The EU-U.S. Privacy Shield Is Adopted and Available as of August 1, 2016

On July 12, 2016, the EU Commission and the U.S. Secretary of Commerce announced the adoption of the EU-U.S. Privacy Shield (Privacy Shield). This announcement follows today’s adequacy decision by the College of EU Commissioners which recognizes that the Privacy Shield provides an adequate level of protection under EU data protection law. The adequacy decision represents formal approval of the Privacy Shield as a legal basis for data transfers from the EU to the U.S.

Privacy Shield certification will be available to companies as of August 1, 2016. Although the adoption of the Privacy Shield is a welcome development, it does not eliminate the recent legal uncertainty that has surrounded data transfers from the EU to the U.S., as the Privacy Shield is expected to face legal challenges before data protection authorities (DPAs) and courts.

Certification to the Privacy Shield is not a mere formality. Before certifying, companies should carefully review the Privacy Shield principles and the supplemental principles to assess whether it is a workable data transfer solution for their business. Noncompliance may expose companies to significant sanctions.

Click here to read our complete WSGR Alert discussing the new Privacy Shield.


HHS Brings Landmark HIPAA Enforcement Action Against a Business Associate for Alleged Data Security Failures

On June 29, 2016, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), settling charges that CHCS failed to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. As part of the settlement, CHCS will pay $650,000 and must implement a corrective action plan (CAP).

CHCS provides management and information technology services to six skilled nursing facilities and, as such, is considered a “business associate” under HIPAA. Business associates, which are organizations that provide certain types of services to HIPAA-covered entities, must comply with the HIPAA Security Rule. According to HHS, CHCS violated the Security Rule by failing to conduct an accurate and thorough assessment of the potential security risks to the electronic protected health information it held. HHS alleged that CHCS also failed to implement appropriate measures to reduce these risks to a reasonable and appropriate level. HHS initiated its investigation after receiving notice from the nursing homes that a CHCS mobile device was stolen. Protected health information of 412 individuals was stored on the device and, according to HHS, the device was not encrypted or password-protected.

Click here to read our complete WSGR Alert on the enforcement action.

EU Cyber Security and Incident Notification Rules Enacted

On July 6, 2016, the European Parliament adopted the first-ever pan-European law on cyber security. The law, entitled the “Directive on the Security of Network and Information Systems” (NIS Directive), imposes security requirements and security incident notification obligations on digital service providers and operators of essential services.

The NIS Directive was enacted as part of the European Commission’s broader initiative to strengthen cyber security capabilities in the EU and will take effect in August 2016 (20 days after its publication in the EU Official Journal). However, like all EU Directives, it must be implemented into national law to be fully effective. EU member states will have 21 months to implement the NIS Directive into their national laws. As a result, businesses should expect the rules to come into final force no later than May 2018.

Click here to read our complete WSGR Alert on the NIS Directive.

ISPs Could Face New Privacy Regulations Under FCC Proposed Rulemaking

On March 31, 2016, the Federal Communications Commission (FCC) adopted a Notice of Proposed Rulemaking (NPRM) that proposed to establish new privacy guidelines for broadband Internet service providers (ISPs).[1] The FCC designed the proposal to “ensure broadband customers have meaningful choice, greater transparency and strong security protections for their personal information collected by ISPs.”[2] To accomplish this goal, the NPRM proposes to apply the privacy requirements of Section 222 of the Communications Act[3] to ISPs that offer broadband Internet access service (or, in the NPRM’s terminology, “BIAS”).[4] The FCC asserted that applying the privacy requirements set forth in Section 222 would “give broadband customers the tools they need to make informed decisions about how their information is used by their ISPs and whether and for what purposes [their information may be shared] with third parties.”[5]

FTC Increases Maximum Civil Penalties for HSR Act, COPPA, and Other Violations from $16,000 to $40,000

On June 30, 2016, the Federal Trade Commission (FTC) issued an interim final rule that substantially increases the maximum civil penalties for violations of the competition and consumer protection laws enforced by the FTC that authorize the assessment of civil penalties. The increased amounts will apply to penalties assessed on or after August 1, 2016, even if the associated violation occurred before August 1, 2016.

Click here to read our complete WSGR Alert on the FTC’s increases to maximum civil penalties.

WSGR Alert: FTC Brings First Privacy Enforcement Action Against a Mobile Ad Network

On June 22, 2016, the Federal Trade Commission (FTC) announced that it has settled charges that InMobi, a Singapore-based mobile advertising company, deceptively tracked the locations of hundreds of millions of consumers, including children, to deliver geo-targeted advertising, and violated both the FTC Act and the Children’s Online Privacy Protection Act (COPPA). This is the FTC’s first enforcement action against a mobile advertising network. The FTC alleges that, in instances when consumers had set their device settings to deny access to location information, InMobi inferred consumers’ locations based on the WiFi networks near their devices and served them geo-targeted ads. As part of the settlement, InMobi has agreed to implement a comprehensive privacy program, to collect or infer location information only after obtaining consumers’ affirmative express consent, and only in a manner consistent with consumers’ device location settings, and to pay a civil penalty of $950,000 to resolve the alleged COPPA violations.

Click here to read our complete WSGR Alert examining the FTC settlement.