Archives: Regulatory

EU Commission Publishes Proposal for e-Privacy Regulation: The Top Nine Key Points You Need to Know

On January 10, 2017, the European Commission published a Proposal for a Regulation that, if adopted, would have significant and far-reaching implications for Internet-based services and technologies. The proposal seeks to revise the current EU ePrivacy Directive. It creates strict new rules regarding confidentiality of electronic communications, including content and metadata. In addition, the proposal … Continue Reading

FCC Orders Far-Reaching New Privacy and Data Security Rules

As expected, the Federal Communications Commission (FCC) has handed down sweeping new privacy and security rules for Internet service providers (ISPs). On Thursday, October 27, 2016, a sharply divided commission voted to enact these new rules, which impose strict new requirements for ISPs’ collection, use, sharing, and protection of their customers’ information, including information ISPs … Continue Reading

Article 29 Working Party Issues Statement Following Adoption of EU-U.S. Privacy Shield

On July 26, 2016, the body of European Data Protection Authorities (DPAs)—the “Article 29 Working Party” (WP29)—issued a statement commending the improvements made to the EU-U.S. Privacy Shield (Privacy Shield). Although the WP29 continues to have some of the concerns raised in its April 2016 opinion, and the Privacy Shield will most likely face legal … Continue Reading

The EU-U.S. Privacy Shield Is Adopted and Available as of August 1, 2016

On July 12, 2016, the EU Commission and the U.S. Secretary of Commerce announced the adoption of the EU-U.S. Privacy Shield (Privacy Shield). This announcement follows today’s adequacy decision by the College of EU Commissioners which recognizes that the Privacy Shield provides an adequate level of protection under EU data protection law. The adequacy decision … Continue Reading

HHS Brings Landmark HIPAA Enforcement Action Against a Business Associate for Alleged Data Security Failures

On June 29, 2016, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling charges that CHCS failed to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. As part of the settlement, CHCS will pay … Continue Reading

EU Cyber Security and Incident Notification Rules Enacted

On July 6, 2016, the European Parliament adopted the first-ever pan-European law on cyber security. The law, entitled the “Directive on the Security of Network and Information Systems” (NIS Directive), imposes security requirements and security incident notification obligations on digital service providers and operators of essential services. The NIS Directive was enacted as part of … Continue Reading

ISPs Could Face New Privacy Regulations Under FCC Proposed Rulemaking

On March 31, 2016, the Federal Communications Commission (FCC) adopted a Notice of Proposed Rulemaking (NPRM) that proposed to establish new privacy guidelines for broadband Internet service providers (ISPs). The FCC designed the proposal to “ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.” To … Continue Reading

FTC Increases Maximum Civil Penalties for HSR Act, COPPA, and Other Violations from $16,000 to $40,000

On June 30, 2016, the Federal Trade Commission (FTC) issued an interim final rule that substantially increases the maximum civil penalties for violations of the competition and consumer protection laws enforced by the FTC that authorize the assessment of civil penalties. The increased amounts will apply to penalties assessed on or after August 1, 2016, even … Continue Reading

WSGR Alert: FTC Brings First Privacy Enforcement Action Against a Mobile Ad Network

On June 22, 2016, the Federal Trade Commission (FTC) announced that it has settled charges that InMobi, a Singapore-based mobile advertising company, deceptively tracked the locations of hundreds of millions of consumers, including children, to deliver geo-targeted advertising, and violated both the FTC Act and the Children’s Online Privacy Protection Act (COPPA). This is the … Continue Reading

Monitoring and Recording Consumers’ Calls in California Can Be a Risky Practice

Many businesses monitor or record customer service, telemarketing, and other telephone calls with consumers to help them improve customer service and for evidentiary reasons. Under federal and many state laws, calls may lawfully be monitored or recorded by businesses as long as those businesses have permission from their employees who participate on the calls. However, … Continue Reading

Tennessee Updates Data Breach Notification Law

The State of Tennessee recently amended its data breach notification statute, Tenn. Code Ann. § 47-18-2107, which is set to go into effect on July 1, 2016. Numerous commentators have proclaimed that the amendment marks a watershed moment—that with the enactment of S.B. 2005, Tennessee becomes the first state to eliminate the encryption safe harbor … Continue Reading

CFPB Brings First Data Security Enforcement Action

The Consumer Financial Protection Bureau (CFPB) recently brought its first data security enforcement action, adding itself to the growing list of federal regulators tackling data security issues. The CFPB’s enforcement action was against Dwolla Inc., a Des Moines, Iowa-based online payment platform. The CFPB alleged that Dwolla misrepresented its data security practices, and as a … Continue Reading

