Privacy & Information Security Law Blog

This post has been updated. 

On April 27, 2017, the German Federal Parliament adopted the new German Federal Data Protection Act (Bundesdatenschutzgesetz) (“new BDSG”) to replace the existing Federal Data Protection Act of 2003. The new BDSG is intended to adapt the current German data protection law to the EU General Data Protection Regulation (“GDPR”), which will become effective on May 25, 2018.

Earlier this month, the New York State Department of Financial Services (“NYDFS”) recently published FAQs and key dates for its cybersecurity regulation (the “NYDFS Regulation”) for financial institutions that became effective on March 1, 2017.

On April 19, 2017, the FTC announced that it is seeking public comment on proposed changes to TRUSTe, Inc.’s safe harbor program under the Children’s Online Privacy Protection Rule (the “Proposed Changes”). As we previously reported, New York Attorney General Eric T. Schneiderman announced that TRUSTe agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. The Proposed Changes are a result of the settlement agreement between TRUSTe and the New York Attorney General.

On April 13, 2017, the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information published an English translation of the draft Standard Data Protection Model (“SDM”). The SDM was adopted in November 2016 at the Conference of the Federal and State Data Protection Commissioners. 

On April 12, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Metro Community Provider Network (“MCPN”) that stemmed from MCPN’s lack of a risk analysis and risk management plan that addressed risks and vulnerabilities to protected health information (“PHI”).

On April 12, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a discussion paper on Certifications, Seals and Marks under the GDPR and Their Roles as Accountability Tools and Cross-Border Data Transfer Mechanisms (the “Discussion Paper”). The Discussion Paper sets forth recommendations concerning the implementation of the EU General Data Protection Regulation’s (“GDPR’s”) provisions on the development and use of certification mechanisms. The GDPR will become effective on May 25, 2018. The EU Commission, the Article 29 Working Party, individual EU data protection authorities (“DPAs”) and other stakeholders have begun to consider the role of GDPR certifications and how to develop and implement them. CIPL’s Discussion Paper is meant as formal input to that process.

On April 6, 2017, New Mexico became the 48th state to enact a data breach notification law, leaving Alabama and South Dakota as the two remaining states without such requirements. The Data Breach Notification Act (H.B. 15) goes into effect on June 16, 2017.

On April 6, 2017, New York Attorney General Eric T. Schneiderman announced that privacy compliance company TRUSTe, Inc., agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. According to Attorney General Schneiderman, the enforcement action taken by the NY AG is the first to target a privacy compliance company over children’s privacy.

On April 4, 2017, the Massachusetts Attorney General’s office announced a settlement with Copley Advertising LLC (“Copley”) in a case involving geofencing.

On April 4, 2017, the Article 29 Working Party (“Working Party”) adopted its draft Guidelines on Data Protection Impact Assessment and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (the “Guidelines”). The Guidelines aim to clarify when a data protection impact assessment (“DPIA”) is required under the EU General Data Protection Regulation (“GDPR”). The Guidelines also provide criteria to Supervisory Authorities (“SAs”) to use to establish their lists of processing operations that will be subject to the DPIA requirement.

On April 4, 2017, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the Proposed Regulation of the European Commission for the ePrivacy Regulation (the “Proposed ePrivacy Regulation”). The Proposed ePrivacy Regulation is intended to replace the ePrivacy Directive and to increase harmonization of ePrivacy rules in the EU. A regulation is directly applicable in all EU Member States, while a directive requires transposition into national law. 

On April 5, 2017, the Article 29 Working Party (“Working Party”) adopted the final versions of its guidelines (the “Guidelines”) on the right to data portability, Data Protection Officers (“DPOs”) and Lead Supervisory Authority (“SA”), which were first published for comment in December 2016. The final publication of these revised guidelines follows the public consultation which ended in February 2017.

The Cybersecurity Law of China, which was passed in November of 2016, introduced a data localization requirement requiring “operators of key information infrastructure” to retain, within China, critical data and personal information which they collect or generate in the course of operating their business in China. If an entity has a genuine need resulting from a business necessity to transmit critical data or personal information to a destination outside of China, it can do so provided it undergoes a “security assessment.”

On April 3, 2017, President Trump signed a bill which nullifies the Broadband Consumer Privacy Rules (the "Rules") promulgated by the FCC in October 2016. The Rules largely had not yet taken effect. In a statement, FCC Chairman Ajit Pai praised the elimination of the Rules, noting that, “in order to deliver that consistent and comprehensive protection, the Federal Communications Commission will be working with the Federal Trade Commission to restore the FTC’s authority to police Internet service providers’ privacy practices.” ...

Haim Ravia and Dotan Hammer of Pearl Cohen Zedek Latzer Baratz recently published an article outlining Israel’s new Protection of Privacy Regulations (“Regulations”), passed by the Knesset on March 21, 2017. The Regulations will impose mandatory comprehensive data security and breach notification requirements on anyone who owns, manages or maintains a database containing personal data in Israel.

The Regulations will become effective in late March 2018.

Read Pearl Cohen’s full article.

In March 2017, Syed Ahmad, a partner with Hunton & Williams LLP’s insurance practice, and Eileen Garczynski, partner at insurance brokerage Ames & Gough, co-authored an article, Protecting Company Assets with Cyber Liability Insurance, in Mealey’s Data Privacy Law Report. The article describes why cyber liability insurance is necessary for companies and provides tips on how it can make a big difference. Ahmad and Garczynski discuss critical questions companies seeking to protect company assets through cyber insurance should be asking.

Read the full article.

Recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data. Under the amended law, an employer or payroll service provider must notify the Virginia Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer.