Apple to Require New Privacy Disclosures for Apps as of December 8, 2020

During its annual Worldwide Developers Conference this summer, Apple announced a handful of new consumer-oriented privacy features coming to its software and devices. One feature will require app publishers to disclose information regarding their apps’ data collection and use practices in what some are referring to as a privacy “nutrition label.” Another significant privacy feature will require businesses to assess whether they are “tracking” users of their apps and, if so, obtain opt-in consent from users to continue the practice.

Privacy Nutrition Labels

On November 5, 2020, Apple announced that the privacy nutrition label requirement will apply to new apps and updates submitted on or after December 8, 2020. Starting December 8, all new apps and app updates must include the required privacy information before they can be published in the App Store. For most companies, a member of the product development team will be responsible for providing the required privacy information to Apple when submitting a new app or an app update. Accordingly, businesses and their legal departments should proactively prepare to address the new disclosure obligations and ensure that the information aligns with the organization’s other public disclosures concerning its privacy practices (e.g., online privacy policies). Providing inaccurate information in this context could trigger a violation of the App Store’s terms of use, which could result in suspension or removal of an app or provoke allegations of unfair and deceptive practices under Section 5 of the Federal Trade Commission Act or analogous state laws regarding unfair competition. For more information on state enforcement actions brought against app publishers, see this blog post. Continue Reading

BakerHostetler Named a Cybersecurity “Pacesetter” in ALM Intelligence Inaugural Ranking

We are extremely proud to announce that BakerHostetler has been named the only law firm included in the ALM Cybersecurity “Pacesetter” inaugural ranking. Our DADM Group – and the Digital Risk Advisory and Cybersecurity team in particular – was identified in this national pacesetter report as leading the law firm peer group in “how it leverages its experience in research-based thought leadership,” including our annual Data Security Incident Response Report (DSIR). Also noted was our expansion earlier this year to offer legal advisory and other services by launching the firm’s sixth practice group, enabling us to provide services aligned to the lifecycle of data.

We thank our clients who count on us to provide them with superior counsel as regards digital assets and risks.  We are grateful to the ALM independent research team for this recognition. 

Read more.

European Authorities Release Back-to-Back Drafts Addressing Cross-Border Data Transfers

Last week, both the European Data Protection Board (EDPB) and the European Commission released highly anticipated draft documents offering guidance to organizations that engage in cross-border data transfers involving EU personal data.

The EDPB, an independent body responsible for consistent application of data protection rules throughout the EU, published draft recommendations on supplemental measures for transfer mechanisms to ensure compliance with EU personal data protection standards (the “Transfer Recommendations”). Simultaneously, the EDPB issued an update to the April 2016 version of the recommendations on European Essential Guarantees for surveillance measures. Meanwhile, the EU’s executive branch, the European Commission, issued a draft of new Standard Contractual Clauses (SCCs) for compliant data transfers to non-EU countries under the EU’s General Data Protection Regulation (GDPR).

These drafts are subject to public consultation periods: the EDPB’s Transfer Recommendations through November 30, 2020, and the European Commission’s SCCs through December 10, 2020. On November 20, 2020, the EDPB extended their public consultation period to December 21, 2020.

EDPB Transfer Recommendations

Following the Court of Justice of the European Union’s (CJEU’s) July 2020 Schrems II decision, which invalidated the EU-U.S. Privacy Shield and raised questions about the continued use of SCCs, the EDPB issued FAQs about GDPR-compliant personal data transfers and promised more guidance to come. Almost four months later, that additional guidance has arrived (at least in draft form), providing a six-step framework for data exporters to analyze the compliance of their personal data transfers:

  1. Use data mapping to identify and understand all personal data transfers, including onward transfers.
  2. Evaluate the transfer mechanism in place for each transfer (such as an adequacy decision, Article 49 derogation, binding corporate rules or standard contractual clauses). If the transfer cannot be based on an adequacy decision or Article 49 derogation, the analysis continues to the next step.
  3. Assess the legal framework around data protection in the recipient jurisdiction(s) to ensure the transfer mechanism is effective in practice. For example, SCCs would not be effective in practice if the data importer may be prevented from complying with its contractual obligations.
  4. As appropriate (or necessary) further to Step 3, identify and adopt supplementary measures to ensure an essentially equivalent level of data protection to that which is guaranteed by the GDPR.
  5. Undertake any required formal procedural steps applicable to the transfers; for example, it may be necessary to notify supervisory authorities in some jurisdictions.
  6. Regularly assess and monitor the level of data protection in the recipient jurisdiction(s) to ensure ongoing compliance.

