The European Union will soon have its first-ever cybersecurity rules, which will impact a broad range of industries, such as transportation, energy, and online marketplaces. On December 7, 2015, the European Parliament and the Council of the European Union, which is composed of representatives of the 28 EU countries, reached a political agreement on the draft Directive on Network and Information Security (the NIS Directive). Although the text is still being finalized at the technical level, it is expected to be formally adopted in early 2016.
Continue Reading EU Agrees to New Cybersecurity and Incident Notification Rules

 In late 2015, the U.S. Department of Health and Human Services (HHS) announced three settlements in which the agency will collect over $5 million in collective penalties for alleged non-compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In addition to the monetary penalties, each of the settlements requires compliance with a Corrective Action Plan (CAP), calling for the organizations to invest significant resources toward HIPAA compliance.
Continue Reading HHS Ends 2015 with Three HIPAA Enforcement Settlements

 On February 3, 2016, the body of European data protection regulators—the Article 29 Working Party (WP29)—issued a statement following the announcement of a political agreement regarding a new transatlantic data transfer scheme, the EU-U.S. Privacy
Continue Reading WSGR Alert: EU Data Protection Authorities Issue Statement Following Agreement on EU-U.S. Privacy Shield

 On February 2, 2016, the European Commission announced that a political agreement on a new legal framework for data transfers has been reached between the European Union (EU) and the U.S. Today’s agreement introduces the

Continue Reading WSGR Alert: EU and U.S. Reach a Political Agreement on Transatlantic Data Transfer Deal

On December 17, 2015, the Federal Trade Commission (FTC) announced its first Children’s Online Privacy Protection Act (COPPA) enforcement actions challenging the use of persistent identifiers to engage in targeted advertising to children. The FTC
Continue Reading WSGR Alert: FTC Brings First Enforcement Actions Against Kids Apps Using Persistent Identifiers for Targeted Advertising

On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor framework as a legal basis for transferring personal data from the European Union to the U.S. The judgment was delivered in Schrems v. Data Protection Commissioner, a case in which Max Schrems, an Austrian student, complained to the Data Protection Authority (DPA) in Ireland about the transfer of his personal data by Facebook to its servers in the U.S.

The Schrems judgment is of major importance to the over 4,000 companies that relied on Safe Harbor to transfer personal data from the EU to the U.S. This article details the background of the case, analyzes its holdings and consequences, and summarizes the main developments that have occurred since the judgment was issued.
Continue Reading What’s Next for U.S.-EU Data Transfers? An Analysis of Recent Developments Following Schrems