SlideShare a Scribd company logo

2017: Privacy Issues on the Horizon

Winston & Strawn LLP
Winston & Strawn LLP

2016 was an important year for privacy on many fronts. From Privacy Shield to the imminent arrival of a new U.S. president; from Brexit to ongoing breach law developments; and from FCC changes for ISPs to the upcoming arrival of GDPR—there wasn’t a single dull moment. In this eLunch, Winston’s Privacy & Data Security Practice Chair Liisa Thomas and Partner Rob Newman looked back at 2016 and discussed what to expect in the privacy world in 2017 and beyond.

Law
1 of 50
Download to read offline
2017: Privacy Issues on the Horizon January 19, 2017
Today’s Presenters 2 Liisa M. Thomas Chair, Privacy and Data Security Practice Chicago, London lmthomas@winston.com Robert H. Newman Partner, Privacy and Data Security Practice Chicago rnewman@winston.com
Overview • Data Breach • The European Privacy Landscape • The “Internet of Things” • Privacy and Security in China • Industry-Specific Privacy Requirements • Mobile Tracking 3
Data Breach
Audience Question One As a consumer, do you feel protected by breach notice laws? 5
New U.S. State Laws That Took Effect in 2016 6
GDPR: Beginning May 2018 72 hours 7
What’s Next? ?? 8
Audience Question One: Results 9
Audience Question Two As a consumer, when (not if) you get a notice that your personal information has been breached, do you feel harmed? 10
Spokeo: Why Aren’t There Fewer Cases? • Spokeo, Inc. v. Robins (May 2016) • Court held that statutory violations, alone, aren’t enough to satisfy the injury requirement for Article III standing • Because the harm to the plaintiff from a defendant’s mere statutory violation is not “concrete” • However, a “concrete” harm need not necessarily be “tangible” What is a concrete harm is thus unclear 11
No Harm • Kamal v. J. Crew Grp., Inc. (U.S. District Court for the District of New Jersey) • J. Crew printed more than five credit card digits on in-store sales receipts, in potential violation of FACTA • Court held that the supposed harm of the FACTA violation (a heightened risk of potential future identity theft) is not concrete 12
Harm • Flaum v. Doctor’s Associates Inc. (U.S. District Court for the Southern District of Florida) • Subway operator printed five debit card digits plus an expiration date on in-store sales receipts, in potential violation of FACTA • Carlos Guarisma v. Microsoft Corp (U.S. District Court for the Southern District of Florida) • Microsoft retail store printed first six digits of credit card, plus last four, on plaintiff’s printed sales receipt, in potential violation of FACTA • Courts reasoned that FACTA confers a substantive right (rather than a procedural right) • In Guarisma, court held “Where Congress has endowed plaintiffs with a substantive legal right, as opposed to creating a procedural requirement, the plaintiffs may sue to enforce such a right without establishing additional harm” 13
How Courts Will Rule… Right now not easy to predict, cases thus likely to continue… 14
Audience Question Two: Results 15
The European Privacy Landscape
GDPR Will Usher in New EU Privacy Regime • May 2018: General Data Protection Regulation (GDPR) will repeal and replace the EU Data Privacy Directive 17 Key Changes from Data Protection Directive EU-wide regulation (not country- by-country) Opt-in consent for data processing Right to be forgotten Record keeping requirements Data Protection Officers
Audience Question(s) Three Will your company be adding a Data Protection Officer (DPO) to address GDPR? If not, is it because you already have a DPO? If not, is it because you don’t have EU operations? 18
Do You Need a Data Protection Officer Under GDPR? Companies with core activities that require regular and systematic monitoring of individuals on a large scale. Article 37(1)(b). But what does that mean in practice? 19
Core Activities Those that are key to achieving a company’s goals (e.g., processing of patient data by a hospital) 20 Processing patient data Hospital Monitoring shopping center Security company
Regular and systematic Ongoing or recurring on a fixed basis in a manner that shows some planning or strategy 21 Online profiling Online tracking Retargeting Location tracking Loyalty program Monitoring fitness (wearable)
Large scale Standards likely to develop over time… 22 Processing customer geo- location data for statistical purposes related to the company’s services Processing customer data in “regular course of business”
Audience Question(s) Three: Results 23
Privacy Shield: Will it Gain Traction? But even if not … it can help to go through the process and get your “privacy house in order” 24 Will EC re-evaluate effectiveness annually? Will Department of Commerce really give greater scrutiny than under Safe Harbor? How burdensome will vendor management be for enforcing contractual provisions? How will the new U.S. administration impact certainty and predictability?
Reminder: Alternatives to Privacy Shield 25 Model Clauses Binding Corporate Rules
The “Internet of Things”
Audience Question Four Do you have a connected device (a wearable fitness monitor, baby monitor, home security camera, Internet-connected fridge, Internet-connected thermostat)? 27
What is the Risk? October 2016: Massive DDoS attack of Dyn web servers using connected “smart” consumer devices with default usernames and passwords 28
Regulators Taking Notice FTC settlement with ASUSTeK • A cloud computing and router company • FTC alleged that gaps in ASUSTeK’s products’ security violated its promises to protect consumer information (i.e., a deceptive act) 15 state AGs settle with Adobe for $1 million • Data breach impacted more than half a million users • AGs were concerned by Adobe’s alleged lack of mechanisms to detect and respond to unauthorized activity in its systems 29
Audience Question Four: Results 30
Privacy and Security in China
Audience Question Five Does your organization have operations in China or work with third parties (like suppliers) from China? 32
Draft Regulations to Update Consumer Rights Protection Law • Reiterates existing data privacy rules under the 2013 Consumer Rights Protection Law • E.g., disclosure and consent requirements, data security measures • New requirements • Data collection must be relevant to the business operations • No electronic marketing or telemarketing without consent • “Personal information” expanded to include biometric data • New exception: Operators may transfer data without consent if it has been desensitized so an individual cannot be identified 33
New Cybersecurity Law Raises Concerns for Non-Chinese Organizations • Broad new powers for Chinese government to investigate crime and protect IT systems • Permits the Chinese government to audit organizations and require security certification • Potential effect: Chinese government could obtain proprietary information (e.g., source code) and encryption keys for sensitive systems • Also requires companies to store data locally • Potential impact on cross-border data transfers • Data processors must obtain government permission before transferring consumer or other important information out of the country • Will take effect June 2017 34
Audience Question Five: Results 35
Industry-Specific Privacy Requirements
Audience Question Six Do you feel like you have a strong handle on existing legal requirements about how your organization can collect, use, and store information, including how your organization can interact with consumers using their information? 37
Everyone “Wants In” on the Privacy Game • Requirements on organizations continue to proliferate • Critical to understand what information a company holds, how it gets it, how it is used, and how it is protected 38 FTC
Audience Question Six: Results 39
FCC’s Recently Finalized Privacy Regulations • Applies to Internet service providers (ISPs) • New rules for collecting “sensitive data” • Defined to include children’s information, health and financial information, geolocation records, and Internet browsing history • ISPs must get express prior consent (i.e., opt-in consent) from customers before collecting “sensitive” data 40
FCC Regs vs. Other Regulatory Oversight • FCC (opt-in) vs. FTC (opt-out) for collecting • If FCC preempts state law, yet another layer of complication 41 Confusion State AGs FCC FTC
CFPB Begins Privacy Enforcement Efforts (Financial Services) First enforcement against Dwolla (online payment platform) • Settlement over alleged misrepresentations over data security claims • Claimed to be “safe” and “secure” • Per CFPB: Dwolla allegedly failed to encrypt sensitive data, conduct risk assessments, or train employees 42 Board responsible for implementing and overseeing compliance $100,000 civil penalty Annual audits to identify security flaws 2x per year internal security assessments Appoint someone to lead data security program Employee training Draft / implement data security plan
Mobile Tracking
Audience Question Seven Do you play Pokémon GO? 44
Pokémon GO and Geolocation Tracking Disclosures 45
Audience Question Seven: Results 46
FTC’s Take on Geolocation • FTC recs: “Mobile Privacy Disclosures: Building Trust Through Transparency” • InMobi settlement (June 2016) • Mobile advertising network allegedly bypassed location settings on users’ phones to collect location data 47 Annual audits for 20 years Must delete improperly obtained location data Must get EXPRESS consent for location tracking Nearly $1 million civil penalty Just-in-time disclosures Affirmative consent
Industry Self-Regulation on Geolocation • Digital Advertising Alliance mobile privacy guidelines on precise location data and third-parties • DAA Accountability Program enforcement against iTriage • Mobile app allegedly failed to disclose collection/sharing of location data with third parties for interest-based advertising • Settlement terms • Ceased collecting and sharing precise location data with third parties • Added just-in-time notifications for data collection in app 48 Provide notice of third-party collection or sharing (“clear, meaningful, and prominent”) Get consent for third-party collection or sharing
Want More Information? • Winston Privacy Year In Review 2016 • http://cdn2.winston.com/images/content/1/1/v2/118486/Privacy-YIR- DEC2016.pdf 49
Thank You. 50 Liisa M. Thomas Chair, Privacy and Data Security Practice Chicago, London lmthomas@winston.com Robert H. Newman Partner, Privacy and Data Security Practice Chicago rnewman@winston.com