Key Takeaways

  • Access = Transfer. The Transfer Recommendations make clear that remote access to EU personal data from outside the EU, including cloud storage maintained outside the EU, is to be considered a “transfer” that requires implementation of an appropriate data transfer mechanism.
  • Data Subject Rights. Analysis of any transfer must consider whether EU data subjects will have adequate opportunity to exercise their rights over their transferred personal data and to seek redress, if necessary, in the recipient jurisdiction.
  • Potential Government Access. Prior to transferring EU personal data, organizations must evaluate relevant requirements for the disclosure of personal data to public authorities in the recipient jurisdiction and assess whether such obligations may interfere with EU data subjects’ rights. The European Essential Guarantees for surveillance measures detail specific issues the exporter should consider when analyzing the justification for public authority access to personal data in other countries and the risks associated with such access.
  • Accountability. Businesses must be able to demonstrate their efforts to ensure adequate data protection, including their oversight of the administrative, technical and organizational measures implemented relevant to the transfers. This will require documentation of their assessments and ongoing monitoring of data protection practices.

Supplemental Measures

In terms of analyzing potential transfers of EU personal data to the United States, the Schrems II decision is helpful to the extent that it includes an assessment of U.S. data protection practices; unfortunately for exporters to the U.S. (and their importing counterparties), the CJEU found those practices were not “essentially equivalent” to the data protection offered in the EU. Accordingly, absent meaningful changes to certain U.S. government surveillance activities, it appears transfers to the U.S. will require implementation of supplemental measures to meet the GDPR’s standards for protecting EU personal data. That said, the EDPB’s Recommendations seem to indicate that even supplemental measures will be insufficient to address U.S. government surveillance concerns unless the measures effectively prevent access to the EU personal data by a U.S. importer.

  • Supplemental measures may be implemented as part of a contract between the parties to the transfer. They also may be technical or organizational measures.
  • Supplemental measures may need to be combined or layered, building on each other to attain an appropriate level of data protection.
  • Where the concern is government access to EU personal data, particularly with respect to surveillance, the Transfer Recommendations indicate that using technical measures that impede public authority access may be the only truly effective way to comply with EU data protection standards (though these may be combined with additional contractual and organizational measures).
  • Annex 2 of the Transfer Recommendations lists examples of supplemental measures that could be implemented in various scenarios, as well as examples of transfer scenarios that could not be remedied through the use of supplemental measures. Many of the supplemental measures suggested by the EDPB are reflected in the new draft SCCs.

The European Commission’s New SCCs

European Commission-approved Standard Contractual Clauses are one of the most popular GDPR-compliant mechanisms for transferring personal data out of the EU to countries, such as the United States, that are not considered to provide “adequate” data protection. Following the invalidation of the EU-U.S. Privacy Shield Framework in Schrems II, many businesses turned to SCCs to cover their transatlantic personal data transfers.

The European Commission’s existing sets of SCCs (adopted in 2001, 2004 and 2010) have been in need of an update for some time; among other issues, they still reference the now-defunct 1995 EU Data Protection Directive and they cannot readily be applied to many common transfer arrangements. For example, the current SCCs only apply to controller-controller and controller-processor transfers without allowing for other types of business relationships and data flows. The new draft SCCs address these issues but also introduce new obligations.

Practical Updates

  • The draft SCCs are presented as a single document with different modules applicable to varying transfer relationships: controller-controller, controller-processor, processor-processor and processor-controller.
  • Multiple controllers and processors may sign on to the same set of SCCs, addressing a limitation of the existing clauses which only contemplate a single exporter and a single importer as signatories.
  • An optional docking clause allows for the possibility of adding parties after the execution of the agreement, subject to approval by all parties.

The flexibility introduced by these changes should streamline the contracting process by more accurately capturing  how personal data may be transferred in different scenarios and eliminating the need to implement multiple sets of SCCs for various parties within the same business relationship.

