United States: Defense And Aerospace Industry Perspectives On Recent International And Domestic Privacy And Information Security Regulations

Companies in the defense and aerospace industries are facing increasing obligations with regard to overlapping national and transnational data protection and information security regimes. These overlapping and complex regimes may, on first glance, appear to differ significantly from one another, yet a closer read shows that they often include similar obligations. Developing a high-level approach to compliance can help companies meet cross-regime minimum requirements efficiently, reserving time and energy for more complicated regime-specific requirements.

This White Paper seeks to provide defense and aerospace companies with a blueprint for tackling cross-regime compliance by providing a working set of proactive measures to implement now. These measures are not intended to ensure full compliance; rather, they offer a jumping-off point for comparing the various regulatory regimes in play and identifying key points of overlap. To facilitate this process, this White Paper examines key provisions applicable to the defense and aerospace industries in the European Union's (EU) General Data Protection Regulation (GDPR), the EU directive on security of network and information systems (the "NIS Directive" or "Directive"), the Asia-Pacific Economic Cooperation (APEC) Cybersecurity Framework (the "APEC Framework"), and the new California Consumer Privacy Act (CCPA) and related California statutes. Using the EU, APEC and California regimes as points of comparison, this White Paper highlights key requirements that are increasingly becoming expected measures.

As we recently discussed in a prior white paper, 2018 has already witnessed a number of related developments for defense and aerospace companies in terms of changes to the U.S. Department of Defense's (DoD) acquisition-related guidance and updates to the National Institute of Standards and Technology (NIST) guidelines.1 Similar developments and related, increasing compliance burdens appear only set to continue.

To help address these expanding compliance burdens, there are a number of proactive measures that defense and aerospace companies can take now to facilitate cross-regime compliance. The most important of these include (1) understanding what you have, where you have it and why you have it; (2) implementing an appropriate, industry-recognized information security framework to ensure adoption of reasonable or appropriate security measures; (3) drafting strong contracts to limit liability for vendor and subcontractor vulnerabilities; (4) crafting processes for tracking protected information and responding to requests related to the same; and (5) bolstering internal governance and oversight of privacy and information security measures. A more comprehensive discussion of these and other proactive measures in provided in Section 2.

Comparing the GDPR, the NIS Directive, the APEC Framework and the CCPA

The GDPR, the NIS Directive, the APEC Framework and the CCPA are each, in their own way, groundbreaking measures. The GDPR, which went into effect on May 25, 2018, enshrines a complex set of rules that are designed to protect data subjects' fundamental privacy rights and update existing privacy laws to reflect and keep pace with new technologies and legal developments, as well as impose a unified and consistent data protection and privacy regime across all EU Member States.2 The NIS Directive is a first-of-its-kind directive laying out information security principles and objectives that each EU Member State is expected to transpose into its national laws as it sees fit.3 Its focus is on security, not privacy. The APEC Framework is a set of principles and implementation guidelines that were created in order to establish effective privacy protections aimed at reducing barriers to information flow, and ensuring continued trade and economic growth among the 27 members of APEC. Finally, the CCPA, the newest statute of the group, is focused wholly on privacy concerns and is intended to give California residents greater insight into what information companies collect about them, where that information is collected from, and whether and why the information is sold or shared.

Unlike both the GDPR and the CCPA, the NIS Directive and the APEC Framework rely on member countries' willingness to transpose their general principles into respective national laws. The Directive had a clear deadline of May 9, 2018, for this transposition, while the APEC Framework leaves the timing up to members. To date, only eight or so Member States have fully transposed the Directive, while a handful of others have done so in a partial manner. On July 19, the European Commission sent warnings to the 17 Member States that failed to transpose any portion of the Directive, giving them two months to respond or face further proceedings.4

The GDPR and the CCPA, in contrast, have set enforcement deadlines – May 25, 2018, for the GDPR and January 1, 2020, for the CCPA. On those dates, the two statutes either became, or will become, fully enforceable without further action required by regulated territories.5

In the following subsections, we compare key elements of these four statutes. The GDPR, the APEC Framework and the CCPA overlap most consistently, since all three deal with privacy and data protection. The NIS Directive is focused on information security and overlaps with the other three statutes only with regard to certain security issues. The points of overlap between any of these statutes are issues of particular importance since those are areas that businesses can target to further efficient cross-regime enforcement efforts.