Recommended

GDPR for Marketers - teaser
GDPR for Marketers - teaserGDPR for Marketers - teaser
GDPR for Marketers - teaser
Lava Consult BVBA
 
NetSquared London - GDPR for charities
NetSquared London - GDPR for charitiesNetSquared London - GDPR for charities
NetSquared London - GDPR for charities
Tech Trust
 
[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance
AIIM International
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
Ogilvy Consulting
 
Maximizing & Exploiting Big Data in Digital Media....Legally
Maximizing & Exploiting Big Data in Digital Media....LegallyMaximizing & Exploiting Big Data in Digital Media....Legally
Maximizing & Exploiting Big Data in Digital Media....Legally
MediaPost
 
GDPR FAQ'S
GDPR FAQ'SGDPR FAQ'S
GDPR FAQ'S
Morgan McKinley
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?
Hayden McCall
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
Morris Dorfer
 

Recommended

GDPR for Marketers - teaser
GDPR for Marketers - teaserGDPR for Marketers - teaser
GDPR for Marketers - teaser
Lava Consult BVBA
 
NetSquared London - GDPR for charities
NetSquared London - GDPR for charitiesNetSquared London - GDPR for charities
NetSquared London - GDPR for charities
Tech Trust
 
[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance[Presentation] GDPR - How to Ensure Compliance
[Presentation] GDPR - How to Ensure Compliance
AIIM International
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
Ogilvy Consulting
 
Maximizing & Exploiting Big Data in Digital Media....Legally
Maximizing & Exploiting Big Data in Digital Media....LegallyMaximizing & Exploiting Big Data in Digital Media....Legally
Maximizing & Exploiting Big Data in Digital Media....Legally
MediaPost
 
GDPR FAQ'S
GDPR FAQ'SGDPR FAQ'S
GDPR FAQ'S
Morgan McKinley
 
iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?iStart feature: Protect and serve how safe is your personal data?
iStart feature: Protect and serve how safe is your personal data?
Hayden McCall
 
GDPR: how IT works
GDPR: how IT worksGDPR: how IT works
GDPR: how IT works
Morris Dorfer
 