HHS Issues HIPAA Guidance for Mobile Health Apps

The U.S. Department of Health and Human Services (HHS) recently issued guidance to help mobile application developers analyze whether the Health Insurance Portability and Accountability Act of 1996 (HIPAA) may apply to them. Not every mobile application developer that handles personal health information is subject to HIPAA regulation, and determining whether HIPAA applies is situation-dependent … Continue Reading

Uncertainty Increases Around EU-U.S. Data Flows

Two recent developments have significantly increased the already uncertain legal landscape surrounding transatlantic data flows. Earlier today, the EU Parliament voted out a resolution calling on the European Commission (EU Commission) to further negotiate the terms of the EU-U.S. Privacy Shield (Privacy Shield). And yesterday, the Irish Data Protection Commissioner (DPC) announced the launch of … Continue Reading

WSGR Alert: Article 29 Working Party Calls for Improvements to the EU-U.S. Privacy Shield

On April 13, 2016, the body of European Data Protection Authorities (DPAs)—the “Article 29 Working Party” (WP29)—issued its opinion on the new EU-U.S. Privacy Shield. The WP29 acknowledged that progress has been made with the Privacy Shield, but called for several significant changes to the shield before it can be found to provide protection that … Continue Reading

WSGR Alert: EU Commission Publishes EU-U.S. Privacy Shield

On February 29, 2016, the European Commission unveiled the text of the EU-U.S. Privacy Shield. The Privacy Shield is designed to replace the invalidated EU-U.S. Safe Harbor Framework and to provide a new legal framework for data transfers from the EU to the U.S. Although the Privacy Shield is based on the same principles as … Continue Reading

WSGR Alert: FTC Settles with Manufacturer of Home Network Routers over Alleged Data Security Flaws

On February 23, 2016, the Federal Trade Commission (FTC) announced a settlement with computer hardware maker ASUSTeK Computer, Inc. (ASUS). The ASUS settlement highlights the FTC’s position regarding security in the connected device market: connected device manufacturers are responsible for security shortcomings in their devices and are expected to promptly update or patch any identified … Continue Reading

EU Reaches Political Agreement on New Data Protection Regulation

On December 15, 2015, the European Parliament and the Council of the European Union reached a political agreement on the text of the EU General Data Protection Regulation (GDPR). This is a major step toward the official adoption of the GDPR, which is now expected in Spring 2016. The GDPR will have a significant impact … Continue Reading

The FCC’s Open Internet Order and the EU’s Network Neutrality Regulation: A Comparison and Key Takeaways for Players in the Telecommunications Sector

The Internet has transformed the ways that we access, consume, and use information. For years, debates have raged in both the United States and Europe over so-called “network neutrality”—the extent to which the government should require entities that provide Internet access services to treat the content that they transmit equally. In the past several months, … Continue Reading

FTC Approves Facial Recognition as Method of Obtaining Parental Consent to Collect Children’s Information

The Federal Trade Commission (FTC) recently approved a new method for website operators and mobile application developers (“operators”) to obtain parental consent to collect personal information from children. Under this new method, which is the first to use biometric identifiers to verify that a parent is providing consent for a child, the FTC will permit … Continue Reading

HHS Ends 2015 with Three HIPAA Enforcement Settlements

In late 2015, the U.S. Department of Health and Human Services (HHS) announced three settlements in which the agency will collect over $5 million in collective penalties for alleged non-compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In addition to the monetary penalties, each of the settlements requires compliance with a … Continue Reading

WSGR Alert: EU Data Protection Authorities Issue Statement Following Agreement on EU-U.S. Privacy Shield

On February 3, 2016, the body of European data protection regulators—the Article 29 Working Party (WP29)—issued a statement following the announcement of a political agreement regarding a new transatlantic data transfer scheme, the EU-U.S. Privacy Shield. This is the second guidance document issued by the WP29 following the invalidation of the EU-U.S. Safe Harbor Framework … Continue Reading

WSGR Alert: EU and U.S. Reach a Political Agreement on Transatlantic Data Transfer Deal

On February 2, 2016, the European Commission announced that a political agreement on a new legal framework for data transfers has been reached between the European Union (EU) and the U.S. Today’s agreement introduces the new “EU-U.S. Privacy Shield.” Although the details of the new agreement have not yet been released, this is a crucial … Continue Reading