Scope

Under any of these regimes, defense and aerospace companies may be subject to regulatory requirements, either due to their own status as entities processing data from the respective jurisdictions or as a result of a subsidiary's status as a covered entity.

GDPR: The GDPR divides organizations involved in processing personal data into two categories: (1) data controllers—any person or entity that determines the purposes and means of the processing of personal data, and (2) data processors—any person or entity that processes personal data on behalf of a controller. Defense and aerospace companies are generally controllers, and their subcontractors are usually processors.

The GDPR applies to only controllers or processors that (1) maintain an establishment in the EU, if they process personal data in the context of that establishment; (2) are not established in the EU, but offer goods or services to data subjects in the EU; or (3) are not established in the EU, but process the personal data of data subjects in the EU and that data is related to monitoring the behavior of data subjects that occurs in the EU. These categories effectively expand the jurisdiction of data protection authorities beyond the territorial limits of the EU. It is likely that defense and aerospace companies would likely fall within Category 1 or 3.

APEC: The APEC Framework applies to both individuals and organizations in the public and private sectors who control the collection, holding, processing, use, transfer or disclosure of personal information ("personal information controllers" or PIC). Individuals are not considered PICs if they collect, hold, process or use personal information for only personal, family or household affairs. The APEC Framework also applies to individuals or entities that instruct others to engage in any of the aforementioned processing activities. In this way, the APEC Framework directly applies to only PICs. It does not apply to entities that might be considered data processors under the GDPR.

CCPA: The CCPA applies to companies that (1) do business in California;6 (2) collect personal information or, on the behalf of which, personal information is collected; and (3) satisfy one of the following three thresholds: (A) have annual gross revenue of more than $25 million (this is global, not California-specific, revenue); (B) alone or in combination annually, buy, receive for commercial purposes, sell or share the personal information of 50,000 or more consumers, households or devices; or (C) derive 50 percent or more of their annual revenue from selling consumers' personal information. Any entity that controls, or is controlled by, a company meeting the above description and shares common branding with that entity is also covered.

NIS: The more specific requirements of the Directive, as put into place by Member States, will effectively apply to two types of entities: operators of essential services (OES) and digital service providers (DSP). Each Member State will determine what types of organizations fall into each category. OESs are organizations operating in vital sectors as specified by each Member State. Vital sectors generally include energy, transport, banking, finance, health, water or digital infrastructure. DSPs are organizations that provide a digital service, including search engines, online market places and cloud computing services.7

Covered Data

GDPR: The GDPR generally applies to the processing of personal data, which is any information relating to an identified or identifiable natural person, or a "data subject." Guidance from the Article 29 Working Party provides specific examples of the types of information that may fall within this broad definition, including things like IP addresses and GPS coordinates.8 Additional protection is afforded under the GDPR for "sensitive data"9 or personal data that reveals information about a data subject's ethnicity, religion, sexuality, etc.10

APEC: The APEC Framework generally applies to personal information on individuals (natural, living persons) in the various APEC member countries. "Personal information" is defined as information about an identified or identifiable individual, as well as information that would not meet this criterion alone, but, when put together with other information, would identify an individual. The APEC Framework has limited (if any) application to publicly available information.11

CCPA: The CCPA generally applies to consumers' (meaning residents of California) personal information. Personal information under the CCPA includes any information that relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The CCPA's expansive definition of personal information includes (1) personal identifiers; (2) characteristics associated with protected classifications, as provided for by California or federal law; (3) commercial information (records of personal property, products or services purchased, or consumption tendencies); (4) biometric information; (5) geolocation data; (6) audio, electronic, visual, thermal, olfactory or similar sensory information; (7) professional or employment-related information; (8) educational information; and (9) any inferences drawn from any of the information identified to create a profile about a consumer. The CCPA generally does not apply to publicly available information.12

NIS: The NIS Directive does not cover this issue.