Do You Have a Roadmap for EU GDPR Compliance? Article
Do You Have a Roadmap for EU GDPR Compliance? ArticleDo You Have a Roadmap for EU GDPR Compliance? Article
Do You Have a Roadmap for EU GDPR Compliance? Article
Ulf Mattsson
 
Do You Have a Roadmap for EU GDPR Compliance?
Do You Have a Roadmap for EU GDPR Compliance?Do You Have a Roadmap for EU GDPR Compliance?
Do You Have a Roadmap for EU GDPR Compliance?
Ulf Mattsson
 
U.S. Data Privacy Report - Patchy preparation for GDPR shows U.S. businesses ...
U.S. Data Privacy Report - Patchy preparation for GDPR shows U.S. businesses ...U.S. Data Privacy Report - Patchy preparation for GDPR shows U.S. businesses ...
U.S. Data Privacy Report - Patchy preparation for GDPR shows U.S. businesses ...
Ebiquity
 
*Webinar* CCPA: Get Your Business Ready
*Webinar* CCPA: Get Your Business Ready*Webinar* CCPA: Get Your Business Ready
*Webinar* CCPA: Get Your Business Ready
MoEngage Inc.
 
Piwik PRO The Real Cost of Data Privacy
Piwik PRO The Real Cost of Data Privacy Piwik PRO The Real Cost of Data Privacy
Piwik PRO The Real Cost of Data Privacy
Piwik PRO
 
Gdpr action plan
Gdpr action plan Gdpr action plan
Gdpr action plan
Ulf Mattsson
 
Explain your algorithmic decisions for gdpr
Explain your algorithmic decisions for gdprExplain your algorithmic decisions for gdpr
Explain your algorithmic decisions for gdpr
Pierre Feillet
 
2016-09-05-Lessons_Learned_From_The_FTC_v1c
2016-09-05-Lessons_Learned_From_The_FTC_v1c2016-09-05-Lessons_Learned_From_The_FTC_v1c
2016-09-05-Lessons_Learned_From_The_FTC_v1c
Raj Goel
 
Security, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it rightSecurity, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it right
N-iX
 
GDPR
GDPRGDPR
GDPR
Sebastian Dramburg
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e book
Plr-Printables
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
Atif Ghauri
 
Web Analytics and Privacy
Web Analytics and Privacy Web Analytics and Privacy
Web Analytics and Privacy
Piwik PRO
 
Privacy Regulations and Your Digital Setup
Privacy Regulations and Your Digital SetupPrivacy Regulations and Your Digital Setup
Privacy Regulations and Your Digital Setup
Piwik PRO
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
Matthias Dobbelaere-Welvaert
 
Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next steps
The Economist Media Businesses
 
GDPR and personal data protection in EU research projects
GDPR and personal data protection in EU research projectsGDPR and personal data protection in EU research projects
GDPR and personal data protection in EU research projects
Lorenzo Mannella
 
Legal Implications of a Cyber Attack
Legal Implications of a Cyber AttackLegal Implications of a Cyber Attack
Legal Implications of a Cyber Attack
Brian Miller, Solicitor
 
GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands
legalandgeneral
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
Mark Baker
 
Meeting Policies LIVE: How to bring your policy to life with a well-designed,...
Meeting Policies LIVE: How to bring your policy to life with a well-designed,...Meeting Policies LIVE: How to bring your policy to life with a well-designed,...
Meeting Policies LIVE: How to bring your policy to life with a well-designed,...
SignUp4
 
Cutting Edge Robotics
Cutting Edge RoboticsCutting Edge Robotics
Cutting Edge Robotics
Robots Alive India
 

More Related Content

What's hot

2016-09-05-Lessons_Learned_From_The_FTC_v1c
2016-09-05-Lessons_Learned_From_The_FTC_v1c2016-09-05-Lessons_Learned_From_The_FTC_v1c
2016-09-05-Lessons_Learned_From_The_FTC_v1c
Raj Goel
 
GDPR and personal data protection in EU research projects
GDPR and personal data protection in EU research projectsGDPR and personal data protection in EU research projects
GDPR and personal data protection in EU research projects
Lorenzo Mannella
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
Mark Baker
 

What's hot (20)

Do You Have a Roadmap for EU GDPR Compliance? Article
Do You Have a Roadmap for EU GDPR Compliance? ArticleDo You Have a Roadmap for EU GDPR Compliance? Article
Do You Have a Roadmap for EU GDPR Compliance? Article
 
Do You Have a Roadmap for EU GDPR Compliance?
Do You Have a Roadmap for EU GDPR Compliance?Do You Have a Roadmap for EU GDPR Compliance?
Do You Have a Roadmap for EU GDPR Compliance?
 
U.S. Data Privacy Report - Patchy preparation for GDPR shows U.S. businesses ...
U.S. Data Privacy Report - Patchy preparation for GDPR shows U.S. businesses ...U.S. Data Privacy Report - Patchy preparation for GDPR shows U.S. businesses ...
U.S. Data Privacy Report - Patchy preparation for GDPR shows U.S. businesses ...
 
