Privacy & Cybersecurity Enforcement in the United States and European Union
Francoise Gilbert, Cybersecurity & Privacy, Greenberg Traurig - Silicon Valley & San Francisco
gilbertf@gtlaw.com | 650-804-1235 | www.globalprivacybook.com | www.francoisegilbert.com
© 2019 Francoise Gilbert. April 24, 2019
Francoise Gilbert
- Shareholder / Partner, Greenberg Traurig LLP, Silicon Valley, California (USA)
- Practice focused on Information Privacy & Security, and Disruptive Technologies
- Author & Editor, Global Privacy & Security Law (2 volumes, 3,600 pages, 68 countries) (Aspen / Wolters Kluwer Law & Business)
- Founding Member & General Counsel, Cloud Security Alliance
- CIPP/US, CIPP/Europe, and CIPM certifications from the International Association of Privacy Professionals (IAPP)
- Admitted to practice law in California, Illinois and France
US Privacy & Cybersecurity
Privacy & Cybersecurity in the United States
US legal frameworks: sectoral approach
- Federal laws
- State laws
- Unfair & deceptive practices laws: FTC, State AGs, competitors
- Standards: PCI DSS, ISO 27001, ISO 27002
- Agencies: FTC, FCC, SEC
- Digital advertising self-regulatory groups: DAA, NAI, IAB
Who enforces the laws
- Government agencies
  - Federal Trade Commission
  - State Attorneys General
  - Others, e.g., HHS, SEC
- Private litigants
  - Individuals, competitors, class actions
US Enforcement Examples
Federal Trade Commission
- July & November 2018: Privacy Shield violations
- April 2018: privacy and security misrepresentations
- April 2018: violation of the Children's Online Privacy Protection Act (COPPA)
State Attorneys General
- CA 2019: $935,000, violation of California law (mailing envelope revealing recipients' HIV status)
- Multistate 2018: $148 million (Uber / failure to report a data breach)
- Multistate 2018: 36 states sent a letter to Facebook (Cambridge Analytica)
- Multistate 2017: $18.5 million (Target / payment card breach)
Class action litigation
- TCPA violations
- Security breaches
California Consumer Privacy Act of 2018 (CCPA), effective Jan. 1, 2020
- Gives consumers unprecedented control over their personal information
- Expanded definition of personal information
- Right to information, plus specified mandatory content for the privacy notice
- Right of access to the data collected about them
- Right of data portability
- Right of erasure
- Right to opt out of the sale of their personal information
- Protection for children under 16 (sale of their personal information requires opt-in consent)
- Allows businesses to offer consumers financial incentives in exchange for the ability to make commercial use of their personal information
- Enforcement by the California Attorney General; civil penalties
- Limited private right of action for security breaches, with a right to statutory or actual damages
Ohio Data Protection Act
"An Act … to provide a legal safe harbor to covered entities that implement a specified cybersecurity program" (effective November 2, 2018)
- The safe harbor takes the form of an affirmative defense to any tort action (negligence, invasion of privacy) alleging that the business's failure to implement reasonable information security controls resulted in a data breach concerning personal information, provided the business has implemented one of the approaches designated in the Act
- To obtain the benefit of the affirmative defense, the business must create, maintain and comply with a written cybersecurity program that:
  - Contains administrative, technical and physical safeguards for the protection of personal information that reasonably conform to an industry-recognized cybersecurity framework as described in the Act
  - Is designed to do ALL of the following:
    - Protect the security and confidentiality of the information
    - Protect against any anticipated threats or hazards to the security and integrity of the information
    - Protect against unauthorized access to, and acquisition of, the information
  - Is appropriate in scale and scope, taking into account the nature of the information, the known vulnerabilities, and the sensitivity of the information
Ohio Safe Harbor: frameworks recognized by the Act
For all businesses (reasonable conformance to one of):
- NIST Cybersecurity Framework
- NIST SP 800-171
- NIST SP 800-53 & 800-53A
- FedRAMP
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
- ISO/IEC 27000 family (27001, 27002)
