On July 25, 2016, the Article 29 Working Party (the “Working Party”) and the European Data Protection Supervisor (“EDPS”) released their respective Opinions regarding the review of Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive"). Both the Working Party and the EDPS stressed that new rules should complement the protections available under the EU General Data Protection Regulation (“GDPR”).
On July 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into resolution agreements with two large public health centers, Oregon Health & Science University (“OHSU”) and the University of Mississippi Medical Center (“UMMC”), over alleged HIPAA violations.
On July 26, 2016, the White House unveiled Presidential Policy Directive PPD-41 (“PPD-41”), Subject: United States Cyber Incident Coordination, which sets forth principles for federal responses to cyber incidents approved by the National Security Council (“NCS”). Coming on the heels of several high-profile federal breaches, including the Office of Personnel Management’s loss of security clearance information and the hack of over 700,000 IRS accounts, PPD-41 is a component of President Obama’s Cybersecurity National Action Plan. PPD-41 first focuses on incident response to cyber attacks on government assets, but also outlines federal incident responses to cyber attacks on certain critical infrastructure within the private sector.
On July 25, 2016, Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was interviewed on KUCI 88.9 FM radio’s Privacy Piracy show. Lisa discussed the changing regulatory landscape, information security enforcement actions, the threat actors who attack companies’ data and how to manage the aftermath of a data breach. “There is no industry sector that is exempt [from being targeted],” Lisa says. She notes that, because “data can be sold for a monetary sum, data is now the equivalent of cash.”
On July 20, 2016, the French Data Protection Authority (“CNIL”) announced that it issued a formal notice to Microsoft Corporation (“Microsoft”) about Windows 10, ordering Microsoft to comply with the French Data Protection Act within three months.
Background
Following the launch of Microsoft’s new operation system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties that Microsoft could collect excessive personal data via Windows 10. A group composed of several EU data protection authorities was created within the Article 29 Working Party to examine the issue and conduct investigations in their relevant EU Member States. The CNIL initiated its investigation and carried out seven online inspections in April and June 2016. The CNIL also questioned Microsoft on certain points of its privacy statement.
On July 26, 2016, Isabelle Falque-Pierrotin, the Chairwoman of the Article 29 Working Party of data protection regulators, announced that EU data protection regulators will not challenge the adequacy of the EU-U.S. Privacy Shield (“Privacy Shield”) for at least one year (i.e., until after summer 2017). The European Commission is scheduled to conduct a mandatory review of the adequacy of the Privacy Shield by May 2017.
On July 12, 2016, after months of negotiations and criticism, the EU-U.S. Privacy Shield (“Privacy Shield”) was officially adopted by the European Commission and the Department of Commerce. Similar to the Safe Harbor, companies must certify their compliance with the seven principles comprising the Privacy Shield to use the Shield as a valid data transfer mechanism. Hunton & Williams partner Lisa J. Sotto and associate Chris D. Hydak recently published an article in Law360 entitled “The EU-U.S. Privacy Shield: A How-To Guide.” In the article, Lisa and Chris detail the ...
On July 26, 2016, the U.S. Department of Commerce announced that it has launched a new website that provides individuals and companies with additional information regarding the EU-U.S. Privacy Shield Framework (“Privacy Shield”). Among other things, the website provides information about complying with, and self-certifying to, the Privacy Shield’s principles. The Department of Commerce’s website will begin accepting certifications on August 1, 2016.
On July 19, 2016, Advocate General Saugmandsgaard Oe (“Advocate General”), published his Opinion on two joined cases relating to data retention requirements in the EU, C-203/15 and C-698/15. These cases were brought following the Court of Justice for the European Union’s (“CJEU's”) decision in the Digital Rights Ireland case, which invalidated Directive 2006/24/EC on data retention. The two cases, referred from courts in Sweden and the UK respectively, sought to establish whether a general obligation to retain data is compatible with the fundamental rights to privacy and data protection under EU law.
This post has been updated.
On July 14, 2016, the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation (“Microsoft”) cannot be compelled to turn over customer emails stored abroad to U.S. law enforcement authorities.