Expanded Obligations

New provisions in the draft SCCs also respond to concerns articulated in the CJEU’s Schrems II decision, including by introducing additional security requirements and strengthening existing language around security measures; addressing limitations on public authority requests for personal data; and emphasizing assessment and audit processes to ensure compliance. While the new SCCs are still in draft form, organizations should consider the following suggestions to prepare for the transition:

  • Understand personal data flows. Although the modular format of the new SCCs offers greater flexibility, businesses will need to carefully examine their EU personal data flows and their role(s) with respect to each (for example, importer vs. exporter, controller vs. processor) in order to understand all applicable obligations. Now is a good time to update data maps – or to create them if you have not yet done so.
  • Develop an SCC compliance assessment. The new SCCs set forth data protection considerations that must be evaluated and documented in advance; such documentation will have to be provided to supervisory authorities upon request. These considerations include the specific circumstances of the personal data transfer, safeguards in place to protect the personal data and any non-EU laws relevant to the data transfer. Parties must warrant that they have no reason to believe that the applicable non-EU laws would prevent the data importer from fulfilling any obligations under the SCCs.
  • Prepare security statements. Annex II of the new SCCs requires extensive information about data security measures, so businesses should be prepared to provide these details and establish a process for regular updates. Certain data security information may be withheld if the SCCs are to be produced in response to a data subject request, but a meaningful summary of the security measures must be provided instead. The SCCs also introduce more explicit data retention requirements, and retention limits must be listed in Annex I.
  • Enhance record-keeping processes and compliance documentation. EU supervisory authorities as well as other parties to SCCs will have the ability – and possibly an obligation – to ask for documentation of a company’s data protection posture. Businesses should review their compliance materials and develop protocols to ensure the documents are accurately maintained and easy to produce on request.
  • Develop or revise public authority personal data request handling procedures. The new SCCs require additional transparency around public authority requests, including notification to the data controller (and potentially affected data subject(s)) and reporting regarding such requests. They also introduce record-keeping requirements related to law enforcement requests and a protocol for reviewing the legality of public authority requests and challenging them, as appropriate.
  • Consider supplemental clauses. As with the existing SCCs, parties cannot modify the approved text of the new SCCs; however, there may be a little more leeway to insert additional detail. Drawing on GDPR Recital 109, the new SCCs will allow for adding “other clauses or additional safeguards” as long as these do not either contradict the SCCs or “prejudice the fundamental rights or freedoms of data subjects.”

What’s Next?

The final SCCs are expected to be adopted in early 2021, but first:

  • In addition to the public consultation process, the new SCCs also must pass through “comitology” – a type of EU committee process allowing representatives of the Member States to discuss the draft and issue an opinion.
  • At the European Commission’s request, the EDPB and the European Data Protection Supervisor will issue a joint opinion on the draft before the SCCs are finalized. In light of the EDPB’s Transfer Recommendations, it seems likely the EDPB could recommend changes.

Assuming the European Commission’s SCCs implementing decision is adopted as drafted, the following changes will apply:

  • All prior versions of the SCCs will be repealed and can no longer be used for GDPR-compliant data transfers.
  • Organizations with the existing SCCs in place will have a one-year transition period from the adoption date to implement the new SCCs, provided no changes are made to the underlying agreement during that time. Note that supplemental data protection measures may be required in the interim.
  • If the underlying agreement between the parties is renegotiated or otherwise changed during the year following the implementing decision’s effective date, this transitional “grace period” ends and the new SCCs (or another transfer mechanism) must be implemented at that time.

Podcast: BakerHostetler Blockchain University: What You Need to Know About the Most Common Blockchain Networks

The third episode in the series focuses on the differences and similarities between the Ethereum Network, HyperLedger, and other key blockchain networks. Topics discussed include smart contracts, public versus private blockchains, distributed autonomous organizations (DAOs), blockchain “forks” and more.

Questions & Comments:,

Listen to the episode.
Download Episode Transcript

Subscribe to BakerHosts
Apple Podcast | Google Podcast | iHeartRadio | Spotify | Stitcher | TuneIn

Podcast: AD-ttorneys@law: CBD Marketing: A Path Through the Legal Fog

Being the best means continually building knowledge and pushing forward. And in a world of digital disruption, consumer marketers can’t afford to stumble. To navigate today’s most complex issues, thousands of subscribers read BakerHostetler’s AD-ttorneys@law weekly newsletter and blog and appreciate how the firm’s renowned team of advertising, marketing and digital media lawyers distills issues and offers practical takeaways. Now that same team brings you AD-ttorneys@law, the podcast.