For regulated businesses (the regime the business is already subject to):
- HIPAA Security Rule (Subpart C)
- HITECH Act
- GLBA Title V security safeguards
- FISMA
PCI DSS: qualifies when combined with a current version of one of the frameworks listed for all businesses
Caveat: the program must track a current version of the chosen framework; when a framework is revised, the Act allows one year from publication of the revision to conform to it
EU GDPR
EU GDPR Enforcement Overview
Regulatory enforcement
- Supervisory authorities have broad powers to investigate and enforce on their own initiative
- The bulk of enforcement actions is complaint-driven
Private enforcement
- The GDPR contains specific remedies for individuals and companies
- Compensation for material and non-material damage
- Representative action rights for non-profit consumer organizations
Powers of Supervisory Authorities (GDPR Art. 58)
Investigative
- Order companies to provide information
- Carry out audits
- Obtain access to information, premises, equipment and means of processing
Corrective
- Issue warnings
- Issue reprimands (for infringements)
- Order compliance with data subject rights
- Order that processing be brought into compliance
- Impose a ban on processing / suspend data flows to recipients in third countries
- Withdraw certifications
- Impose administrative fines
Advisory / authorization
- Advise in the context of prior consultation
- Issue opinions on codes of conduct; accredit certification bodies
- Adopt standard contractual clauses; approve binding corporate rules (BCRs)
Remedies for Consumers & Companies
- Right to lodge a complaint with a Supervisory Authority (Art. 77): every data subject
- Right to an effective judicial remedy against a controller or processor (Art. 79)
- Right to an effective judicial remedy against the Supervisory Authority (Art. 78): every natural or legal person, against a legally binding decision of the Supervisory Authority concerning them, or where the Supervisory Authority fails to act on a complaint
- Right to compensation (Art. 82): any person who has suffered material or non-material damage as a result of a GDPR infringement
- Right to be represented by a not-for-profit body (Art. 80): a body active in the field of protection of data subjects' rights and freedoms with regard to their personal data; covers the rights under Art. 77, 78, 79 and 82
EU GDPR - Status of Enforcement and Litigation
Throughout the EEA, Supervisory Authorities report:
- Significant increase in complaint rates
- Significant increase in data breach notifications
- Actions initiated by consumer organizations seeking compensation for prior alleged violations of individuals' rights
- Complaints about online privacy notices that are not fully in line with the GDPR:
  - Incomplete notices
  - Legal basis for processing unclear or non-compliant
  - Vague and unclear language
EU GDPR - Statistics published in February 2019
- 95,180 complaints lodged with EU supervisory authorities regarding GDPR violations; the majority concern:
  - Telemarketing
  - Promotional emails
  - Video surveillance / CCTV
- 225 cross-border investigations
- Fines issued:
  - France: EUR 50 million against Google; lack of valid consent for personalized ads
  - Germany: EUR 20,000 against a social network; failure to protect user data (passwords stored in plaintext)
  - UK: GBP 60,000; unsolicited direct marketing emails sent without consent
  - Austria: EUR 5,280; unlawful video surveillance
  - UK: GBP 4,350; failure to pay the data protection fee
- Increase in breach notifications: 41,502 security breach notifications filed
EU GDPR - Consumer Non-Profit Actions
NOYB (Schrems) complaints
- Where filed
  - France: against Google (Android)
  - Belgium: against Facebook / Instagram
  - Germany (Hamburg): against Facebook / WhatsApp
  - Austria: against Facebook
- Grounds
  - The company processes data on the basis of invalid consent
  - Consent is bundled with use of the entire platform
  - Consent cannot be withdrawn without detriment
Other organizations
- Belgium: Test-Achats
Questions?
Francoise Gilbert, Cybersecurity – Privacy – Disruptive Technologies
+1 650 804 1235 | gilbertf@gtlaw.com | www.francoisegilbert.com | @francoisegilbrt | www.globalprivacybook.com
Greenberg Traurig LLP
1900 University Avenue, 5th Floor - East Palo Alto, CA 94303
4 Embarcadero Center, 30th Floor – San Francisco, CA 94111