Hashed & Salted | A Privacy and Data Security Update
Welcome to Issue 4 of Hashed & Salted! We are still buzzing from the excitement of being back live at the International Association of Privacy Professionals (IAPP) Global Privacy Summit in Washington, D.C., last week. After two years of virtual meetings, it was good to see many of you in person at the conference and our reception.
IAPP put on a great event this year. From Apple CEO Tim Cook to FTC Chair Lina Khan, and panels featuring U.S. and EU regulators, news of forthcoming SCCs from Brazil, and sessions on the privacy challenges arising out of emerging technologies, there was a lot to digest. FTC Chair Khan, speaking at one of the keynote sessions, expressed the view that the FTC must “reassess the frameworks we presently use to assess unlawful conduct,” in particular that “present market realities may render the ‘notice and consent’ paradigm outdated and insufficient.” In its place, Khan suggested: “I believe we should approach data privacy and security protections by considering substantive limits rather than just procedural protections, which tend to create process requirements while sidestepping more fundamental questions about whether certain types of data collection and processing should be permitted in the first place,” and noted that “[p]rivacy legislation from Congress could also help usher in this type of new paradigm.” It is clear that we have a lot of work ahead of us.
The activity at the state level continues. We are watching Connecticut very closely over the next two weeks. Connecticut’s legislative session ends on May 4, and its comprehensive privacy bill continues to progress toward floor votes in the House and Senate. While state legislatures across the country continue to propose and debate new privacy bills (leaving us all watching to see whether and when the next law makes it over the finish line), we heard from the California Attorney General’s Office that the right to know under the California Consumer Privacy Act of 2018 (CCPA) entitles consumers to know what “inferences” businesses draw about them, whether generated internally by the business or obtained from another source.
In this issue, we cover the international front, as Allison Cohen, of counsel at Loeb, takes a deep dive into the announcement from President Joe Biden and European Commission President Ursula von der Leyen last month of a new agreement for transatlantic data transfers; significant details still need to be finalized.
In our second article, associate Alaa Salaheldin provides a roadmap for businesses dealing with a ransomware attack and offers suggestions for proactively minimizing the risk. And in our team member spotlight, senior counsel Robyn Mohr shares how she is watching the developing state privacy law landscape—and requests an important recommendation!
In This Issue
- Transatlantic Data Transfers—Expect the Unexpected
- What Now? A Business Guide to Navigating a Ransomware Attack
- Event Spotlight: Jessica Lee, Co-Chair of Loeb’s Privacy, Security & Data Innovations
- In Case You Missed It’: California AG: Businesses Must Disclose Inferences Drawn From Consumers’ Personal Information
- Team Member Spotlight: Robyn Mohr
Transatlantic Data Transfers—Expect the Unexpected
The rules for transfers of data of European Union data subjects to U.S. companies have created an ever-evolving legal and political landscape for decades. In this digital age of the 21st century, the U.S. and the EU maintain an extensive trade and investment relationship driven in large part by the exchange of data across the pond. However, fundamental differences in law and policy surrounding data privacy and protection have contributed to an unstable framework for transatlantic data transfers. Read the full alert here.
What Now? A Business Guide to Navigating a Ransomware Attack
An organization that wakes up to a locked screen and a ransom demand may understandably ask, “What now? How do I get my business back up and running?” In recent years, ransomware has become a common source of business disruption for large and small organizations alike. Media headlines are littered with news of ransomware attacks debilitating business operations of entities across sectors, including critical infrastructure service providers, IT service companies and financial institutions. Read the full alert here.
Event Spotlight: Jessica Lee, Co-Chair of Loeb’s Privacy, Security & Data Innovations
Jessica Lee, Co-Chair of Loeb’s Privacy, Security & Data Innovations practice, spoke on the panel “Innovations in the Health Data Marketplace: Protecting Patients & Privacy” at the IAPP Global Privacy Summit April 12. Read here.
In Case You Missed It’: California AG: Businesses Must Disclose Inferences Drawn From Consumers’ Personal Information
Certain California businesses must disclose upon request the “inferences” they derive about consumers based on the personal information provided and publicly available data, according to an opinion recently issued by the state’s Attorney General’s office. The CCPA gives consumers in the state a suite of privacy rights, including the right to know what information a covered business is holding about them and the right to opt out of sales of their personal information. According to the opinion released by Attorney General Rob Bonta and Deputy Attorney General Susan Duncan Lee, the right to know entitles consumers to know what inferences these businesses draw about them, whether the inferences are generated internally by the business or are obtained from another source. However, the opinion also made clear that the CCPA does not require businesses to disclose to consumers any trade secrets related to generating such inferences. Read the full alert here.
How did you develop your area of focus?
Privacy has always been interesting to me. As technology gets more sophisticated, so does how data is collected and used. Data has become so much a part of everyday life. As federal and state governments start to regulate data collection and use practices, clients need lawyers who understand not only these laws but also their practical effects on businesses and the products and services we use every day.
What is exciting you/grabbing your attention right now?
Right now I’m paying careful attention to state privacy laws. It seems like we have new legislation proposed every day, and I’m so interested to see which proposed laws ultimately make it across the finish line.
What is one thing most people would be surprised to know about you?
If I could eat one thing for the rest of my life, it would be chocolate chip cookies. So if you have a favorite, you’ll have to let me know!
Sign up for our Hashed & Salted newsletter by creating an account and selecting Privacy, Security & Data Innovation as your area of interest here.