In this issue, we cover the House Financial Services Committee's hearing on "alternative data." We also highlight Congressional and agency discussions of children's privacy matters and report on the at least $650 million settlement Equifax reached with the Federal Trade Commission (FTC) related to a 2017 data breach. We discuss the European Commission's report on the impact of GDPR one year later and the United Kingdom's Information Commissioner's blog posts on consumer privacy preferences and children's privacy.
Heard on the Hill
- House Financial Services Committee's Fintech Task Force Holds Hearing on the Use of Alternative Data to Expand Credit Access
- Children's Online Privacy Receives New Focus in Congress and at the FTC
Around the Agencies and the Executive Branch
- Equifax Set to Pay at Least $650 Million in Largest-Ever Data Breach Settlement
- European Commission Reports on the Impact of the GDPR One Year Later
- United Kingdom's Information Commissioner Discusses Consumer Privacy Preferences in Blog Post
- United Kingdom's Information Commissioner Posts Blog on Children's Privacy
Heard on the Hill
House Financial Services Committee's Fintech Task Force Holds Hearing on the Use of Alternative Data to Expand Credit Access
On July 25, 2019, the House Committee on Financial Services' (Committee) Task Force on Financial Technology (Fintech Task Force) convened a hearing on "Examining the Use of Alternative Data in Underwriting and Credit Scoring to Expand Access to Credit." "Alternative data" is information drawn from non-traditional sources that summarizes consumers' financial histories. The Fintech Task Force was created on May 9, 2019, alongside the Committee's Task Force on Artificial Intelligence ("AI Task Force"). Upon the formation of the AI and Fintech Task Forces, Committee Chairwoman Maxine Waters (D-CA) noted that the Task Forces were established to examine developments in the fintech and AI spaces, and to ensure that the Committee is equipped to develop AI and fintech policy.[1]
The hearing included witnesses representing a nonprofit organization, industry, academia, and the Government Accountability Office (GAO), and featured discussion of a host of matters related to the use of alternative data in credit underwriting, such as the following: (1) data privacy and security; (2) how alternative data may increase credit access for underserved individuals; (3) draft credit legislation and existing credit laws; and (4) whether the formation of regulatory sandboxes in the alternative data space is necessary.
During questioning, Fintech Task Force Chairman Stephen Lynch (D-MA) expressed concern that consumers are unable to control whether and how companies collect and use alternative data in credit underwriting. Separately, Fintech Task Force Ranking Member French Hill (R-AR) noted that the question of whether consumers have a property right for data about them needs to be addressed by lawmakers. Throughout the hearing, witnesses stated that the use of certain alternative data in credit determinations helps consumers access credit. Witnesses also cautioned Fintech Task Force Members that using other types of alternative data, including consumers' Internet browsing histories and zip codes, could lead to discrimination.
On numerous occasions throughout 2019, Committee Chairwoman Waters has indicated that reforming the "broken" U.S. credit reporting system is a priority of hers. To this end, the Committee has already convened several hearings examining the credit industry during the 116th Congress. Similarly, Task Force Chairman Lynch has also expressed interest in credit matters, having identified extending credit access to underserved consumers as a worthwhile goal for the Fintech Task Force.
Children's Online Privacy Receives New Focus in Congress and at the FTC
This summer, members of Congress and the Federal Trade Commission (FTC) have zeroed in on children's online privacy and related concerns. Members of Congress have sent letters to both technology companies and the FTC focusing on children's online privacy. For example, Members of Congress raised concerns regarding the FTC's recently reported settlement with a technology platform over alleged Children's Online Privacy Protection Act (COPPA) violations. In a letter to the FTC dated July 30, 2019, Congressmen David N. Cicilline (D-RI) and Jeff Fortenberry (R-NE) reminded the FTC that they had previously raised concerns with this technology platform regarding algorithmic targeting of children on the platform, actual knowledge of children's use of the platform, and the breadth of content directed toward children. The members of Congress suggested that the settlement provide for a number of remedies, including that the technology platform ensure the deletion of data for users under the age of 13, the use of qualified third-party human reviewers to assure the appropriateness of child-directed programming, and a restriction on the platform's launching of child-directed services before review and approval by an independent panel of privacy and child development experts.
The FTC has issued a request for public comment on the effectiveness of the 2013 amendments to the COPPA Rule and whether additional changes are needed. The COPPA Rule went into effect in 2000 and requires, among other things, that certain online services provide notice to parents and obtain verifiable parental consent before collecting, using, or disclosing personal information from children under the age of 13.[2] The 2013 amendments to the COPPA Rule expanded the definition of children's personal information to include cookies, geolocation information, photos, videos, and audio recordings.[3] Amongst other things, the FTC seeks comment regarding the COPPA Rule's "definitions, notice and parental consent requirements, exceptions to verifiable parental consent, and safe harbor provisions" and whether the 2013 amendments "have resulted in stronger protections for children and greater parental control over the collection of personal information from children, as well as whether these changes have had any negative consequences." To this end, the FTC is holding a workshop entitled "The Future of the COPPA Rule: An FTC Workshop" on October 7, 2019, in Washington, D.C. Written comments must be received by October 23, 2019.