*Webinar* CCPA: Get Your Business Ready
*Webinar* CCPA: Get Your Business Ready*Webinar* CCPA: Get Your Business Ready
*Webinar* CCPA: Get Your Business Ready
 
Piwik PRO The Real Cost of Data Privacy
Piwik PRO The Real Cost of Data Privacy Piwik PRO The Real Cost of Data Privacy
Piwik PRO The Real Cost of Data Privacy
 
Gdpr action plan
Gdpr action plan Gdpr action plan
Gdpr action plan
 
Explain your algorithmic decisions for gdpr
Explain your algorithmic decisions for gdprExplain your algorithmic decisions for gdpr
Explain your algorithmic decisions for gdpr
 
2016-09-05-Lessons_Learned_From_The_FTC_v1c
2016-09-05-Lessons_Learned_From_The_FTC_v1c2016-09-05-Lessons_Learned_From_The_FTC_v1c
2016-09-05-Lessons_Learned_From_The_FTC_v1c
 
Security, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it rightSecurity, GDRP, and IT outsourcing: How to get it right
Security, GDRP, and IT outsourcing: How to get it right
 
GDPR
GDPRGDPR
GDPR
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e book
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
Web Analytics and Privacy
Web Analytics and Privacy Web Analytics and Privacy
Web Analytics and Privacy
 
Privacy Regulations and Your Digital Setup
Privacy Regulations and Your Digital SetupPrivacy Regulations and Your Digital Setup
Privacy Regulations and Your Digital Setup
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.GDPR: the legal aspects. By Matthias of theJurists Europe.
GDPR: the legal aspects. By Matthias of theJurists Europe.
 
Companies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next stepsCompanies, digital transformation and information privacy: the next steps
Companies, digital transformation and information privacy: the next steps
 
GDPR and personal data protection in EU research projects
GDPR and personal data protection in EU research projectsGDPR and personal data protection in EU research projects
GDPR and personal data protection in EU research projects
 
Legal Implications of a Cyber Attack
Legal Implications of a Cyber AttackLegal Implications of a Cyber Attack
Legal Implications of a Cyber Attack
 
GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands GDPR: data needs to be in safe hands
GDPR: data needs to be in safe hands
 
GDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your businessGDPR- Get the facts and prepare your business
GDPR- Get the facts and prepare your business
 

Viewers also liked

Meeting Policies LIVE: How to bring your policy to life with a well-designed,...
Meeting Policies LIVE: How to bring your policy to life with a well-designed,...Meeting Policies LIVE: How to bring your policy to life with a well-designed,...
Meeting Policies LIVE: How to bring your policy to life with a well-designed,...
SignUp4
 
Kurumsal Çözümler Rehberi 2013
Kurumsal Çözümler Rehberi 2013Kurumsal Çözümler Rehberi 2013
Kurumsal Çözümler Rehberi 2013
ERP Committee Turkey
 
Kurumsal Çözüm Önerileri Rehberi
Kurumsal Çözüm Önerileri RehberiKurumsal Çözüm Önerileri Rehberi
Kurumsal Çözüm Önerileri Rehberi
ERP Committee Turkey
 
Getting “Buy-In” for a Strategic Meetings Management Program (SMMP)
Getting “Buy-In” for a Strategic Meetings Management Program (SMMP)Getting “Buy-In” for a Strategic Meetings Management Program (SMMP)
Getting “Buy-In” for a Strategic Meetings Management Program (SMMP)
SignUp4
 
Lista de utiles escolares del sexto grado 2016
Lista de utiles escolares del sexto grado 2016Lista de utiles escolares del sexto grado 2016
Lista de utiles escolares del sexto grado 2016
Paulina Quispe
 
php[world] 2015 Training - Laravel from the Ground Up
php[world] 2015 Training - Laravel from the Ground Upphp[world] 2015 Training - Laravel from the Ground Up
php[world] 2015 Training - Laravel from the Ground Up
Joe Ferguson
 

Viewers also liked (19)

Meeting Policies LIVE: How to bring your policy to life with a well-designed,...
Meeting Policies LIVE: How to bring your policy to life with a well-designed,...Meeting Policies LIVE: How to bring your policy to life with a well-designed,...
Meeting Policies LIVE: How to bring your policy to life with a well-designed,...
 
Cutting Edge Robotics
Cutting Edge RoboticsCutting Edge Robotics
Cutting Edge Robotics
 
SMM Basics 101
SMM Basics 101 SMM Basics 101
SMM Basics 101
 
Kurumsal Çözümler Rehberi 2013
Kurumsal Çözümler Rehberi 2013Kurumsal Çözümler Rehberi 2013
Kurumsal Çözümler Rehberi 2013
 
Kurumsal Çözüm Önerileri Rehberi
Kurumsal Çözüm Önerileri RehberiKurumsal Çözüm Önerileri Rehberi
Kurumsal Çözüm Önerileri Rehberi
 
Creatief innoveren am
Creatief innoveren amCreatief innoveren am
Creatief innoveren am
 
Virtualization
VirtualizationVirtualization
Virtualization
 
Instagram Training for Collective Bias
Instagram Training for Collective BiasInstagram Training for Collective Bias
Instagram Training for Collective Bias
 
Getting “Buy-In” for a Strategic Meetings Management Program (SMMP)
Getting “Buy-In” for a Strategic Meetings Management Program (SMMP)Getting “Buy-In” for a Strategic Meetings Management Program (SMMP)
Getting “Buy-In” for a Strategic Meetings Management Program (SMMP)
 
PDMS
PDMSPDMS
PDMS
 
Culture of gilgit baltistan
Culture of gilgit baltistanCulture of gilgit baltistan
Culture of gilgit baltistan
 
Lista de utiles escolares del sexto grado 2016
Lista de utiles escolares del sexto grado 2016Lista de utiles escolares del sexto grado 2016
Lista de utiles escolares del sexto grado 2016
 
Credit Scoring 101 Education
Credit Scoring 101 EducationCredit Scoring 101 Education
Credit Scoring 101 Education
 
Adventures in Laravel 5 SunshinePHP 2016 Tutorial
Adventures in Laravel 5 SunshinePHP 2016 TutorialAdventures in Laravel 5 SunshinePHP 2016 Tutorial
Adventures in Laravel 5 SunshinePHP 2016 Tutorial
 
El Oráculo De Paracelso
El Oráculo De ParacelsoEl Oráculo De Paracelso
El Oráculo De Paracelso
 
