On April 16, 2019, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert addressing all registered broker-dealers and investment advisers’ (together, “Firms”)[1] privacy-related obligations under Regulation S-P (“Reg S-P”).  The Risk Alert set out the most frequent Reg S-P deficiencies OCIE identified during examinations over the past two years, and encouraged registrants to review their written privacy policies and procedures as well as the consistency with which these policies and procedures have been implemented.  The Alert is the latest in a series of recent privacy and cybersecurity guidance documents issued by the SEC, including the February 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures and October 2018 Report of Investigation on cyber-related frauds and public company accounting controls.

This Risk Alert is consistent with the SEC’s approach of seeking to influence the conduct of registrants by providing guidance on specific compliance issues, followed by Risk Alerts noting common exam deficiencies, prior to pursuing enforcement actions.  Investment advisers and broker-dealers should  take this as a prompt to review their relevant policies and procedures to ensure they are appropriate and being followed in practice. Continue Reading SEC Privacy Risk Alert may Foreshadow Upcoming Reg S-P Enforcement Against Broker-Dealers, Investment Advisers

On April 9, 2019, an appellate court in Illinois held in Liu v. Four Seasons Hotel, Ltd.[1] that an employee’s allegations of violations of the state’s Biometric Information Privacy Act (“BIPA” or the “Act”) do not constitute allegations of “a wage or hour violation,” even where collection of biometric data is being used to monitor hours worked.  Coming on the heels of the Illinois Supreme Court’s decision in Rosenbach v. Six Flags Entertainment Corporation,[2] which held that plaintiffs are not required to allege harm beyond a “technical” violation of the Act in order to bring an action under BIPA, Liu demonstrates a developing pattern of recognition of broad privacy rights in Illinois courts. Continue Reading Illinois Appellate Court Holds Employee Biometric Privacy Claims Are Independent Of Wage and Hour Disputes

On April 10, 2019, the Department of Justice (“DOJ”) released a white paper titled Promoting Public Safety, Privacy, and the Rule of Law Around the World:  The Purpose and Impact of the CLOUD Act.  This white paper is the first official DOJ statement about the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) and reflects the DOJ’s current perspective on its scope and implications.  Below we summarize the CLOUD Act and discuss the DOJ’s key observations. Continue Reading DOJ Releases White Paper Addressing Scope & Implications of CLOUD Act

On March 27, 2019, journalists affiliated with Reuters reported that the Kunlun Group (“Kunlun”), a China-based tech firm, was preparing to sell its wholly owned subsidiary, Grindr, after the Committee on Foreign Investment in the United States (“CFIUS”) informed the group that Kunlun’s continued ownership of Grindr constituted a national security risk.  This forced divestiture of Grindr is a pointed reminder that CFIUS remains focused on protecting the sensitive personal data of U.S. citizens, has the power to upend closed deals that have not been cleared by the committee, and is dedicating increased resources to the review of transactions that are not notified to CFIUS. Continue Reading CFIUS Forces Kunlun to Unwind 2016 Acquisition of Grindr Over Concerns About the Protection of Sensitive Personal Data

On April 3, 2019, staff of the Securities and Exchange Commission released (1) a framework providing principles for analyzing whether a digital asset constitutes an investment contract, and thus a security, as defined in SEC v. W.J. Howey Co. and (2) a no-action letter permitting TurnKey Jet, Inc., without satisfying registration requirements under the Securities Act of 1933 and the Securities Exchange Act of 1934, to offer and sell “tokenized” cards that are recorded on a permissioned blockchain and can be used for the limited purpose of purchasing air charter services.

The framework and no-action letter are a logical expansion of prior SEC statements and actions applying Howey to digital assets, but raises important interpretative issues for newly issued digital assets.

Please click here to read the full alert memorandum.

On March 20, 2019, in Frank v. Gaos, the Supreme Court remanded a case challenging Google’s practice of disclosing users’ search terms to third parties, directing the lower courts to address whether class plaintiffs had Article III standing to bring the privacy action in light of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).[1]  Frank v. Gaos was originally notable because it had been resolved by a cy pres-only class action settlement, which had been appealed by objecting class members as inconsistent with Federal Rule of Civil Procedure 23.  As part of the remand, the Court vacated the settlement without opining on its validity. Continue Reading Supreme Court Vacates Approval of Class Action Settlement and Remands to Determine Article III Standing in Data Privacy Case

On Friday, March 15, 2019, the U.S. Federal Trade Commission (“FTC”) issued its 2018 Privacy & Data Security Update (the “Update”) detailing its activities last year in seven “zones” of privacy and data security: enforcement, advocacy, rules, workshops, reports and surveys, consumer education and business guidance, and international engagement.  Continue Reading Federal Trade Commission Issues 2018 Privacy and Data Security Update

On 12 February 2019, the European Data Protection Board (“EDPB”)[1] adopted its first opinion on an “administrative arrangement,” which provides a new mechanism for the transfer of personal data between European Union (“EU”) financial supervisory authorities and securities agencies and their non-EU counterparts.

Under the EU’s General Data Protection Regulation 2016/679 (“GDPR”), personal data cannot be transferred from the European Economic Area (“EEA”) to a third country unless the European Commission has decided that such third country is “adequate” from a data protection laws perspective, or “appropriate safeguards” are in place to ensure that the treatment of personal data in the hands of the recipient reflects the GDPR’s high standards. Article 46 of the GDPR provides for various safeguarding options, including the possibility of “provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.[2] No such “administrative arrangements” have been approved by the EDPB until now. Continue Reading EDPB Issues First Opinion on Administrative Arrangements Under the GDPR for Cross-Border Data Flows Between EU and Non-EU Securities Agencies

In summer 2018, a new Indian Personal Data Protection Bill was released by a Committee of Experts formed under the Chairmanship of Justice B.N. Srikrishna (the “Bill”), accompanied by a report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians.” After several months’ hiatus, reports are emerging of renewed impetus from India’s Ministry of Electronics and Information Technology (“MEITY”) for the Bill to be put before Parliament.

The proposed introduction of the Bill continues a global trend in the revision of data protection laws: from California to Canada, from Bahrain to Brazil, many jurisdictions have recently proposed, or are in the process of adopting, new, stricter data protection legislation that, to varying degrees, bears the hallmarks of the recently-effective EU General Data Protection Regulation (“GDPR”).

As the global data protection map evolves, what should multinational organisations do to remain compliant? National legislatures are contributing to a global patchwork of data protection policy and each new law has been shaped by different political and cultural motivations. Consequently, areas of incompatibility between regimes are becoming visible.

This article recaps on the key provisions of the proposed Bill, examines potential incompatibilities with the GDPR, and concludes with what this means for multinational organisations who may be required to navigate both frameworks.

Please click here to read the full article.

On January 24 2019, Canada’s Office of the Superintendent of Financial Institutions (“OSFI”) released an Advisory detailing new requirements for Canadian federally regulated financial institutions (“FRFIs”) to report cyber incidents within 72 hours.  FRFIs include banks, trust companies, loan companies, life insurance companies, property and casualty insurance companies, and fraternal benefit societies.

The new reporting requirements become effective on March 31, 2019. Continue Reading Canadian Financial Regulator Publishes New Cyber Incident Reporting Guidelines Effective March 2019