WSGR Alert: Article 29 Working Party Issues Statement Following Adoption of EU-U.S. Privacy Shield

On July 26, 2016, the body of European Data Protection Authorities (DPAs), the “Article 29 Working Party” (WP29), issued a statement commending the improvements made to the EU-U.S. Privacy Shield (Privacy Shield). Although the WP29 still holds some of the concerns it raised in its April 2016 opinion, and the Privacy Shield will most likely face legal challenge, the Privacy Shield is a valid tool for companies transferring data from the EU to the U.S. Companies can begin registering for the Privacy Shield on August 1, 2016.

The WP29 statement indicates that it will pay close attention to the annual joint review called for in the framework and to ensuring that individuals may effectively exercise their rights under the Privacy Shield. The WP29 emphasizes that it will closely monitor the functioning of the Privacy Shield and will not hesitate to request changes that it believes are warranted as a result of the first annual review of the Privacy Shield framework.


WSGR Alert: The EU-U.S. Privacy Shield Is Adopted and Available as of August 1, 2016

On July 12, 2016, the EU Commission and the U.S. Secretary of Commerce announced the adoption of the EU-U.S. Privacy Shield (Privacy Shield). This announcement follows today’s adequacy decision by the College of EU Commissioners, which recognizes that the Privacy Shield provides an adequate level of protection under EU data protection law. The adequacy decision represents formal approval of the Privacy Shield as a legal basis for data transfers from the EU to the U.S.

Privacy Shield certification will be available to companies as of August 1, 2016. Although the adoption of the Privacy Shield is a welcome development, it does not eliminate the recent legal uncertainty that has surrounded data transfers from the EU to the U.S., as the Privacy Shield is expected to face legal challenges before DPAs and courts.

Certification to the Privacy Shield is not a mere formality. Before certifying, companies should carefully review the Privacy Shield principles and the supplemental principles to assess whether it is a workable data transfer solution for their business. Noncompliance may expose companies to significant sanctions.


WSGR Alert: HHS Brings Landmark HIPAA Enforcement Action Against a Business Associate for Alleged Data Security Failures

On June 29, 2016, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling charges that CHCS failed to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. As part of the settlement, CHCS will pay $650,000 and must implement a corrective action plan (CAP).

CHCS provides management and information technology services to six skilled nursing facilities and, as such, is considered a “business associate” under HIPAA. Business associates, which are organizations that provide certain types of services to HIPAA-covered entities, must comply with the HIPAA Security Rule. According to HHS, CHCS violated the Security Rule by failing to conduct an accurate and thorough assessment of the potential security risks to the electronic protected health information it held. HHS alleged that CHCS also failed to implement appropriate measures to reduce these risks to a reasonable and appropriate level. HHS initiated its investigation after receiving notice from the nursing homes that a CHCS mobile device was stolen. Protected health information of 412 individuals was stored on the device and, according to HHS, the device was not encrypted or password-protected.


WSGR Alert: EU Cyber Security and Incident Notification Rules Enacted

On July 6, 2016, the European Parliament adopted the first-ever pan-European law on cyber security. The law, entitled the “Directive on the Security of Network and Information Systems” (NIS Directive), imposes security requirements and security incident notification obligations on digital service providers and operators of essential services.

The NIS Directive was enacted as part of the European Commission’s broader initiative to strengthen cyber security capabilities in the EU and will take effect in August 2016 (20 days after its publication in the EU Official Journal). However, like all EU Directives, it must be implemented into national law to be fully effective. EU member states will have 21 months to implement the NIS Directive into their national laws. As a result, businesses should expect the rules to come into final force no later than May 2018.


ISPs Could Face New Privacy Regulations Under FCC Proposed Rulemaking

On March 31, 2016, the Federal Communications Commission (FCC) adopted a Notice of Proposed Rulemaking (NPRM) that proposed to establish new privacy guidelines for broadband Internet service providers (ISPs).[1] The FCC designed the proposal to “ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.”[2] To accomplish this goal, the NPRM proposes to apply the privacy requirements of Section 222 of the Communications Act[3] to ISPs that offer broadband Internet access service (or, in the NPRM’s terminology, “BIAS”).[4] The FCC asserted that applying the privacy requirements set forth in Section 222 would “give broadband customers the tools they need to make informed decisions about how their information is used by their ISPs and whether and for what purposes [their information may be shared] with third parties.”[5]

WSGR Alert: FTC Increases Maximum Civil Penalties for HSR Act, COPPA, and Other Violations from $16,000 to $40,000

On June 30, 2016, the Federal Trade Commission (FTC) issued an interim final rule that substantially increases the maximum civil penalties for violations of the competition and consumer protection laws enforced by the FTC that authorize the assessment of civil penalties. The increased amounts will apply to penalties assessed on or after August 1, 2016, even if the associated violation occurred before August 1, 2016.