Console Apps: php artisan forthe:win
Console Apps: php artisan forthe:win Console Apps: php artisan forthe:win
Console Apps: php artisan forthe:win
 
php[world] 2015 Training - Laravel from the Ground Up
php[world] 2015 Training - Laravel from the Ground Upphp[world] 2015 Training - Laravel from the Ground Up
php[world] 2015 Training - Laravel from the Ground Up
 
ROLE OF HRIS IN EFFECTIVE WORKFORCE PLANNING
ROLE OF HRIS IN EFFECTIVE WORKFORCE PLANNINGROLE OF HRIS IN EFFECTIVE WORKFORCE PLANNING
ROLE OF HRIS IN EFFECTIVE WORKFORCE PLANNING
 
Internship report on HRIS
Internship report on HRISInternship report on HRIS
Internship report on HRIS
 

Similar to 2017: Privacy Issues on the Horizon

[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities
TrustArc
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 Predictions
Resilient Systems
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Financial Poise
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Shawn Tuma
 

Similar to 2017: Privacy Issues on the Horizon (20)

Data Privacy
Data PrivacyData Privacy
Data Privacy
 
[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities[Privacy Webinar Slides] Global Enforcement Priorities
[Privacy Webinar Slides] Global Enforcement Priorities
 
IT risk discusion qustion.pdf
IT risk discusion qustion.pdfIT risk discusion qustion.pdf
IT risk discusion qustion.pdf
 
Data breaches at home and abroad
Data breaches at home and abroad Data breaches at home and abroad
Data breaches at home and abroad
 
Cookies, FLoC & GDPR: Marketing Impact
Cookies, FLoC & GDPR: Marketing ImpactCookies, FLoC & GDPR: Marketing Impact
Cookies, FLoC & GDPR: Marketing Impact
 
Cloud Security Law Issues--an Overview
Cloud Security Law Issues--an OverviewCloud Security Law Issues--an Overview
Cloud Security Law Issues--an Overview
 
nerfslides.pptx
nerfslides.pptxnerfslides.pptx
nerfslides.pptx
 
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
GDPR Pop Up | Human Capital Department - HR Forum - 26 April 2018
 
Why the new data laws are good for UX
Why the new data laws are good for UXWhy the new data laws are good for UX
Why the new data laws are good for UX
 
A Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 PredictionsA Breach Carol: 2013 Review, 2014 Predictions
A Breach Carol: 2013 Review, 2014 Predictions
 
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy ComplianceCorporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
Corporate & Regulatory Compliance Boot Camp - Data Privacy Compliance
 
The Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPRThe Countdown is on: Key Things to Know About the GDPR
The Countdown is on: Key Things to Know About the GDPR
 
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
Cybersecurity Legal and Compliance Issues Business & IT Leaders Must Know -- ...
 
DATA SAFEGUARD INC.- WHITE PAPER
DATA SAFEGUARD INC.- WHITE PAPERDATA SAFEGUARD INC.- WHITE PAPER
DATA SAFEGUARD INC.- WHITE PAPER
 
GDPR is Coming, Five Things You Can Do Now To Prepare
GDPR is Coming, Five Things You Can Do Now To PrepareGDPR is Coming, Five Things You Can Do Now To Prepare
GDPR is Coming, Five Things You Can Do Now To Prepare
 
GDPR training
GDPR training GDPR training
GDPR training
 
Cloud Roundtable
Cloud RoundtableCloud Roundtable
Cloud Roundtable
 
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business ClientsCyber Security for Your Clients: Business Lawyers Advising Business Clients
Cyber Security for Your Clients: Business Lawyers Advising Business Clients
 
Ethical and social issues in information systems
Ethical and social issues in information systemsEthical and social issues in information systems
Ethical and social issues in information systems
 
Data Protection and Comnpliance with the GDPR Event 22 september 2016
Data Protection and Comnpliance with the GDPR Event 22 september 2016 Data Protection and Comnpliance with the GDPR Event 22 september 2016
Data Protection and Comnpliance with the GDPR Event 22 september 2016
 

More from Winston & Strawn LLP

The Nordic Sessions: Avoiding Employment Law Landmines
The Nordic Sessions: Avoiding Employment Law LandminesThe Nordic Sessions: Avoiding Employment Law Landmines
The Nordic Sessions: Avoiding Employment Law Landmines
Winston & Strawn LLP
 
Latest Developments Regarding Arbitration in Hong Kong and Mainland China
Latest Developments Regarding Arbitration in Hong Kong and Mainland ChinaLatest Developments Regarding Arbitration in Hong Kong and Mainland China
Latest Developments Regarding Arbitration in Hong Kong and Mainland China
Winston & Strawn LLP
 
Recent Trends in Regulatory Actions Impacting Banks and Financial Institutions
Recent Trends in Regulatory Actions Impacting Banks and Financial InstitutionsRecent Trends in Regulatory Actions Impacting Banks and Financial Institutions
Recent Trends in Regulatory Actions Impacting Banks and Financial Institutions
Winston & Strawn LLP
 
Computer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowComputer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to Know
Winston & Strawn LLP
 
Maximizing Deductions in Light of the Section 162(m) Guidance
Maximizing Deductions in Light of the Section 162(m) GuidanceMaximizing Deductions in Light of the Section 162(m) Guidance
Maximizing Deductions in Light of the Section 162(m) Guidance
Winston & Strawn LLP
 
Regulators on the Move – Recent Treasury and Comptroller Actions: How They Af...
Regulators on the Move – Recent Treasury and Comptroller Actions: How They Af...Regulators on the Move – Recent Treasury and Comptroller Actions: How They Af...
Regulators on the Move – Recent Treasury and Comptroller Actions: How They Af...
Winston & Strawn LLP
 
