
HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Consumer Privacy

FCC Privacy Rules Break New Ground


On November 2, 2016, the Federal Communications Commission (FCC) released its long-awaited – and much debated – Report and Order adopting privacy rules for Internet Service Providers (ISPs).  In the Order, the FCC applied the Communications Act’s privacy requirements to broadband Internet access service (BIAS), which it called “the most significant communications technology of today.”

Several of the FCC requirements are particularly notable for being more restrictive than the Federal Trade Commission’s (FTC) standards for consumer online privacy.  In this post we provide an overview of some of the new FCC rules and highlight key areas where the FCC’s requirements diverge from the FTC’s framework.


Posted in News & Events

Privacy and Cybersecurity November 2016 Events

Please join us for our November 2016 Privacy and Cybersecurity Events.

November 1
Privacy, Cybercrime, and National Security
Harriet Pearson interviewed U.S. Attorney for New Jersey Paul Fishman during a fireside chat hosted by the Princeton Club of New York entitled “How Much Should Privacy Yield in the Fight Against Cybercrime and National Security Threats and Who Should Decide?”
Location: Washington, D.C.

November 1
IoT Cybersecurity
Julie Brill delivered the opening remarks for the afternoon panels at the 2016 Winnik International Telecoms and Internet Forum: The Internet of Things: Legal Challenges and Opportunities. Tim Tobin moderated a panel on “Protecting your Privacy in the IoT” and Harriet Pearson moderated a panel on “The Security of Challenges in the Internet of Things.”
Location: Hogan Lovells’ office in Washington, D.C.

Posted in International/EU Privacy

EU-U.S. Umbrella Agreement Gets ‘Amber Light’ from Article 29 Working Party

The Article 29 Working Party has issued a revealing statement about the so-called EU-U.S. Umbrella Agreement, which is aimed at creating a high-level data protection framework in the context of transatlantic cooperation on criminal law enforcement.

As a sign of support for the deal, the Working Party welcomes the initiative to set up a general data protection framework in relation to law enforcement cooperation.  In a fairly positive tone, the Working Party states that the Umbrella Agreement “considerably strengthens the safeguards in existing law enforcement bilateral treaties with the US, some of which were concluded before the development of the EU data protection framework.” The Working Party also explicitly “recognises the legitimate case for efficient exchange of information in the context of co-operation between law enforcement authorities”.

Posted in Consumer Privacy

FTC Litigation Prompts Changes to Congressional Oversight

Close followers of the cases FTC v. Wyndham Worldwide Corp. and In the Matter of LabMD know that the litigation has prompted increased Congressional oversight of the Federal Trade Commission’s (FTC) data security enforcement practices.  Prior to Wyndham and LabMD, Congressional debates on the FTC’s data security practices centered on whether the Commission should have additional tools to address these issues, including traditional rulemaking authority to create new data security rules, civil penalty authority to fine violators, or authority over the activities of non-profit entities.  To the extent Congress questioned the FTC’s enforcement decisions in this pre-Wyndham and LabMD era, those inquiries typically focused on the length of time of FTC settlement agreements, while relatively little attention was paid to how the Commission provided notice of its data security standards or how the Commission chose its enforcement targets.  Wyndham and LabMD fundamentally shifted this debate.

Posted in International/EU Privacy

Russian Court Decrees LinkedIn Blocked in Russia for Non-Compliance with Data Localization Law

Media reports this week broke the news that a Russian court of first instance ruled this past August to block LinkedIn from Russian Internet users for violating Russia’s data localization law, which requires websites and other businesses that collect personal data from Russian citizens to store that data within the territory of Russia. According to the available court ruling (in Russian), an appeal was filed and a hearing is scheduled for that appeal on 10 November 2016.

Posted in Health Privacy/HIPAA

New HHS Guidance Makes Clear HIPAA Applies in the Cloud

Cloud service providers are on notice: you are HIPAA business associates, even if you are unable to access the HIPAA protected information in your cloud. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance making clear that cloud service providers (CSPs) that create, receive, maintain, or transmit electronic protected health information (PHI) are covered by HIPAA.

Posted in News & Events

We’ve Been Nominated – Help Us Win!

We are proud to announce that the Hogan Lovells Chronicle of Data Protection blog has been nominated in The Expert Institute’s 2016 Best Legal Blog Contest for the award of Best AmLaw Blog of 2016. Our editors at The Chronicle strive to provide you with the most relevant and timely legal news, practical legal analysis, and business insights relating to privacy and cybersecurity. We appreciate the recognition for this work and your continued readership.

But that’s not all! The 2016 Best Legal Blog title will be won by votes. If you have enjoyed the analysis you’ve read at The Chronicle, we would appreciate it if you took a moment to communicate your sentiment by casting a vote in our favor, here. In the meantime, we look forward to providing you with continued coverage and analysis of privacy and cybersecurity news and trends.

Posted in International/EU Privacy

The Ever-Expanding Concept of Personal Data

The Court of Justice of the European Union (CJEU) has ruled that dynamic IP addresses are capable of constituting personal data under certain circumstances, ending years of speculation about whether such essential building blocks of the Internet qualified for protection under the EU Data Protection Directive.

In Patrick Breyer v Bundesrepublik Deutschland, the German Federal Court referred two questions to the CJEU in a case brought by Patrick Breyer, a member of the Pirate Party. He challenged the collection and use of dynamic IP addresses (binary numbers assigned by Internet Service Providers (ISPs) to devices to allow data on a website to be transferred to the correct recipient, where a new number is assigned to the device for each connection) from websites run by the German Federal Government. The government justified this practice by reference to the prevention of crime, in particular denial-of-service attacks.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

FTC Workshop Analyzes Privacy Implications of Drones

On October 13, the Federal Trade Commission (FTC) held a workshop on drone privacy and cybersecurity as part of its Fall Technology Series.  Close watchers of the drone privacy debate would recognize the arguments presented at the FTC workshop as reminiscent of the comprehensive and productive debate over drone privacy played out before the National Telecommunications and Information Administration (NTIA) earlier this year.  The NTIA process concluded with the release of Best Practices for drone privacy supported by a diverse group of industry members and civil society representatives.  Although the FTC’s workshop was in many ways a reprise of the NTIA multi-stakeholder debate, the workshop was notable insofar as the public gained new insights into FTC staff views on drone privacy and cybersecurity.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

Online Trust Alliance Releases Privacy and Security Checklist for IoT Consumers

Some of the largest cyber attacks in recent memory have employed an army of connected home devices to achieve their goals. This co-opting of connected home devices owned by consumers around the world occurs without those consumers’ knowledge or consent. For example, in mid-September, several thousand devices—home routers, Internet-connected video cameras, and digital video recorders—were used to create a “botnet” that collectively pounded the security researcher Brian Krebs’ website with 620 gigabits of data per second. At the time, the attack was thought to be the largest in history.  An even larger army was assembled a few days later for an attack on the French hosting provider OVH that peaked at over one terabit of traffic per second. These distributed denial-of-service (DDoS) attacks were successful because they exploited basic security vulnerabilities in connected home devices, such as default passwords used to access administrator settings.