Cleary Cybersecurity and Privacy Watch

Global Legal Developments related to Cybersecurity Incidents, Cyber Corporate Governance and Regulation Issues, and Privacy and Data Protection Laws

Latest from Cleary Cybersecurity and Privacy Watch

On April 10, 2019, the Department of Justice (“DOJ”) released a white paper titled Promoting Public Safety, Privacy, and the Rule of Law Around the World:  The Purpose and Impact of the CLOUD Act.  This white paper is the first official DOJ statement about the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) and reflects the DOJ’s current perspective on its scope and implications.  Below we summarize the CLOUD Act and discuss the…
On March 27, 2019, journalists affiliated with Reuters reported that the Kunlun Group (“Kunlun”), a China-based tech firm, was preparing to sell its wholly owned subsidiary, Grindr, after the Committee on Foreign Investment in the United States (“CFIUS”) informed the group that Kunlun’s continued ownership of Grindr constituted a national security risk.  This forced divestiture of Grindr is a pointed reminder that CFIUS remains focused on protecting the sensitive personal data of U.S. citizens, has…
On April 3, 2019, staff of the Securities and Exchange Commission released (1) a framework providing principles for analyzing whether a digital asset constitutes an investment contract, and thus a security, as defined in SEC v. W.J. Howey Co. and (2) a no-action letter permitting TurnKey Jet, Inc., without satisfying registration requirements under the Securities Act of 1933 and the Securities Exchange Act of 1934, to offer and sell “tokenized” cards that are recorded on a permissioned…
On March 20, 2019, in Frank v. Gaos, the Supreme Court remanded a case challenging Google’s practice of disclosing users’ search terms to third parties, directing the lower courts to address whether class plaintiffs had Article III standing to bring the privacy action in light of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).[1]  Frank v. Gaos was originally notable because it had been resolved by a cy pres-only class action settlement,…
On Friday, March 15, 2019, the U.S. Federal Trade Commission (“FTC”) issued its 2018 Privacy & Data Security Update (the “Update”) detailing its activities last year in seven “zones” of privacy and data security: enforcement, advocacy, rules, workshops, reports and surveys, consumer education and business guidance, and international engagement. …
On 12 February 2019, the European Data Protection Board (“EDPB”)[1] adopted its first opinion on an “administrative arrangement,” which provides a new mechanism for the transfer of personal data between European Union (“EU”) financial supervisory authorities and securities agencies and their non-EU counterparts. Under the EU’s General Data Protection Regulation 2016/679 (“GDPR”), personal data cannot be transferred from the European Economic Area (“EEA”) to a third country unless the European Commission has decided that…
In summer 2018, a new Indian Personal Data Protection Bill was released by a Committee of Experts formed under the Chairmanship of Justice B.N. Srikrishna (the “Bill”), accompanied by a report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians.” After several months’ hiatus, reports are emerging of renewed impetus from India’s Ministry of Electronics and Information Technology (“MEITY”) for the Bill to be put before Parliament. The proposed introduction of the Bill…
On January 24, 2019, Canada’s Office of the Superintendent of Financial Institutions (“OSFI”) released an Advisory detailing new requirements for Canadian federally regulated financial institutions (“FRFIs”) to report cyber incidents within 72 hours.  FRFIs include banks, trust companies, loan companies, life insurance companies, property and casualty insurance companies, and fraternal benefit societies. The new reporting requirements become effective on March 31, 2019.…
On February 20, the Securities and Exchange Commission (the “SEC” or “Commission”) issued a cease-and-desist order against Gladius Network LLC (“Gladius”) concerning its 2017 initial coin offering (“ICO”).  The SEC found that the Gladius ICO violated the Securities Act of 1933’s (“Securities Act”) prohibition against the public offer or sale of any securities not made pursuant to either an effective registration statement on file with the SEC or under an exemption from registration.[1] …
On February 7, 2019, the German antitrust agency, the Federal Cartel Office (“FCO”), imposed limitations on Facebook’s current practice of collecting and processing user data and prohibited using the related terms of service.  After an almost three-year-long investigation, the FCO found that some of Facebook’s business practices amounted to an abuse of a dominant position.  For the first time, the FCO also based its abuse-of-dominance analysis on whether the dominant company complied with the…