TECHNOLOGY, OUTSOURCING, AND COMMERCIAL TRANSACTIONS
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS

On August 1, the US Secretary of Commerce announced the launch of the self-certification process for organizations to participate in the EU-US Privacy Shield Framework (Privacy Shield), a new voluntary framework for the transfer of EU personal data to the United States and the successor to the invalidated EU Safe Harbor program.

By self-certifying with the Privacy Shield, US organizations will be able to receive personal data from EU-based organizations without specific consent or special agreements in place with the EU data exporters. Morgan Lewis partners Pulina Whitaker, Gregory Parks, Reece Hirsch, and Mark Krotoski examined the implications of this new option for transatlantic data transfers in their recent LawFlash.

Given the popularity of games like Pokémon GO, augmented reality (AR) games are sure to become even more popular. However, unlike standard games, the interactive nature of AR games poses new legal issues.

AR games allow players to travel through the real world while interacting with digital characters or objects that have been programmed to appear like they exist in physical space. For example, Pokémon GO uses a smartphone’s GPS to direct players to real-life locations where they catch fictional creatures called Pokémon that appear as superimposed images through the phone’s camera feature.

The sudden popularity of Pokémon GO will likely bring about a slew of legal issues. AR game developers would be wise to address these issues in their terms of service and privacy policies.

The Federal Trade Commission (FTC) recently warned that Internet of Things (IoT) products and services that are no longer operational, updated, or supported present significant issues related to consumer expectations, security, and privacy. Although the FTC noted the industry’s bright future within a product sunset context, the implied “parade of horribles” could have been framed in the grim style of poet Archibald MacLeish as an “ever climbing shadow.”

Internet-connected devices that cease functioning properly, or as expected, could lead to problems on several levels. First, some IoT devices and services will serve safety and other important roles, and malfunctions could lead to injury, property damage, and theft, especially if consumers are unaware of product limitations. Second, out-of-date IoT products are more likely to be vulnerable to hackers and bugs. Finally, because IoT products will be tangled in a web of connections, security failures in one device could spill over to other devices and “put consumers’ sensitive data at risk.”

Senator Mark Warner of Virginia recently sent a letter to the Federal Trade Commission (FTC) expressing concern over the potential explosion of collection, storage, and usage of children’s personal information in connection with the Internet of Things (IoT), including mobile apps and so-called “smart toys.”

In the letter, Senator Warner noted that the scope and duration of data collection is expanding rapidly, enabled by the falling cost of digital storage and internet connectivity, and “more and more Internet-connected devices are making their way into children’s hands.” Thus, seemingly simple everyday purchases—such as toys—could raise complex privacy and safety issues that consumers may struggle with or not fully comprehend.

According to a recent Everest Group report, large application outsourcing in the banking sector is surging to record levels. Although many IT application projects at banks continue to concentrate on running and managing the business, digital transformation efforts appear to be driving an increase in application outsourcing.

Yesterday, the EU-US Privacy Shield was approved, and US organizations will be able to certify compliance with its principles and receive personal data from EU-based organizations beginning on August 1, 2016. In their LawFlash (EU-US Privacy Shield Approved), partners Pulina Whitaker, Gregory Parks, Reece Hirsch, and Mark Krotoski examine the implications of this new option for transatlantic data transfers. Since the landmark decision of the European Court of Justice (ECJ) in Maximillian Schrems v. Data Protection Commissioner that invalidated the Safe Harbor program, personal data transfers from the European Union to the United States have been in a state of uncertainty. Although the European Commission considers the United States to be a country with “inadequate” data protection laws, US organizations that certify compliance with the EU-US Privacy Shield principles will be able to receive personal data from EU-based organizations without specific consent or any agreements in place with EU data exporters.

Most website and mobile application operators are aware of the Children’s Online Privacy Protection Act (COPPA), but did you know that California has enacted additional data privacy protection measures for minors?

What Is California’s Online Eraser Law?

On January 1, 2015, California’s “Online Eraser” law took effect. The law requires the operator of an internet website, online service, online application, or mobile application (“Service”) to permit a minor who is a registered user of the operator’s Service to remove, or to request and obtain removal of, content or information that was posted on the operator’s Service by the minor. Unlike COPPA, which applies to personal information from and marketing to users under the age of 13, the Online Eraser law applies to users under the age of 18 who reside in California.

The American Civil Liberties Union (ACLU) recently filed an action in the US District Court for the District of Columbia challenging the constitutionality of the Computer Fraud and Abuse Act (CFAA). The lawsuit, Sandvig v. Lynch, was brought by the ACLU on behalf of a group of academic researchers and a media organization against US Attorney General Loretta Lynch.

The CFAA provision at issue in the suit, which prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access” and thereby obtaining information from a computer that is used in or affects interstate or foreign commerce or communication, has been interpreted by some courts to permit a criminal action against parties that violate a website’s terms of service or terms of use (TOU). Of particular importance in the action are provisions of TOU that prohibit providing false information, creating multiple accounts, or collecting data, including publicly available data, through automated methods (called “scraping”). See below for examples of some typical provisions that could be implicated by the suit:

Recent guidance on cyber resilience for financial market infrastructures (FMIs), published by the Bank for International Settlements and the International Organization of Securities Commissions, urges each FMI to develop an adaptive cyber resilience framework in line with certain principles and in collaboration with its ecosystem.

The guidance recognizes that FMIs are critical to financial stability and offers comprehensive insight into enhancing cyber resilience, some of which is particularly relevant to the financial industry and much of which is generally applicable.

We highlight a few key takeaways below:

  • Given the extensive interconnections in the financial system and the stealthy and dynamic nature of cyberattacks, each FMI should collaborate with its participants, vendors, regulators, other FMIs, and other stakeholders within its ecosystem. Such coordinated efforts should be ongoing and should include
    • a strong cyber threat intelligence and information sharing program, encompassing (a) bilateral undertakings with trusted stakeholders to dovetail security measures and augment recovery of uncorrupted data, and (b) multilateral arrangements to facilitate cohesive and safe responses to sweeping incidents;
    • resilience solution design, strategy, and implementation;
    • scenario-based tests, penetration tests, and other testing exercises—periodically and as systems are updated and deployed; and
    • system logging policies, including retention, to facilitate forensic investigations of cyber incidents.

Our privacy and cybersecurity colleagues have offered some guidance on data privacy compliance considerations for UK companies and their business partners in the wake of the United Kingdom’s referendum decision to leave the European Union. In their LawFlash (UK Data Privacy Laws in a Post-Brexit World), partners Pulina Whitaker, Matthew Howse, Mark Krotoski, Reece Hirsch, and Gregory Parks explain the current status of and potential for post-Brexit modifications to data privacy standards that govern UK businesses, including those with broader European connections. The piece particularly emphasizes the standards relating to cross-border data transfers and data breach reporting obligations.

Our Brexit Resource Centre will continue to provide guidance on the legal and business implications of the United Kingdom’s decision to leave the union. To view alerts, and to gain immediate access to our most recent guidance on Brexit, please visit the Morgan Lewis Brexit Resource Centre.