Fifteen months after forming an Internet of Things (IoT) working group, on March 2, 2016, the Online Trust Alliance (OTA) released a final version of its IoT Framework (Framework) along with a companion Resource Guide that provides explanations and additional resources. The voluntary Framework sets forth thirty suggested guidelines that provide criteria for designing privacy, security, and sustainability into connected devices. The creation of the OTA IoT principles represents a potential starting point for achieving privacy- and security-protective innovation for IoT devices.
In a thorough legal analysis of the EU-U.S. Privacy Shield framework, a report from Hogan Lovells says the framework would stand up in the Court of Justice of the European Union (CJEU), and that the true level of data protection afforded by the Privacy Shield framework will only be demonstrated by its functioning and the practices of its participants.
Last week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched the long-awaited Phase 2 HIPAA Audit Program. Earlier this month, the agency posted two resolution agreements that continue the trend toward big dollar settlement amounts and a focus on security risk assessments and business associate agreements. With Phase 2 HIPAA Audits underway and more full-scale compliance reviews triggered by data breach reports, it is more important than ever to appropriately protect health information.
Hogan Lovells announced today that Julie Brill will join the firm as a partner and co-director of the Privacy and Cybersecurity practice on 1 April. Brill is a Commissioner at the Federal Trade Commission and her service will conclude on 31 March.
As co-director of the Privacy and Cybersecurity practice, Brill succeeds co-director and founding partner Christopher Wolf, who will transition to senior status at the firm. She will be joined in leadership by Marcy Wilder, co-director of the Privacy and Cybersecurity practice; Harriet Pearson, leader of the firm’s Cybersecurity Solutions Group and Cyber Risk Services business unit; and Eduardo Ustaran, a partner in the firm’s London office and leader of the firm’s European data protection practice.
The February 29, 2016 announcement of the new EU-U.S. data transfer framework—the Privacy Shield—was accompanied by over 130 pages of documentation and significantly more operational details than its predecessor, Safe Harbor. We have reviewed the Privacy Shield materials and published a comprehensive breakdown of the changes from Safe Harbor to Privacy Shield and the practical impact on business: Inside the New and Improved EU-U.S. Data Transfer Framework.
In general, the Privacy Shield imposes more specific and exacting measures on U.S. organizations wishing to join the framework. It also includes additional checks and balances designed to make sure that the rights of EU individuals can be exercised when their data is being processed in the United States. That said, the seven Privacy Shield Principles are largely aligned with the privacy practices followed by Safe Harbor participants and found in other global privacy compliance programs, and should not be an insurmountable burden for companies looking to shift from Safe Harbor compliance to Privacy Shield compliance.
The full text of Inside the New and Improved EU-U.S. Data Transfer Framework was first published on Law360.
On Thursday, Federal Communications Commission (“FCC”) Chairman Tom Wheeler circulated a highly anticipated broadband data privacy and security Notice of Proposed Rulemaking (“NPRM”) to the other Commissioners, slating the proposals for a full Commission vote at the agency’s March 31 Open Meeting. The rules would apply to internet service providers (“ISPs”), but organizations throughout the online data ecosystem will want to pay close attention to this rulemaking and be prepared to comment on the FCC’s proposals.
As reported in The New York Times, Hogan Lovells represented a diverse group of 15 major technology companies, including Google, Facebook, Microsoft, Snapchat, and Cisco, in filing an amicus brief last week in In re Search of an Apple iPhone. The Times reports:
“‘These companies, which are often fierce competitors, have joined together to voice concern about the attempted government overreach in this case, which threatens the integrity and security of their products and privacy rights of consumers in general,’ said Neal Katyal, a lawyer at Hogan Lovells for the tech companies and a former acting solicitor general of the United States.”
The US government has been increasingly active in cybersecurity legislation and enforcement. Congress recently passed the Cybersecurity Act of 2015, which has spurred renewed attention to cybersecurity requirements and cyber threat information sharing. The US government continues to draw attention to how organizations can align their cybersecurity programs with the NIST Cybersecurity Framework. Moreover, a number of federal agencies including the Consumer Financial Protection Bureau, Federal Trade Commission, and Federal Communications Commission have all issued settlements relating to cybersecurity enforcement actions in recent months. In the health sector, the US Department of Health and Human Services (HHS) has been increasingly focused on cybersecurity, primarily through its HIPAA enforcement activities. Against that backdrop, three recent developments demonstrate the ways in which HHS and the health sector are expanding their cybersecurity focus beyond HIPAA Security Rule compliance.
The Chronicle is happy to report that March will see our Privacy and Cybersecurity attorneys speaking around the globe.
Please see below for a full list of our March 2016 PaC events.
Significant changes are afoot for processors. With the text of the European Union General Data Protection Regulation (GDPR) now published, processors will need to begin to acclimatise to the new regime under the GDPR. Although the GDPR still places the lion’s share of compliance responsibilities on controllers, it also extends direct application of the law to processors and renders them subject to fines, in an effort to allocate responsibility between the parties.