Status Update on the EU e-Privacy Regulation Proposal Discussions

On January 10, 2017, the European Commission published a Proposal for a Regulation (Proposal) relating to privacy rules for the electronic communications sector. The Proposal will impose new, more rigorous privacy regulatory obligations on nearly all companies doing business in the EU over the Internet. It will address a host of important issues, including the processing of communications content and metadata and the use of Wi-Fi and Bluetooth tracking, for Internet-based services and technology providers. Once enacted, the Proposal will replace the e-Privacy Directive and will complement the EU General Data Protection Regulation (GDPR).

As part of the legislative process, the responsible committee of the European Parliament (the Parliament being one of the two legislative bodies charged with reviewing the Proposal) issued a Draft Report in June 2017 and is reviewing more than 800 proposed amendments to the Proposal. In addition, the Article 29 Working Party (WP29), the body of EU data protection authorities, published a non-binding opinion (the Opinion) on the Proposal in April 2017, urging a number of revisions that would impose even more obligations on covered companies.

This article provides a status update on the Proposal, including the main requirements currently under discussion at the European Parliament and an overview of the next steps. Read our previous WSGR Alert for more information about the Proposal and the Draft Report.

Hello, Dolly: What You Need to Know About Connected Smart Toys and Privacy

As connected devices become ubiquitous, it comes as no surprise that interactive toys that connect to the Internet are more popular than ever. At the same time, regulators have taken note of the privacy and security concerns raised by lawmakers and privacy advocates about the proliferation of smart toys that collect personal information from kids. Recent guidance issued by both the Federal Trade Commission (FTC) and the Federal Bureau of Investigation (FBI) suggests that the agencies may be taking a closer look at the rapidly expanding connected toy market, a small part of the largely unregulated "Internet of Things."

Ashley Madison: Life Is Short. Settle.

On July 21, 2017, Judge John A. Ross of the U.S. District Court for the Eastern District of Missouri issued a preliminary approval of a settlement agreement between the owner of the Ashley Madison website and the class representing former users whose personal information was exposed in the July 2015 breach. Under the terms of the settlement, Ruby Corp, the operator of the Ashley Madison website, is scheduled to pay $11.2 million. For some, the settlement announcement is a missed opportunity: the litigation represented a chance to clarify the scope of actionable consumer harm in breach-related litigation, because, unlike in other notable breaches, the mere identification of individuals who used the website (and were thus affected by the breach) likely produced unwanted consequences. Nonetheless, the settlement agreement is interesting in its own right, as it offers unique solutions for class members who seek financial remuneration but wish to avoid further publicity regarding their connection to the website.

New EU e-Privacy Regulation: European Parliament Committee Publishes Draft Report

The EU Parliament Committee in charge of reviewing the EU Commission's Proposal for an e-Privacy Regulation (Proposal) recently released a Draft Report proposing amendments to the regulation.

The e-Privacy Regulation will regulate new electronic communication services such as instant messaging, VoIP services, web-based email, and IoT devices, and will impose significant additional obligations on Internet services and related technologies, including cookies and similar tracking technologies. It supplements the General Data Protection Regulation (GDPR), adopted last year, which becomes effective May 25, 2018.

The Draft Report is the EU Parliament’s first legislative step towards the adoption of the e-Privacy Regulation, after the EU Commission Proposal earlier this year. We expect the final position of the EU Parliament to come in a Fall 2017 vote. However, this week’s Draft Report sets the tone for forthcoming discussions.

For more information, please see our complete WSGR Alert, which provides background information, identifies the main takeaways of the Draft Report, and gives an overview of the next steps.

The Serious and Immense Impact of a Medical Device Hack

On August 25, 2016, investment firm Muddy Waters Research announced it had taken a short position in St. Jude Medical, Inc., and released a report suggesting a "strong possibility that close to half of" St. Jude revenues were about to disappear for a period of roughly two years because St. Jude's implantable cardiac devices were allegedly vulnerable to cyberattacks. The report further stated that the alleged attacks included crash attacks that cause devices to malfunction, including by apparently pacing at a potentially dangerous rate, and battery-drain attacks that could be particularly harmful to device-dependent users.

In the Summer 2017 edition of The Life Sciences Report, a group of attorneys from Wilson Sonsini Goodrich & Rosati explore select ramifications of a medical device hack, and provide some suggested best practices for companies that offer medical devices to the public. Click here to read the complete article.

New Cybersecurity Rules Now in Effect for Entities Regulated by New York State Department of Financial Services

On March 1, 2017, new cybersecurity rules went into effect for entities regulated by the New York State Department of Financial Services (DFS). The Cybersecurity Requirements for Financial Services Companies are designed to help protect business and customer information and the IT systems of the entities that DFS regulates. While the Cybersecurity Requirements took effect on March 1, regulated entities have 180 days to comply. The final requirements are available here.

Who Is Regulated?

The Cybersecurity Requirements apply to companies "operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law" ("covered entities"). Covered entities include banks, savings and loans, trust companies, check cashers, credit unions, money transmitters, lenders, insurers, holding companies, investment companies, mortgage brokers, originators, and servicers, and certain other regulated types of companies doing business in New York. Smaller covered entities are exempt from certain components of the Cybersecurity Requirements, but they are still required to file an exemption form with DFS.