News and Alerts for April 5, 2022

Russian Lawsuits Highlight Flaws in UK Data Privacy Law

Russian Oligarchs are using the United Kingdom’s General Data Protection Regulation to sue journalists and others who possess unflattering information about them—including typed notes and compromising photos. According to the Washington Post, “British law is already notoriously friendly to plaintiffs who want to stop the publication of an unflattering article or other information they allege is untrue under libel law.” The UK’s data law—which was modeled after the EU’s General Data Protection Regulation (GDPR)—considers journalists to be “data collector[s].” This legal exploit has resurfaced in Parliamentary deliberations recently. Lawmakers assert that allowing Russian oligarchs to avoid scrutiny was not the intent of the law, though historically the tactic has worked. In 2020, Orbis Business Intelligence owner Christopher Steele was found liable for violating UK data privacy law because he improperly stored inaccurate information (about Russian oligarchs’ close ties to Vladmir Putin) on his computer, qualifying him as a data controller.

EHI Releases Guidance for Protecting Health Data

The Executives for Health Innovation (EHI) last week released new guidance for health data that’s not protected by The Health Insurance Portability and Accountability Act (HIPAA). In the last two years, EHI, a Washington D.C.-based nonprofit, has released several frameworks for health tech companies aimed at protecting non-HIPAA data, including the Consumer Privacy Framework for Health Data in February 2021. Its latest report serves as a followup to that framework, and specifically addresses the issue of accountability, arguing that the Federal Trade Commission (FTC) needs to do more to protect health data, asserting that, “Although the FTC has used [its] authority to bring actions against consumer health technology products whose data practices harm consumers, the FTC is not currently set up to be an efficient and nimble privacy enforcer. Its rule-making authority is limited and it lacks adequate resources.”

Hackers Employ “Vishing” in Morgan Stanley Breach

As social engineering evolves, so too does its terminology. One of the latest schemes, vishing (voice-fishing), involves hackers purchasing a domain name that’s similar to that of a legitimate company, then impersonating that company’s IT department, calling employees and tricking them into downloading spyware or providing login credentials. (A variation of this scheme, smishing, involves using SMS messaging to carry out the scheme, as text messaging is generally trusted more than emails.) If you’re still reading, vishing was employed by criminals against Morgan Stanley Wealth Management clients last month. The financial firm just notified customers last week of the ploy, noting that a cybercriminal called several Morgan Stanely clients and impersonated Morgan Stanley employees, obtaining login credentials and conducting fraudulent Zelle transfers from clients’ accounts.

EU Bans Anonymous Crypto Transactions

Lawmakers in the European Parliament last week voted to outlaw anonymous cryptocurrency transactions, a move that privacy professionals have spoken out against. According to CoinDesk, “The proposals are intended to extend anti-money laundering (AML) requirements that apply to conventional payments over EUR 1,000 ($1,114) to the crypto sector. They also scrap the floor for crypto payments, so payers and recipients of even the smallest crypto transactions would need to be identified, including for transactions with unhosted or self-hosted wallets.”

* * * * *

On March 25, the European Commissioner for Justice Didier Reynders, and U.S. Secretary of Commerce Gina Raimondo issued a joint statement announcing a preliminary replacement for the Privacy Shield framework. The Trans-Atlantic Data Privacy Framework will allow data transfers between the EU and the U.S., which have been on shaky legal legs or on hold since Privacy Shield was struck down by the Court of Justice of the European Union in August 2020.

To read our coverage on the new Privacy Shield Agreement announced just last week, click here.

On March 18, Sri Lanka enacted the Personal Data Protection Act, No. 9 of 2022 (PDPA) and became the first South Asian Country to enact comprehensive data protection legislation. The PDPA is modeled after the EU’s General Data Protection Regulation (GDPR), establishes a new Data Protection Authority (DPA) in Sri Lanka, and requires covered entities to create a Data Protection Officer role.

To read our coverage on Sri Lanka’s Personal Data Protection Act, click here.