On July 14, 2016, the Federal Trade Commission issued warning letters to 28 companies relating to apparent false claims of participation in the APEC Cross-Border Privacy Rules (“CBPR”).
The warning letters state that the companies’ websites represent APEC CBPR certification even though the companies do not appear to have undertaken the necessary steps to claim certification, such as a review and approval process by an APEC-recognized Accountability Agent.
On July 12, 2016, the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, and U.S. Secretary of Commerce Penny Pritzker announced the formal adoption of the EU-U.S. Privacy Shield (the “Privacy Shield”) framework, composed of an Adequacy Decision and accompanying Annexes.
On July 6, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on video surveillance under the EU General Data Protection Regulation (“GDPR”).
This paper is part of a series of papers that the Bavarian DPA will issue periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasized that these papers are non-binding.
On July 6, 2016, the UK government decided to close its controversial care.data scheme after concerns were raised about the safeguards in place to protect individuals’ health care data and issues with patient transparency.
On July 8, 2016, EU representatives on the Article 31 Committee approved the final version of the EU-U.S. Privacy Shield (“Privacy Shield”) to permit transatlantic transfers of personal data from the EU to the U.S.
On July 6, 2016, the European Parliament adopted the Directive on Security of Network and Information Systems (the “NIS Directive”), which will come into force in August 2016. EU Member States will have 21 months to transpose the NIS Directive into their national laws. The NIS Directive is part of the European Commission’s cybersecurity strategy for the European Union, and is designed to increase cooperation between EU Member States on cybersecurity issues.
On July 5, 2016, the Standing Committee of the National People’s Congress of the People’s Republic of China (the “Standing Committee”) published the full second draft of the Cybersecurity Law (the “second draft”). The publication of the second draft comes after the Standing Committee’s second reading of the draft on June 27, 2016. The public may comment on the second draft of the Cybersecurity Law until August 4, 2016.
On July 5, 2016, the European Commission announced the launch of a new public-private partnership (the “Partnership”) on cybersecurity, as part of its Digital Single Market and EU Cybersecurity strategies. In this context, the European Commission released several documents, including a Commission Decision establishing a contractual arrangement of the new Partnership for cybersecurity industrial research, and a Staff Working Document on the preparation activities for the Partnership.
On June 30, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had settled potential HIPAA Security Rule violations with Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”). This is the first enforcement action OCR has taken against a business associate since the HIPAA Omnibus Rule was enacted in 2013. The HIPAA Omnibus Rule made business associates directly liable for their violations of the HIPAA rules. The settlement with CHCS is also notable because it involved a breach that affected fewer than 500 individuals.
On June 28, 2016, the UK Information Commissioner’s Office (“ICO”) released its Annual Report for 2015 -2016 (the “Report”).
According to the Report, the ICO has dealt with an increase in the number of data protection concerns, handling 16,388 complaints in total. Particularly noteworthy is the £130,000 fine imposed on Pharmacy 2U for breach of the fair processing requirements under the UK Data Protection Act 1998. Pharmacy 2U sold details of over 20,000 customers to a list marketing company without customers' knowledge or consent.
On June 28, 2016, the State Internet Information Office of the People’s Republic of China published the Administrative Provisions on Information Services for Mobile Internet Applications (the “App Administrative Provisions”). This is the first regulation that expressly regulates mobile apps in the People’s Republic of China. Before the App Administrative Provisions were published, the P.R.C. Ministry of Industry and Information Technology had published a draft of the Interim Provisions on the Preinstallation and Management of the Distribution of Mobile Intelligent Terminal Applications (“Interim Provisions”). The comment period for the Interim Provisions draft expired six months ago and i’s still uncertain when it will become effective. According to unofficial statistics, domestic app stores have more than 4 million apps in inventory presently, and the number is growing. Those apps will now become highly regulated products under the App Administrative Provisions.
On June 30, 2016, a joint committee composed of representatives from both chambers of the French Parliament (“Joint Committee”) reached a common position on the French ‘Digital Republic’ Bill that rejects the data localization amendment previously approved by the French Senate, but significantly amends other aspects of the French Data Protection Act.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code