two years on, although there have been over 160,000 data breaches reported, only a small number of companies have been issued with a punishment…. Enforcement has indeed varied widely across countries, and last year we caught a glimpse of what the data breach landscape may look like in terms of fines in the UK. The Information Commissioner’s Office (ICO) has issued intentions to fine British Airways £183 million, in addition to a potential £3 billion compensation pay-out, after the personal data of around 500,000 customers was exposed from their website and app. Marriott have also been issued with an intention to fine in the sum of £99m. In comparison, almost a third of countries reportedly have yet to issue a single fine.

The last few years have seen unprecedented changes in the legal landscape concerning data protection and privacy. The European Union General Data Protection Regulation (GDPR) became enforceable in May 2018. In July 2018, the California Consumer Privacy Act (CCPA) was enacted, and it became effective January 1, 2020. In response to the GDPR and the CCPA, many businesses are updating their privacy policies to comply with these laws. While crafting these updates, drafters should be cognizant of the effect such policies could have not only in the short term, but also down the road. For example, in the bankruptcy context, the content of a company’s privacy policy is important. If a privacy policy does not inform customers that their data may be sold in a bankruptcy proceeding, courts are likely to impose restrictions on the sale of that data. These restrictions can significantly decrease the value of such assets. Because of this reality, drafters should keep a few considerations in mind as they update privacy policies to comply with new laws and maximize the value of data assets.

We live in a world where data has become an increasingly valuable asset and huge companies are built on the collection and analysis of publicly available data. Yet, there is no federal statute that directly protects this type of information or even directly addresses how this information should be treated. Instead, businesses are often forced to rely on the Computer Fraud and Abuse Act (CFAA) in order to protect this valuable asset or commodity, which originally only provided criminal sanctions and was enacted to address computer hacking. Most recently, the Ninth Circuit in hiQ Labs, Inc. v. Linkedin Corp., 938 F.3d 985 (9th Cir. 2019), addressed under what circumstances a company may legally “scrape” data from another company’s website. There, the court determined on hiQ’s motion for preliminary injunction that “scraping” publicly available information from LinkedIn likely is not a violation of the CFAA because the LinkedIn computers are publicly accessible and hiQ thus did not access the computers “without authorization” as required by the CFAA. Under these circumstances, the court determined that it did not matter that LinkedIn had sent a cease and desist letter to hiQ prohibiting such access. This is a potentially very important decision for companies on both sides of this issue and for the general public, at least in the Ninth Circuit.

This week in Washington, D.C., the Senate Subcommittee on Intellectual Property holds a hearing to look at ways to reduce the number of fraudulent trademark application filings that have been making their way to the U.S. Patent and Trademark Office. Other Senate committee hearings will focus on legislative proposals to protect consumer data privacy and promote the availability of wireless spectrum for 5G networks. Over in the House of Representatives, the Artificial Intelligence Task Force will convene a hearing to look into concerns related to the use of artificial intelligence technologies in the financial services industry. Elsewhere in D.C., both The Brookings Institution and the Information Technology and Innovation Foundation will host events discussing the use of facial recognition technology in the public and private sectors. 

Imagine the following scenario: You have an idea for a new mobile application. As adoption of the app picks up, so does your business, and you hire more employees to provide sales and support assistance. You are on your way to transforming your startup into a successful business. Needing additional capital to scale the business more quickly, you identify a strategic partner interested in investing in your business. Before you can close on the funding, several employees report that they did not receive their paychecks through the direct deposit system. The investigation reveals that several months ago, your organization received a series of spear phishing emails. You learn that multiple employees opened the email and its attachment giving the cybercriminals access to your systems. Not only are you out the payroll money, but you also learn that in addition to your employees’ banking information, the criminals had access to your customer contact information and the source code for your app. A cyberattack is an unwelcome event for any company, but the effects can be especially detrimental to a startup, with 60% or more of small businesses that experience a data breach going out of business within a year of the breach. It is impossible for any size business to guarantee a system that is fully secure. However, not all companies have millions of dollars to invest in cybersecurity and by allocating even limited funds to assessing your data privacy risks, implementing a protection plan and creating an incident response plan, a startup can significantly improve its chances of surviving a cyberattack.