Lawful Basis for Processing/Using Information

GDPR: Under the GDPR, a controller may process an EU data subject's personal data only if it meets one of the six lawful bases for doing so. Three of those bases are particularly relevant here: (1) for the performance of, or for entry into, a contract with a particular data subject; (2) to comply with a legal obligation to which the controller is subject under EU or Member State law; or (3) for the purposes of legitimate interests pursued by the controller or third party (except as overridden by the interests or certain rights and freedoms of the data subject). Absent another lawful basis, a controller can lawfully process personal data only if it can obtain express consent from the data subject. Consent must be freely given, specific, informed and unambiguous. It must be as easy for a data subject to withdraw consent as it is to give it.

APEC: Under the APEC Framework, personal information should be obtained in a fair and lawful manner; where appropriate, individual notice or consent should be provided or obtained regarding that collection, and only so much personal information should be collected as is relevant to the purposes for which it is being collected. Personal information that has been collected should be used to fulfill only the purposes, or closely related purposes, for which it was collected, unless one of the following three exceptions applies: (1) an individual consents to the PIC's use of personal information for additional purposes; (2) use of the information is necessary to provide the individual with a product or service requested by the individual; or (3) laws, legal proclamations or legal instruments authorize the use of information for purposes beyond those specified during the initial collection.

CCPA: The CCPA, unlike the GDPR or the APEC Framework, does not restrict the actual collection of that data. Rather, it focuses on giving consumers information about the collection and use of their data.

NIS: The NIS Directive does not consider this issue.

Requirement to Provide Information and Access to Data

GDPR: Under the GDPR, controllers must provide certain specified information to data subjects at the time that personal data is obtained. Data subjects must be provided at minimum with the following: (1) the purpose of the processing, (2) the categories of recipients that receive their data, (3) whether data is transferred out of the EU and related safeguards, (4) the period that data is retained (5) and an overview of their rights. They should also be provided with general information on how their information is processed and, if they ask, a copy of their personal data maintained by the controller.

APEC: Pursuant to the APEC Framework, individuals should be granted the right to (once they verify their identity) (1) know what information, if any, is being collected about them; (2) challenge the accuracy of the personal information that is collected about them; and (3) where appropriate, have their personal information rectified, completed, amended or, in some cases, entirely deleted. The ability to access and correct personal information is not an absolute right under the APEC Framework. Rather, it must be balanced against the legitimate needs of the PIC or public entity that is collecting the information. This is a similar approach to that taken by the GDPR and the CCPA. A PIC is not required to provide an individual with information under the APEC Framework where doing so would violate the privacy of persons other than the requester. PICs are required to provide individuals with requested information (assuming that they are under an obligation to do so) within a reasonable time and in a reasonable form that is generally understandable.

CCPA: Under the CCPA, consumers have a right to request and receive (once the business verifies their request) (1) the categories and specific pieces of personal information that the business has collected about them, (2) the categories of sources from which the personal information is collected, (3) the business purposes for which the personal information is collected, (4) the categories of third parties with which the business shares consumers' personal information and (5) the categories of personal information that the business sold or disclosed about the consumer for a business purpose. The CCPA requires that a business provide a consumer with information for the 12-month period preceding the consumer's request.13

NIS: The NIS Directive does not consider this issue.

Right to Erasure/Deletion and to Rectification

GDPR: The GDPR grants data subjects two corresponding rights related to correcting or erasing their data: the right to correct inaccurate, or add to incomplete, personal data (right to rectification), and the right to erase personal data (right to erasure). There are six exceptions that permit companies to avoid erasure.14 In addition, personal data must be erased immediately if the data are no longer needed for their original purpose, the data subject has withdrawn consent, the data subject has objected or erasure is required to fulfill a statutory obligation.