Around the Agencies and the Executive Branch
Equifax Set to Pay at Least $650 Million in Largest-Ever Data Breach Settlement
On July 22, 2019, a federal judge gave preliminary approval to a settlement agreement between Equifax, consumer class plaintiffs, regulatory agencies, and state attorneys general related to claims arising from Equifax's 2017 data breach. Equifax has been negotiating for months to finalize the settlement and set aside $690 million in the second quarter of 2019 to cover the settlement's anticipated costs. If finalized as is, the data breach settlement will be the Federal Trade Commission's (FTC) largest settlement in terms of dollar amount and number of consumers impacted.[4]
According to the terms of the settlement agreement, Equifax would pay at least $380.5 million to compensate consumers affected by the 2017 breach. At least $300 million of that amount would be added to a consumer fund to, in part, provide affected consumers with credit-monitoring services or a $125 cash payout. Only $31 million of the $300 million, however, will be eligible to fund cash payouts. As a result, if the $31 million is depleted, cash payouts will be provided on a pro-rata basis. The fund will also compensate consumers who bought credit or identity-monitoring services from Equifax or paid other out-of-pocket expenses as a result of the 2017 data breach. Equifax would be required to add up to $125 million to the consumer fund if the initial $300 million is insufficient to reimburse consumers for out-of-pocket losses resulting from the data breach. The remaining $80.5 million would be set aside for attorneys' fees and legal costs.
The company also agreed to pay $100 million in fines to end investigations by the Consumer Financial Protection Bureau and the FTC. The FTC, however, did not fine Equifax, citing its limited authority to issue civil penalties for a first-time violator. In response, the Chairman of the FTC called on Congress to pass a law giving the FTC more explicit authority to fine companies for first-time violations. In addition to federal regulators, Equifax agreed to pay $175 million in fines to end investigations by 48 states, the District of Columbia, and Puerto Rico. The remaining two states, Massachusetts and Indiana, have filed separate suits against Equifax.
In addition to the monetary relief to consumers, Equifax is also slated to enter into an FTC order requiring the company to implement a comprehensive information security program. The order would require the company to undertake several measures, including designating an employee to oversee its security program; conducting annual assessments; testing and monitoring the effectiveness of its security safeguards; and obtaining annual certifications from senior leadership attesting that the company complies with the terms of the order.
European Commission Reports on the Impact of the GDPR One Year Later
On July 23, 2019, the European Commission (Commission) published a report reviewing the impact of the General Data Protection Regulation (GDPR) since its implementation and discussing further improvements that are needed. The report concluded that all but three European Union (EU) Member States (Greece, Portugal, and Slovenia) have put in place the necessary legal framework (i.e., updated their respective national data protection laws), but that ongoing efforts are needed. Specifically, the Commission found:
- A need for continuing efforts toward greater harmonization – EU Member States have introduced national requirements on top of the Regulation, including many sectoral laws, leading to fragmentation and unnecessary regulatory burdens. The Commission is working to harmonize Member State efforts by engaging in bilateral dialogue with national authorities and reinforcing GDPR requirements in national court systems, even if it means invalidating provisions in national laws which depart from the Regulation.[5]
- Data protection authorities are using their new powers – During the first year, national data protection authorities (DPAs) made use of their new powers when necessary. The DPAs imposed several fines, some as little as €5,000 and up to €50 million levied against a company in France. Data protection authorities also cooperated more closely with the European Data Protection Board (Board).[6] By the end of June 2019, the Board had managed 516 cross-border cases. The Commission recommended that the Board step up its leadership and continue building an EU-wide data protection culture. The Commission also encouraged DPAs to pool their efforts, for example, with joint investigations. The Commission plans to continue to fund DPAs in their efforts to reach out to stakeholders.
- Businesses are adapting to GDPR practices – The Commission found that complying with the GDPR has helped companies increase the security of their data and develop privacy as a competitive advantage. The Commission will support a GDPR toolbox for businesses to facilitate compliance, such as standard contractual clauses, codes of conduct, and new certification mechanisms. Also, the Commission will continue supporting small- and medium-sized enterprises through, among other things, issuing guidelines and funding grants for DPAs to produce resources.