Our first podcast covers CBD Marketing. Cannabidiol, or CBD derived from hemp, is now legal under federal law, and is everywhere — CBD perfumes, facial oils, cosmetics, gummies, chocolates, lotions, slushies, candles. BakerHostetler attorneys Randy Shaheen and Jack Ferry explain the legal issues companies should think about before they hit the ground running to enter the burgeoning market.

Questions & Comments:

Listen to the episode.

Subscribe to BakerHosts
Apple Podcast | Google Podcast | iHeartRadio | Spotify | Stitcher | TuneIn
Download Episode Transcript

California Voters Approve Reworking of Landmark Consumer Privacy Law – What CCPA 2.0 Will Mean for Businesses and Consumers

The nation awoke the morning after Election Day 2020 with much still unresolved.  By early morning Pacific Time, however, it was called by various media outlets that California voters approved a ballot measure, Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA).

Referred to by some as CCPA 2.0, the CPRA amends certain provisions of the paradigm shifting 2018 California Consumer Privacy Act (CCPA), which went into effect in January 2020 and became subject to enforcement in July 2020. Moreover, the CPRA will introduce a number of new provisions and concepts to a law that regulators are still fleshing out and businesses are struggling to understand. Like the CCPA, the CPRA will be supplemented by future regulations to be issued by a new privacy protection agency; however, the nature and the extent of the CPRA’s regulatory mandates far exceed those of the CCPA. Continue Reading

OFAC Doubles Down on Malware Cyber Actors

The Office of Foreign Assets Control (OFACas added another cyber actor to the SDN list.  As a result, U.S. persons are prohibited from engaging in any dealings with the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a Russian government research institution that is said to be connected to the destructive Triton malware. The Triton malware – also known as TRISIS and HatMan in open source reporting – was designed specifically to target and manipulate industrial safety systems. The prohibition against dealing with TsNIIKhM extends to the payment of ransom. This new designation follows OFAC’s October 1 issuance of an Advisory regarding potential sanctions risks of making or facilitating ransom payments in connection with malware attacks. We discussed the Advisory and related considerations in our recent post and alert. This is the fifth occasion on which OFAC has designated malicious cyber actors – the Triton malware joins Cryptolocker, SamSam, WannaCry 2.0 and Dridex on the list of malware subject to OFAC sanctions risk in the ransom payment context. The OFAC Advisory promised additional designations, so it is likely the designation of the Triton developer will not be the last.

CISA Updates Advisory on Large-Scale Impending and Credible Ransomware Threat to Healthcare to Include Additional IOCs

On Oct. 28, a joint cybersecurity advisory was published by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the Department of Health & Human Services. The advisory warned of an imminent cybercrime threat to U.S. hospitals and healthcare providers – specifically that a large-scale ransomware attack may be on the very near horizon. BakerHostetler’s coverage of the initial alert, including proactive measures organizations can take, can be found here. Continue Reading

ONC Announces Delay of Information Blocking Provisions

The Department of Health and Human Services’ (HHS)’ Office of the National Coordinator (ONC) published an interim final rule today delaying several key compliance deadlines in the ONC 21st Century Cures Act final rule – including that of the information blocking provisions, which were slated to become effective on November 2, 2020 – until April 5, 2021. According to the ONC press release, the decision to delay the information blocking compliance deadline was made to allow hospitals and provider groups more flexibility and time to respond to the ongoing COVID-19 pandemic. These delays have been heralded as much-needed by numerous provider groups, including the American Hospital Association, due to the operational and financial challenges facing the provider community as a result of the pandemic.

The ONC’s National Coordinator, Don Rucker, noted in the press release that “[t]o be clear, ONC is not removing the requirements advancing patient access to their health information that are outlined in the Cures Act Final Rule. Rather, we are providing additional time to allow everyone in the health care ecosystem to focus on COVID-19 response.” The ONC has also been urged to use this additional time to publish comprehensive education and guidance to provide additional clarity to the industry around the requirements of the information blocking rule.

The ONC also delayed a number of compliance deadlines in the health IT regulations in the interim final rule that are largely applicable to health IT developers, including deadlines related to the 2015 edition health IT certification updates and new standardization application-programming interface, which will now require compliance by Dec. 31, 2022.

The new compliance deadlines set forth in the ONC’s interim final rule, as published earlier today in the ONC’s press release, are set forth below. We will continue to monitor regulatory guidance from the ONC and provide a more detailed summary of the interim final rule in upcoming blog posts.