APEC: As previously noted, the APEC Framework empowers individuals to both request access to their personal information and correct their personal information. A PIC need not comply with an individual's request where (1) the individual does not verify his or her identity, (2) the cost or burden to the PIC would be disproportionate to the risk presented to the individual, (3) the PIC is required, or permitted, by law to retain the information; (4) disclosure could present legal or security risks to the PIC, including dissemination of confidential commercial information; or (5) compliance could violate the privacy of persons other than the requester. Where the PIC possesses a lawful and justifiable basis for denying an individual's request, it is required to provide the individual with an explanation as to its basis for denial and how the individual can challenge the denial. No explanation is necessary where providing an explanation would, by itself, violate a law or other judicial order.

CCPA: The CCPA grants certain consumers the right to request and have (if the request is verified) their personal information deleted. Businesses that do so must also direct service providers to do the same. There is no independent requirement that businesses delete consumer data absent receipt of a consumer request. There is no right to correct or add to information.

NIS: The NIS Directive does not cover this issue.

To view the full article click here

Footnotes

1 Akin Gump, White Paper – Recent Department of Defense Guidance on Cybersecurity Requirements and Related Export Control Issues, available at https://www.akingump.com/images/content/8/0/v2/80337/cybersecurity-white-paper-053118.pdf.

2 The GDPR is a mandatory measure that must be adopted by all EU Member States in a consistent manner. In addition to EU Member States, various countries in the European Economic Area (EEA) have also adopted pieces of the GDPR and implemented the same through their national laws.

3 To date, approximately eight European countries have transposed the NIS Directive into their national laws. Other countries are in the process of doing so.

4 The countries targeted by the July 19 warnings were Austria, Bulgaria, Belgium, Croatia, Denmark, France, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, the Netherlands, Poland, Portugal, Romania and Spain.

5 Efforts are under way to amend various provisions of the CCPA. One proposed revision would delay enforcement of the CCPA to the earlier of July 1, 2020, or six months from the date that the California Attorney General's Office publishes its final CCPA-related regulations. Thus, although the CCPA as a whole will go into force on January 1, 2020, it may not be enforceable for another six months

6 Doing business in this context means that a business located outside of California actively engages in a transaction for the purpose of financial or pecuniary gain or profit in California.

7 The NIS Directive contains certain exemptions for businesses that might otherwise fall within this definition, but that have fewer than 50 employees or less than €10 million in gross revenue.

8 Recital 30 of the GDPR also specifies that natural persons may be associated with online identifiers provided by their devices, applications tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.

9 We use the term "sensitive data" to refer to what the GDPR has determined are "special categories of personal data."

10 Sensitive data is data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning a data subject's sex life or sexual orientation, certain health data, certain genetic data and biometric data if processed for the purpose of uniquely identifying a natural person.

11 Publicly available information under the APEC Framework means information that an individual knowingly makes or permits to be made available to the public, or that is legally obtained and accessed from (1) publicly available government records, (2) journalistic reports, or (3) information required by law to be made available to the public.

12 Publicly available information under the CCPA means information that is lawfully made available from federal, state or local government records, but excludes biometric information collected without a consumer's knowledge and personal information used for a purpose different from the one for which the data is maintained and made available in the government records or otherwise publicly maintained.

13 Reading the CCPA as it is now worded suggests that businesses may need to have processes and systems in place to provide such information as of January 1, 2019 (12 months before the CCPA takes effect).

14 Under the GDPR, the right to erasure does not apply if the processing of the personal data in question is necessary (1) to exercise the right to freedom of expression; (2) to comply with a legal obligation; (3) for the performance of a task that is carried out in the public interest or in the exercise of official authority; (4) for reasons of public interest in the area of public health; (5) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes; or (6) for the establishment, exercise or defense of a legal claim.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Mason Hayes & Curran
Wilson Elser Moskowitz Edelman & Dicker LLP
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Mason Hayes & Curran
Wilson Elser Moskowitz Edelman & Dicker LLP
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions