Slide 1: Privacy & Cybersecurity Enforcement in the United States and European Union
Francoise Gilbert, Cybersecurity & Privacy, Greenberg Traurig - Silicon Valley & San Francisco
© Francoise Gilbert, April 24, 2019
Slide 2: Francoise Gilbert
- Shareholder / Partner, Greenberg Traurig LLP, Silicon Valley, California (USA)
- Practice focused on Information Privacy & Security, and Disruptive Technologies
- Author & Editor, Global Privacy & Security Law (2 volumes, 3,600 pages, 68 countries) (Aspen / Wolters Kluwer Law & Business)
- Founding Member & General Counsel, Cloud Security Alliance
- CIPP/US, CIPP/Europe, and CIPM certifications from the International Association of Privacy Professionals (IAPP)
- Admitted to practice law in California, Illinois and France
Slide 3: US Privacy & Cybersecurity
Slide 4: Privacy & Cybersecurity in the United States
US Legal Frameworks:
- Sectoral approach
  - Federal laws
  - State laws
- Unfair & Deceptive Practices laws: FTC, State AGs, competitors
- Standards: PCI DSS, ISO 27001, ISO 27002
- Agencies: FTC, FCC, SEC
- Digital advertising groups: DAA, NAI, IAB
Who enforces the laws:
- Government agencies
  - Federal Trade Commission
  - State Attorneys General
  - Other, e.g., HHS, SEC
- Private litigants
  - Individuals, competitors, class actions
Slide 5: US Enforcement Examples
Federal Trade Commission
- July & November 2018: Privacy Shield violations
- April 2018: privacy and security misrepresentation
- April 2018: violation of the Children's Online Privacy Protection Act
State Attorneys General
- CA 2019: $935,000, violation of CA law (envelope revealing HIV status)
- Multistate 2018: $148 million (Uber / failure to report data breach)
- Multistate 2018: 36 states sent a letter to Facebook (Cambridge Analytica)
- Multistate 2017: $18.5 million (Target / credit cards)
Class Action Litigation
- TCPA violations
- Security breaches
Slide 6: California Consumer Privacy Act of 2018
- Effective Jan. 1, 2020
- CCPA gives consumers unprecedented control over their personal information:
  - Expanded definition of personal information
  - Right of information + specified content of the Privacy Notice
  - Right of access to data collected about them
  - Right of data portability
  - Right of erasure
  - Right to opt out of the sale of their personal information
  - Protection for children under 16
- Allows businesses to provide financial incentives to consumers in exchange for the ability to make commercial use of their personal information
- Provides for enforcement by the CA State Attorney General; fines
- Includes a limited private right of action for security breaches; right to damages
Slide 7: Ohio Data Protection Act
- "An Act … to provide a legal safe harbor to covered entities that implement a specified cybersecurity program" (effective as of November 2, 2018)
- Safe harbor, in the form of an affirmative defense to any tort action (negligence, invasion of privacy) brought against the business alleging that its failure to implement reasonable information security controls resulted in a data breach concerning personal information, if the business has implemented one of the approaches designated in the Act
- To obtain the benefit of the affirmative defense, the business must create, maintain and comply with a written cybersecurity program that:
  - Contains administrative, technical and physical safeguards for the protection of personal information that reasonably conform to an industry-recognized cybersecurity framework as described in the Act
  - Is designed to do ALL of the following:
    - Protect the security and confidentiality of the information
    - Protect against any anticipated threats or hazards to the security & integrity of the information
    - Protect against unauthorized access to, and acquisition of, the information
  - Is appropriate in scale and scope to the information, the vulnerabilities, and the sensitivity of the information
Slide 8: Ohio Safe Harbor
For all businesses:
- NIST Cybersecurity Framework
- NIST SP
- NIST SP & 53-A
- FedRAMP
- Center for Internet Security Critical Security Controls for Effective Cyber Defense
- ISO 27000, 27001, 27002
For regulated businesses:
- HIPAA Security Rule Subpart C
- HITECH Act
- GLBA Title V Security Safeguards
- FISMA
- PCI DSS standards
Slide 9: EU GDPR
Slide 10: EU GDPR Enforcement Overview
Regulatory enforcement
- Supervisory authorities have broad powers to investigate and enforce on their own initiative
- The bulk of enforcement actions is complaint driven
Private enforcement
- GDPR contains special remedies for individuals and companies
- Material and non-material damages
- Class action rights for non-profit consumer organizations
Slide 11: Powers of Supervisory Authorities
Investigation
- Order companies to provide information
- Audit
- Obtain access to information, premises, equipment, means of processing
Corrective
- Issue warnings
- Issue reprimands (infringements)
- Order compliance with data protection rights
- Order to bring processing into compliance
- Order a ban on processing / suspension of data flows
- Withdraw certifications
- Impose administrative fines
Advisory / Authorization
- Advisory in the context of prior consultation
- Issue opinions concerning codes of conduct; accreditation of certification bodies
- Adopt standard contractual clauses; approve BCRs
Slide 12: Remedies for Consumers & Companies
- Right to file complaints with the Supervisory Authority (Art. 77): every data subject
- Right to an effective judicial remedy against a controller or processor (Art. 79)
- Right to an effective remedy against the Supervisory Authority (Art. 78): every data subject or legal person, against a legally binding decision of the Supervisory Authority concerning them or in case of non-action of the Supervisory Authority
- Right to compensation: any data subject who has suffered material or non-material damages as a result of a GDPR infringement
- Right to be represented by a non-profit consumer organization (Art. 80): an NPO active in the field of protection of individuals' rights and freedoms regarding the protection of personal data. Applies to complaints under Art. 78, 79, 80 and 82
Slide 13: EU GDPR - Status of Enforcement, Litigation
Throughout the EEA, Supervisory Authorities are reporting:
- Significant increase in complaint rates
- Significant increase in data breach notifications
- Actions initiated by consumer organizations seeking compensation for prior alleged violations of individuals' rights
- Complaints regarding online privacy notices that are not fully in line with the GDPR:
  - Incomplete notices
  - Legal basis for processing is unclear or non-compliant
  - Vague and unclear language
- Notable increase in complaint rates
Slide 14: EU GDPR - Statistics published in February 2019
- 95,180 complaints made to EU supervisory authorities regarding GDPR violations; the majority concerning:
  - Telemarketing
  - Promotional e-mails
  - Video surveillance / CCTV
- 225 cross-border investigations
- Fines issued:
  - France: 50 million euros against Google; lack of consent to personalized ads
  - Germany: 200,000 euros on a social network; failure to protect information
  - UK: 60,000 UK pounds; unsolicited direct marketing e-mails without consent
  - Austria: 5,280 euros; unlawful video surveillance
  - UK: 4,350 UK pounds; failure to pay the data protection fee
- Increase in breach notifications: 41,502 notices of breach of security filed
Slide 15: EU GDPR - Consumer Non-Profit Actions
NOYB (Schrems) complaints
- Location
  - France: against Google Android
  - Belgium: against Facebook / Instagram
  - Germany (Hamburg): against Facebook / WhatsApp
  - Austria: against Facebook
- Grounds
  - Company processing data on the basis of invalid consent
  - Bundled on the entire platform
  - Withdrawing consent not possible without detriment
Other organizations
- France: TestAchats
Slide 16: Questions?
Francoise Gilbert
Cybersecurity – Privacy – Disruptive Technologies
@francoisegilbrt
Greenberg Traurig LLP
1900 University Avenue, 5th Floor – East Palo Alto, CA 94303
4 Embarcadero Center, 30th Floor – San Francisco, CA 94111