IRS and DOL Audit Issues for Retirement Plans
IRS and DOL Audit Issues for Retirement PlansIRS and DOL Audit Issues for Retirement Plans
IRS and DOL Audit Issues for Retirement Plans
Winston & Strawn LLP
 
Solutions to Section 301 Tariffs on Products from China—Managing the Shock of...
Solutions to Section 301 Tariffs on Products from China—Managing the Shock of...Solutions to Section 301 Tariffs on Products from China—Managing the Shock of...
Solutions to Section 301 Tariffs on Products from China—Managing the Shock of...
Winston & Strawn LLP
 
Cryptocurrency Crackdown: What You Need to Know about Enhanced IRS/Government...
Cryptocurrency Crackdown: What You Need to Know about Enhanced IRS/Government...Cryptocurrency Crackdown: What You Need to Know about Enhanced IRS/Government...
Cryptocurrency Crackdown: What You Need to Know about Enhanced IRS/Government...
Winston & Strawn LLP
 
Under New Management: What to Expect from a Trump NLRB
Under New Management: What to Expect from a Trump NLRBUnder New Management: What to Expect from a Trump NLRB
Under New Management: What to Expect from a Trump NLRB
Winston & Strawn LLP
 

More from Winston & Strawn LLP (20)

The Nordic Sessions: Avoiding Employment Law Landmines
The Nordic Sessions: Avoiding Employment Law LandminesThe Nordic Sessions: Avoiding Employment Law Landmines
The Nordic Sessions: Avoiding Employment Law Landmines
 
Latest Developments Regarding Arbitration in Hong Kong and Mainland China
Latest Developments Regarding Arbitration in Hong Kong and Mainland ChinaLatest Developments Regarding Arbitration in Hong Kong and Mainland China
Latest Developments Regarding Arbitration in Hong Kong and Mainland China
 
Recent Trends in Regulatory Actions Impacting Banks and Financial Institutions
Recent Trends in Regulatory Actions Impacting Banks and Financial InstitutionsRecent Trends in Regulatory Actions Impacting Banks and Financial Institutions
Recent Trends in Regulatory Actions Impacting Banks and Financial Institutions
 
Computer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to KnowComputer Forensics – What Every Lawyer Needs to Know
Computer Forensics – What Every Lawyer Needs to Know
 
Maximizing Deductions in Light of the Section 162(m) Guidance
Maximizing Deductions in Light of the Section 162(m) GuidanceMaximizing Deductions in Light of the Section 162(m) Guidance
Maximizing Deductions in Light of the Section 162(m) Guidance
 
Regulators on the Move – Recent Treasury and Comptroller Actions: How They Af...
Regulators on the Move – Recent Treasury and Comptroller Actions: How They Af...Regulators on the Move – Recent Treasury and Comptroller Actions: How They Af...
Regulators on the Move – Recent Treasury and Comptroller Actions: How They Af...
 
IRS and DOL Audit Issues for Retirement Plans
IRS and DOL Audit Issues for Retirement PlansIRS and DOL Audit Issues for Retirement Plans
IRS and DOL Audit Issues for Retirement Plans
 
Solutions to Section 301 Tariffs on Products from China—Managing the Shock of...
Solutions to Section 301 Tariffs on Products from China—Managing the Shock of...Solutions to Section 301 Tariffs on Products from China—Managing the Shock of...
Solutions to Section 301 Tariffs on Products from China—Managing the Shock of...
 
Best Practices for Anti-Bribery and Anti-Corruption (ABAC) Compliance
Best Practices for Anti-Bribery and Anti-Corruption (ABAC) ComplianceBest Practices for Anti-Bribery and Anti-Corruption (ABAC) Compliance
Best Practices for Anti-Bribery and Anti-Corruption (ABAC) Compliance
 
International Transactions Program
International Transactions ProgramInternational Transactions Program
International Transactions Program
 
Recent Legislation Impacting Dodd-Frank Requirements: What Financial Institut...
Recent Legislation Impacting Dodd-Frank Requirements: What Financial Institut...Recent Legislation Impacting Dodd-Frank Requirements: What Financial Institut...
Recent Legislation Impacting Dodd-Frank Requirements: What Financial Institut...
 
Trade Secret Protection: Practical Advice on Protecting and Defending Your Or...
Trade Secret Protection: Practical Advice on Protecting and Defending Your Or...Trade Secret Protection: Practical Advice on Protecting and Defending Your Or...
Trade Secret Protection: Practical Advice on Protecting and Defending Your Or...
 
Cryptocurrency Crackdown: What You Need to Know about Enhanced IRS/Government...
Cryptocurrency Crackdown: What You Need to Know about Enhanced IRS/Government...Cryptocurrency Crackdown: What You Need to Know about Enhanced IRS/Government...
Cryptocurrency Crackdown: What You Need to Know about Enhanced IRS/Government...
 
Sanctions & Export Controls: Focus on Medical Devices
Sanctions & Export Controls: Focus on Medical DevicesSanctions & Export Controls: Focus on Medical Devices
Sanctions & Export Controls: Focus on Medical Devices
 
The Equal Rights Amendment: Legal Issues and Implications
The Equal Rights Amendment: Legal Issues and ImplicationsThe Equal Rights Amendment: Legal Issues and Implications
The Equal Rights Amendment: Legal Issues and Implications
 
Under New Management: What to Expect from a Trump NLRB
Under New Management: What to Expect from a Trump NLRBUnder New Management: What to Expect from a Trump NLRB
Under New Management: What to Expect from a Trump NLRB
 
2018 Hot Topics for Health & Welfare Plans, Fringe Benefits, and Withholding ...
2018 Hot Topics for Health & Welfare Plans, Fringe Benefits, and Withholding ...2018 Hot Topics for Health & Welfare Plans, Fringe Benefits, and Withholding ...
2018 Hot Topics for Health & Welfare Plans, Fringe Benefits, and Withholding ...
 
The Real Deal Webinar Series: Delaware Law Developments/Recent Judicial Decis...
The Real Deal Webinar Series: Delaware Law Developments/Recent Judicial Decis...The Real Deal Webinar Series: Delaware Law Developments/Recent Judicial Decis...
The Real Deal Webinar Series: Delaware Law Developments/Recent Judicial Decis...
 
The Real Deal Webinar Series: Practical Advice from a Former Chief Compliance...
The Real Deal Webinar Series: Practical Advice from a Former Chief Compliance...The Real Deal Webinar Series: Practical Advice from a Former Chief Compliance...
The Real Deal Webinar Series: Practical Advice from a Former Chief Compliance...
 
The Current M&A Environment
The Current M&A EnvironmentThe Current M&A Environment
The Current M&A Environment
 

Recently uploaded

一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
bd2c5966a56d
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
Delhi Call girls
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
bd2c5966a56d
 
INVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxINVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptx
nyabatejosphat1
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书
E LSS
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdf
PoojaGadiya1
 
一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书 一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书
SS A
 
3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt
seri bangash
 
一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书
E LSS
 

Recently uploaded (20)

$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...
$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...
$ Love Spells^ 💎 (310) 882-6330 in Utah, UT | Psychic Reading Best Black Magi...
 
PPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxPPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptx
 
Performance of contract-1 law presentation
Performance of contract-1 law presentationPerformance of contract-1 law presentation
Performance of contract-1 law presentation
 
Doctrine of Part-Performance.ddddddddddppt
Doctrine of Part-Performance.ddddddddddpptDoctrine of Part-Performance.ddddddddddppt
Doctrine of Part-Performance.ddddddddddppt
 
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
一比一原版(UC毕业证书)堪培拉大学毕业证如何办理
 
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxKEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
 
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
一比一原版(QUT毕业证书)昆士兰科技大学毕业证如何办理
 
INVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxINVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptx
 
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdfBPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdf
 
一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书 一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书
 
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
 
3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt3 Formation of Company.www.seribangash.com.ppt
3 Formation of Company.www.seribangash.com.ppt
 
一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书
 
Clarifying Land Donation Issues Memo for
Clarifying Land Donation Issues Memo forClarifying Land Donation Issues Memo for
Clarifying Land Donation Issues Memo for
 
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptx
 
The doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statuteThe doctrine of harmonious construction under Interpretation of statute
The doctrine of harmonious construction under Interpretation of statute
 

