News Alerts and Breach Report for Week of December 12, 2022
Ireland’s DPC Probes Musk’s Twitter
Elon Musk, the new owner of Twitter, has announced he’ll make vast troves of Twitter user data available to journalists. But Ireland’s Data Protection Commission might not let him, and is seeking On the U.S. side of the pond, Bloomberg reports that Facebook’s former CISO, Alex Stamos, posited publicly that a Twitter thread posted yesterday by one of the reporters given access by Musk “should be enough for the FTC to open an investigation of the consent decree.”
Cybersecurity Predictions for 2023
Morrison Foerster has published a list of predictions about the evolving cybersecurity landscape in 2023 from experts in the field. These forecasts include a resurgence in Russian-sponsored cyberattacks, a decrease in ransomware payment amounts, new cybersecurity rules from the SEC, a continued push for protecting data belonging to children, and probably another year without a federal data privacy law in the U.S.
EU-U.S. Reaches Decision on Data Transfers
Today, the European Commission announced it has begun the process of adopting an adequacy decision for the EU-U.S. Data Privacy Framework. The announcement comes after a ruling known as Schrems II, in which the Court of Justice of the European Union struck down a previous data exchange agreement—known as Privacy Shield—in July 2020.
At the core of the debate—and the primary reason it’s taken so long to replace Privacy Shield with this new adequacy framework—lies the question of U.S. surveillance services. Put simply, President Biden had to promise, via an executive order signed in October, that EU citizens’ data would be protected from overreach by U.S. surveillance services, and that they’d have a right to correct violations of this guarantee.
The draft of the new framework notes that, after an in-depth assessment, the U.S. can and will provide an adequate level of protection with regard to data belonging to EU citizens—and that the U.S. will limit access to that data by its law enforcement and national security services. The European Commission’s announcement included a list of “elements” that must be taken into account when determining if a third country can exchange data with the EU. These include “the existence of core data protection principles, individual rights, independent supervision and effective remedies.”
When it comes to data gathering by law enforcement, these rules must be followed: “Processing should be based on clear, precise and accessible rules (legal basis); Necessity and proportionality with regards to legitimate objectives pursued need to be demonstrated; The processing has to be subject to independent oversight; and, Effective remedies need to be available to the individuals.”
Now that the European Commission has announced its decision, the European Data Protection Board (EDPB), a committee of EU member states, and the European Parliament will need to review it. But the decision to adopt the framework lies entirely with the European Commission, making this draft decision a major milestone toward finalization in the next six months. That timeline comes from Didier Reynders, the EU’s justice commissioner, who theorized at a Politico event this week that a final decision could happen before July of next year.
Of course, that doesn’t mean the framework can’t be challenged, though Reynders also noted that the adequacy decision has a “seven or eight out of 10 chance” of withstanding a legal challenge. If such a challenge were to occur (and Austrian privacy activist Max Schrems has already said he plans to challenge any framework), the decision will have to be brought back to the Court of Justice. In the meantime, the European Commission advises businesses to continue using its Standard Contractual Clauses, which we explain here.
BREACH REPORT:
* * * * * * *
To read our article on how to prepare for the January 1 enforcement of the California Privacy Rights Act (CPRA), click here.
Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues ranging from the proposed federal and state regulations to best practices and standards for compliance. Episodes can be enjoyed on many platforms including Spotify and Apple Podcasts. Don’t forget to subscribe!
Our most recently released episodes:
83 | Geofence Warrants and January 6: Constitutional and Privacy Issues (with guest Matthew Esworthy)
82 | A Look at the Consequences of the Uber and Twitter CISO Cases (with guest Ron Raether)
81 | Looking at Cyber Leadership & Costly Mistakes (with guests Rachel Briggs and Richard Brinson)
To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.