- The GDPR stands as a reference for stronger data protection standards across the globe – According to the Commission, more and more countries across the globe are using the GDPR as a reference point to implement data protection standards for non-EU-based customers. The Commission found that this upward convergence is opening new opportunities for safe data flows between the EU and outside countries. The Commission will continue its "adequacy" determinations for data exchange with countries outside of the EU. Japan has already received an adequacy determination, making it easier to exchange information freely between the two countries. South Korea, Chile, Brazil, India, Indonesia, and Taiwan are currently undergoing adequacy negotiations with the EU.
As part of its next steps, the Commission will report on the GDPR's latest implementation in 2020 to assess the progress of the GDPR after the two-year mark.
United Kingdom's Information Commissioner Discusses Consumer Privacy Preferences in Blog Post
On July 31, 2019, Elizabeth Denham, the Information Commissioner in the United Kingdom (UK), published a blog post, "People care more about how their personal data is used. But what aspects cause them most concern?," describing the results of her office's annual survey of UK citizens' attitudes toward digital privacy. Her blog post reviewed the survey's results, noting that they investigated how UK citizens view the use of personal data on the Internet and the awareness that they have about their rights over such uses. This survey occurred a little over a year after the enforcement date of the General Data Protection Regulation (GDPR) on May 25, 2018.
Ms. Denham indicated that cybersecurity is the most important concern expressed by survey respondents. The blog post indicated that this interest was driven by high-profile cyberattacks that made headlines in the past year, and the personal impact those incidents had on UK citizens. She stated that these concerns affect the trust citizens have in businesses that use personal data. The blog post also noted that trust in a company's use of personal data is important to the innovative use of personal data. She indicated that her office's sandbox project saw numerous innovative ideas for the use of personal information, and that trust and confidence are crucial to the creation of those innovations.
Ms. Denham's blog post noted that the processing of children's personal data is also a key concern. She indicated that the GDPR's requirements of fairness and transparency lifted standards for data processing, but that the survey showed that more work must be done to increase trust. To that end, she indicated that her office's increased enforcement efforts create a paradox, in that exposing unexpected data processing activity reduces trust in the short term but increases awareness of such activity amongst citizens. She concluded by noting that, according to the survey, there is greater awareness of data protection rights, and that enforcers and companies should work to respond to the demand for increased access to personal data and for citizen rights over how personal data will be collected and processed.
United Kingdom's Information Commissioner Posts Blog on Children's Privacy
On August 7, 2019, Elizabeth Denham, the Information Commissioner in the United Kingdom (UK), published a blog post, "Protecting children online: update on the progress of ICO Code," reporting the Information Commissioner's Office's (ICO) progress on creating a draft Code of Practice (Code) that integrates General Data Protection Regulation (GDPR) requirements into design standards for online services, as part of the work to protect children online.
The ICO previously launched a consultation on a Code to help protect children online in April of 2019. Introduced by the Data Protection Act of 2018, the draft Code includes 16 standards of age-appropriate design that online services need to comply with to protect the privacy of children online. The draft Code applies to "information society services likely to be accessed by children" in the UK, such as apps, social media platforms, online games, connected toys, streaming services, and educational websites. The draft Code is not restricted to services specifically directed at children.
Standards include ensuring transparency of privacy policies and community standards in clear language suited to the age of the child, minimizing the amount of personal data that is collected and retained, and providing children with age-appropriate information when parental controls are available. Default settings must be set to "high privacy" unless there is a compelling reason for a different default setting, and geolocation options should be switched off by default. The draft Code sets forth "the best interests of the child" as the primary consideration of developers when designing and developing online services.
In the blog post, Commissioner Denham stated, "The GDPR already sets out rules on how data can be used and the importance of protecting children. Our Code will make the requirements clearer and help designers and developers understand what is expected of them." She opined that the ICO does "not want to create any barriers to children accessing news content," nor does the ICO "want to see an age-gated internet." She noted that the ICO's aim is not "to keep children from online services, but to protect them within it."
The blog post notes that the final version of the Code is expected to be delivered to the Secretary of State ahead of the statutory deadline of November 23, 2019. A transition period of up to one year is expected to allow companies time to implement and comply with the standards of the Code.
[1] House Financial Services Committee press release on Fintech and AI Task Forces, available at https://financialservices.house.gov/news/documentsingle.aspx?DocumentID=403738.
[2] See 16 C.F.R. § 312.5(a).
[3] See 16 C.F.R. § 312.2.
[4] Equifax to Pay at Least $650 Million in Largest-Ever Data Breach Settlement, NY Times (July 22, 2019), https://www.nytimes.com/2019/07/22/business/equifax-settlement.html.
[5] National courts have invalidated provisions in both Germany and Spain that conflict with the GDPR.
[6] The European Data Protection Board has legal personality and is composed of the heads of the national data protection supervisory authorities and the European Data Protection Supervisor.