2017: Privacy Issues on the Horizon

  • 1. 2017: Privacy Issues on the Horizon January 19, 2017
  • 2. Today’s Presenters 2 Liisa M. Thomas Chair, Privacy and Data Security Practice Chicago, London lmthomas@winston.com Robert H. Newman Partner, Privacy and Data Security Practice Chicago rnewman@winston.com
  • 3. Overview • Data Breach • The European Privacy Landscape • The “Internet of Things” • Privacy and Security in China • Industry-Specific Privacy Requirements • Mobile Tracking 3
  • 5. Audience Question One As a consumer, do you feel protected by breach notice laws? 5
  • 6. New U.S. State Laws That Took Effect in 2016 6
  • 7. GDPR: Beginning May 2018 72 hours 7
  • 10. Audience Question Two As a consumer, when (not if) you get a notice that your personal information has been breached, do you feel harmed? 10
  • 11. Spokeo: Why Aren’t There Fewer Cases? • Spokeo, Inc. v. Robins (May 2016) • Court held that statutory violations, alone, aren’t enough to satisfy the injury requirement for Article III standing • Because the harm to the plaintiff from a defendant’s mere statutory violation is not “concrete” • However, a “concrete” harm need not necessarily be “tangible” What is a concrete harm is thus unclear 11
  • 12. No Harm • Kamal v. J. Crew Grp., Inc. (U.S. District Court for the District of New Jersey) • J. Crew printed more than five credit card digits on in-store sales receipts, in potential violation of FACTA • Court held that the supposed harm of the FACTA violation (a heightened risk of potential future identity theft) is not concrete 12
  • 13. Harm • Flaum v. Doctor’s Associates Inc. (U.S. District Court for the Southern District of Florida) • Subway operator printed five debit card digits plus an expiration date on in-store sales receipts, in potential violation of FACTA • Carlos Guarisma v. Microsoft Corp (U.S. District Court for the Southern District of Florida) • Microsoft retail store printed first six digits of credit card, plus last four, on plaintiff’s printed sales receipt, in potential violation of FACTA • Courts reasoned that FACTA confers a substantive right (rather than a procedural right) • In Guarisma, court held “Where Congress has endowed plaintiffs with a substantive legal right, as opposed to creating a procedural requirement, the plaintiffs may sue to enforce such a right without establishing additional harm” 13
  • 14. How Courts Will Rule… Right now not easy to predict, cases thus likely to continue… 14
  • 16. The European Privacy Landscape
  • 17. GDPR Will Usher in New EU Privacy Regime • May 2018: General Data Protection Regulation (GDPR) will repeal and replace the EU Data Privacy Directive 17 Key Changes from Data Protection Directive EU-wide regulation (not country- by-country) Opt-in consent for data processing Right to be forgotten Record keeping requirements Data Protection Officers
  • 18. Audience Question(s) Three Will your company be adding a Data Protection Officer (DPO) to address GDPR? If not, is it because you already have a DPO? If not, is it because you don’t have EU operations? 18
  • 19. Do You Need a Data Protection Officer Under GDPR? Companies with core activities that require regular and systematic monitoring of individuals on a large scale. Article 37(1)(b). But what does that mean in practice? 19
  • 20. Core Activities Those that are key to achieving a company’s goals (e.g., processing of patient data by a hospital) 20 Processing patient data Hospital Monitoring shopping center Security company
  • 21. Regular and systematic Ongoing or recurring on a fixed basis in a manner that shows some planning or strategy 21 Online profiling Online tracking Retargeting Location tracking Loyalty program Monitoring fitness (wearable)
  • 22. Large scale Standards likely to develop over time… 22 Processing customer geo- location data for statistical purposes related to the company’s services Processing customer data in “regular course of business”
  • 24. Privacy Shield: Will it Gain Traction? But even if not … it can help to go through the process and get your “privacy house in order” 24 Will EC re-evaluate effectiveness annually? Will Department of Commerce really give greater scrutiny than under Safe Harbor? How burdensome will vendor management be for enforcing contractual provisions? How will the new U.S. administration impact certainty and predictability?
  • 25. Reminder: Alternatives to Privacy Shield 25 Model Clauses Binding Corporate Rules
  • 26. The “Internet of Things”
  • 27. Audience Question Four Do you have a connected device (a wearable fitness monitor, baby monitor, home security camera, Internet-connected fridge, Internet-connected thermostat)? 27
  • 28. What is the Risk? October 2016: Massive DDoS attack of Dyn web servers using connected “smart” consumer devices with default usernames and passwords 28
  • 29. Regulators Taking Notice FTC settlement with ASUSTeK • A cloud computing and router company • FTC alleged that gaps in ASUSTeK’s products’ security violated its promises to protect consumer information (i.e., a deceptive act) 15 state AGs settle with Adobe for $1 million • Data breach impacted more than half a million users • AGs were concerned by Adobe’s alleged lack of mechanisms to detect and respond to unauthorized activity in its systems 29
  • 32. Audience Question Five Does your organization have operations in China or work with third parties (like suppliers) from China? 32
  • 33. Draft Regulations to Update Consumer Rights Protection Law • Reiterates existing data privacy rules under the 2013 Consumer Rights Protection Law • E.g., disclosure and consent requirements, data security measures • New requirements • Data collection must be relevant to the business operations • No electronic marketing or telemarketing without consent • “Personal information” expanded to include biometric data • New exception: Operators may transfer data without consent if it has been desensitized so an individual cannot be identified 33
  • 34. New Cybersecurity Law Raises Concerns for Non-Chinese Organizations • Broad new powers for Chinese government to investigate crime and protect IT systems • Permits the Chinese government to audit organizations and require security certification • Potential effect: Chinese government could obtain proprietary information (e.g., source code) and encryption keys for sensitive systems • Also requires companies to store data locally • Potential impact on cross-border data transfers • Data processors must obtain government permission before transferring consumer or other important information out of the country • Will take effect June 2017 34
  • 37. Audience Question Six Do you feel like you have a strong handle on existing legal requirements about how your organization can collect, use, and store information, including how your organization can interact with consumers using their information? 37
  • 38. Everyone “Wants In” on the Privacy Game • Requirements on organizations continue to proliferate • Critical to understand what information a company holds, how it gets it, how it is used, and how it is protected 38 FTC
  • 40. FCC’s Recently Finalized Privacy Regulations • Applies to Internet service providers (ISPs) • New rules for collecting “sensitive data” • Defined to include children’s information, health and financial information, geolocation records, and Internet browsing history • ISPs must get express prior consent (i.e., opt-in consent) from customers before collecting “sensitive” data 40
  • 41. FCC Regs vs. Other Regulatory Oversight • FCC (opt-in) vs. FTC (opt-out) for collecting • If FCC preempts state law, yet another layer of complication 41 Confusion State AGs FCC FTC
  • 42. CFPB Begins Privacy Enforcement Efforts (Financial Services) First enforcement against Dwolla (online payment platform) • Settlement over alleged misrepresentations over data security claims • Claimed to be “safe” and “secure” • Per CFPB: Dwolla allegedly failed to encrypt sensitive data, conduct risk assessments, or train employees 42 Board responsible for implementing and overseeing compliance $100,000 civil penalty Annual audits to identify security flaws 2x per year internal security assessments Appoint someone to lead data security program Employee training Draft / implement data security plan
  • 44. Audience Question Seven Do you play Pokémon GO? 44
  • 45. Pokémon GO and Geolocation Tracking Disclosures 45
  • 47. FTC’s Take on Geolocation • FTC recs: “Mobile Privacy Disclosures: Building Trust Through Transparency” • InMobi settlement (June 2016) • Mobile advertising network allegedly bypassed location settings on users’ phones to collect location data 47 Annual audits for 20 years Must delete improperly obtained location data Must get EXPRESS consent for location tracking Nearly $1 million civil penalty Just-in-time disclosures Affirmative consent
  • 48. Industry Self-Regulation on Geolocation • Digital Advertising Alliance mobile privacy guidelines on precise location data and third-parties • DAA Accountability Program enforcement against iTriage • Mobile app allegedly failed to disclose collection/sharing of location data with third parties for interest-based advertising • Settlement terms • Ceased collecting and sharing precise location data with third parties • Added just-in-time notifications for data collection in app 48 Provide notice of third-party collection or sharing (“clear, meaningful, and prominent”) Get consent for third-party collection or sharing
  • 49. Want More Information? • Winston Privacy Year In Review 2016 • http://cdn2.winston.com/images/content/1/1/v2/118486/Privacy-YIR- DEC2016.pdf 49
  • 50. Thank You. 50 Liisa M. Thomas Chair, Privacy and Data Security Practice Chicago, London lmthomas@winston.com Robert H. Newman Partner, Privacy and Data Security Practice Chicago rnewman@winston.com