FCC Orders Far-Reaching New Privacy and Data Security Rules

ThinkstockPhotos-516657408_webAs expected, the Federal Communications Commission (FCC) has handed down sweeping new privacy and security rules for Internet service providers (ISPs). On Thursday, October 27, 2016, a sharply divided commission voted to enact these new rules, which impose strict new requirements for ISPs’ collection, use, sharing, and protection of their customers’ information, including information ISPs receive about their customers’ geolocation and online activities. Consequently, ISPs will soon be subject to heightened notice and consent requirements for activities such as behavioral advertising and other online tracking, as well as more robust security and data breach notification obligations. Up until now, there have not been specific FCC privacy rules that govern ISPs’ handling of such data. ISPs and members of the online advertising industry objected strenuously to numerous aspects of the FCC’s proposed rules, including the FCC’s classification of web browsing behavior as sensitive information subject to opt-in consent, an approach at odds with that of the Federal Trade Commission (FTC), the nation’s primary regulator of commercial privacy and security interests. Ultimately, the FCC waved off those objections in adopting its final rules.

The FCC’s action today represents the culmination of a rulemaking process that the FCC initiated in 2015. At that time, as part of the Open Internet Order, the FCC made the decision to apply the privacy requirements of Section 222 of the Communications Act—which had previously only governed telephone services—to the world of broadband. The FCC adopted a Notice of Proposed Rulemaking (NPRM) in March 2016 to address a host of questions regarding how Section 222 applies to broadband providers. On October 6, 2016, FCC Chairman Tom Wheeler circulated to his fellow commissioners a proposed Order, which was approved earlier today by a 3-2 vote. The final Order has not yet been released.

Click here to read our complete WSGR Alert summarizing the aspects of the FCC’s decision that we believe will be of the greatest significance to our clients.

Article 29 Working Party Issues Statement Following Adoption of EU-U.S. Privacy Shield

 On July 26, 2016, the body of European Data Protection Authorities (DPAs)—the “Article 29 Working Party” (WP29)—issued a statement commending the improvements made to the EU-U.S. Privacy Shield (Privacy Shield). Although the WP29 continues to have some of the concerns raised in its April 2016 opinion, and the Privacy Shield will most likely face legal challenge, the Privacy Shield is a valid tool for companies transferring data from the EU to the U.S. Companies can begin registering for the Privacy Shield on August 1, 2016.

The WP29 statement indicates that it will pay close attention to the annual joint review called for in the framework and to ensuring that individuals may effectively exercise their rights under the Privacy Shield. The WP29 emphasizes that it will closely monitor the functioning of the Privacy Shield and will not hesitate to request changes that it believes are warranted as a result of the first annual review of the Privacy Shield framework.

Click here to read our complete WSGR Alert discussing the WP29 statement.

The EU-U.S. Privacy Shield Is Adopted and Available as of August 1, 2016

 On July 12, 2016, the EU Commission and the U.S. Secretary of Commerce announced the adoption of the EU-U.S. Privacy Shield (Privacy Shield). This announcement follows today’s adequacy decision by the College of EU Commissioners which recognizes that the Privacy Shield provides an adequate level of protection under EU data protection law. The adequacy decision represents formal approval of the Privacy Shield as a legal basis for data transfers from the EU to the U.S.

Privacy Shield certification will be available to companies as of August 1, 2016. Although the adoption of the Privacy Shield is a welcome development, it does not eliminate the recent legal uncertainty that has surrounded data transfers from the EU to the U.S., as the Privacy Shield is expected to face legal challenges before DPAs and courts.

Certification to the Privacy Shield is not a mere formality. Before certifying, companies should carefully review the Privacy Shield principles and the supplemental principles to assess whether it is a workable data transfer solution for their business. Noncompliance may expose companies to significant sanctions.

Click here to read our complete WSGR Alert discussing the new Privacy Shield.


HHS Brings Landmark HIPAA Enforcement Action Against a Business Associate for Alleged Data Security Failures

 On June 29, 2016, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling charges that CHCS failed to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. As part of the settlement, CHCS will pay $650,000 and must implement a corrective action plan (CAP).

CHCS provides management and information technology services to six skilled nursing facilities and, as such, is considered a “business associate” under HIPAA. Business associates, which are organizations that provide certain types of services to HIPAA-covered entities, must comply with the HIPAA Security Rule. According to HHS, CHCS violated the Security Rule by failing to conduct an accurate and thorough assessment of the potential security risks to the electronic protected health information it held. HHS alleged that CHCS also failed to implement appropriate measures to reduce these risks to a reasonable and appropriate level. HHS initiated its investigation after receiving notice from the nursing homes that a CHCS mobile device was stolen. Protected health information of 412 individuals was stored on the device and, according to HHS, the device was not encrypted or password-protected.

Click here to read our complete WSGR Alert on the enforcement action.

EU Cyber Security and Incident Notification Rules Enacted

 On July 6, 2016, the European Parliament adopted the first-ever pan-European law on cyber security. The law, entitled the “Directive on the Security of Network and Information Systems” (NIS Directive), imposes security requirements and security incident notification obligations on digital service providers and operators of essential services.

The NIS Directive was enacted as part of the European Commission’s broader initiative to strengthen cyber security capabilities in the EU and will take effect in August 2016 (20 days after its publication in the EU Official Journal). However, like all EU Directives, it must be implemented into national law to be fully effective. EU member states will have 21 months to implement the NIS Directive into their national laws. As a result, businesses should expect the rules to come into final force no later than May 2018.

Click here to read our complete WSGR Alert on the NIS Directive.

ISPs Could Face New Privacy Regulations Under FCC Proposed Rulemaking

 On March 31, 2016, the Federal Communications Commission (FCC) adopted a Notice of Proposed Rulemaking (NPRM) that proposed to establish new privacy guidelines for broadband Internet service providers (ISPs).1 The FCC designed the proposal to “ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.”2 To accomplish this goal, the NPRM proposes to apply the privacy requirements of Section 222 of the Communications Act3 to ISPs that offer broadband Internet access service (or, in the NPRM’s terminology, “BIAS”).4 The FCC asserted that applying the privacy requirements set forth in Section 222 would “give broadband customers the tools they need to make informed decisions about how their information is used by their ISPs and whether and for what purposes [their information may be shared] with third parties.”5 Continue Reading