The House Subcommittee on Antitrust, Commercial, and Administrative Law yesterday heard from Joseph Simons, Chairman of the Federal Trade Commission, and Makan Delrahim, Assistant Attorney General in the Department of Justice’s Antitrust Division as part of the Subcommittee’s fourth hearing in its “Online Platforms and Market Power” series. The latest hearing focused on the perspectives of the antitrust authorities, while previous hearings have examined the effects of the big tech companies on innovation and entrepreneurship; online platforms’ effect on a free and diverse press; and the role of data and privacy in competition. While both Delrahim and Simons said they are aggressively investigating and monitoring dominant platforms like Facebook and Google, they warned against overreach. Subcommittee Chair David Cicilline (D-RI) expressed his concern that, over the past decade, the largest tech firms have acquired more than 436 companies, “many of which were actual or potential competitors,” without intervention from antitrust enforcement authorities. The last major monopolization case was brought in 2001 against Microsoft, Cicilline noted. “This has created a de facto antitrust exemption for online platforms.,” he said, questioning whether the failure lies in the need for congressional action to amend and strengthen existing laws, a lack of agency resources to effectively combat the problem, or simply a lack of will to enforce the laws on the books.

This week in our nation’s capital, the U.S. Senate is the lone house of Congress that will host hearings on tech and innovation topics. On Tuesday, Senate subcommittees will explore national security concerns related to big tech use of user data along with NASA’s efforts to improve the STEM workforce. On Wednesday, a few legislative hearings will commence to look at bills related to government AI, cybersecurity and geothermal innovation, among other tech subjects. Elsewhere in D.C., the Center for International and Strategic Studies explores the future of the electrical grid and China’s efforts towards techno-governance.

This week in technology and innovation hearings taking place in Washington, D.C., subcommittees in the House of Representatives discuss the worker pipeline for the clean energy sector and ways to promote C-Band spectrum auctions on Tuesday. Then on Wednesday, the Senate IP Subcommittee holds a hearing on preventing the issuance of poor quality patents, which is likely to include some contentious viewpoints on the U.S. patent system. Other Senate hearings this week focus on innovation in water security as well as national security issues in the 5G supply chain. Elsewhere, The Brookings Institution explores the role of the Federal Trade Commission in consumer data privacy legislation and closes out the week with an event that takes a look at ways to mitigate the risks of artificial intelligence technologies.

This week in tech and innovation hearings in Washington, D.C., the House of Representatives explores issues related to emerging cyber threats, Facebook’s cryptocurrency and its impact on the financial sector, space weather research and supporting clean automobile developments. House committees will also hold two field hearings outside of D.C. on improving Internet connectivity in rural communities and community initiatives in smart mobility programs. In the Senate, committee hearings will focus on ownership of personal data, international energy efficiency efforts and the reauthorization of compulsory copyright licenses for satellite broadcasts under STELAR. Elsewhere, Cato Institute will host an event looking at advances to space technology encouraged by the private sector, while the week closes out with an event at The Heritage Foundation discussing the effect of data surveillance on Fourth Amendment protections.

On September 24, the Court of Justice of the European Union (CJEU) delivered its decision in case C-507/17, Google v. CNIL regarding the territorial scope of the “right to be forgotten”. Google Inc. had filed an appeal with the French Council of State (FCS), the Highest Administrative Court in France, requesting the annulment of a decision by the French Data Protection Authority (CNIL), which imposed a penalty of EUR 100,000 (approximately USD 110,300) on Google. The case arises from a request to Google by a natural person for deletion of certain links from the list of results displayed following a search of his name (“request for de-referencing”). In response, Google refused to remove certain content from all versions of the domain name of its search engine (i.e., worldwide), leading to the penalty imposed by the CNIL. The FCS then made a request for preliminary reference to the CJEU for guidance on the interpretation of the “right of de-referencing”, popularly known as the “right to be forgotten”.