After a prolonged debate and months-long consideration of amendments, on Tuesday the Senate passed S. 754, which includes the Cybersecurity Information Sharing Act (“CISA”) of 2015, by a vote of 74-21. CISA has the support of the White House and many industry stakeholders, but some of the most well-recognized privacy advocacy organizations oppose it. The House of Representatives must now decide whether to pass CISA or work with the Senate on compromise legislation that incorporates the House cybersecurity information sharing bills, H.R. 1560 and H.R. 1731. It remains to be seen what form the final cybersecurity information sharing bill will take, but the Senate’s overwhelming vote for CISA suggests that the chances for overall passage are stronger than ever.
At its core, CISA creates liability protections for entities that monitor their information systems and share cyber threat information with, or receive information from, the federal government through the mechanisms established in the bill. Privacy advocates argue that these liability protections facilitate ever-increasing government collection of citizens’ data without sufficient privacy safeguards. The authors of CISA try to mitigate these concerns by requiring that certain personal information be removed from the information that is shared with the government. However, the authors maintain the liability protections in the bill because they are viewed as fundamental to encouraging participation in the voluntary information sharing program.
We are now almost two months into the era of Russia’s Data Localization Law, which came into force on 1 September. While some expected immediate enforcement, the Russian Data Protection Authority, Roskomnadzor, has not yet taken any action for a violation of the data localization requirements. Last month, Roskomnadzor did take formal enforcement action to block a website and add it to the register of violators of data subject rights (link in Russian) for maintaining an illegal Internet database containing the contact details of over 1.5 million Russian citizens. This enforcement, however, was not for a violation of the data localization law, but rather for the illegal collection and dissemination of personal data under other Russian data protection laws.
Data privacy and security regulators don’t always agree. That’s no surprise to those observing the discussions that have followed the European Court of Justice’s decision to invalidate the adequacy of the EU-U.S. Safe Harbor framework. But the disputes aren’t always global. Sometimes regulators from the same country, working in the same agency, disagree about how to regulate data privacy and security issues.
Take a look at the Federal Trade Commission (“FTC”) for example. In recent years, FTC commissioners have disagreed about the role that cost-benefit analyses should play and the types of consumer harms that should be considered in the FTC’s data privacy and security enforcement actions. For organizations that rely on the collection and use of consumer information, understanding the different viewpoints at the FTC and how those viewpoints may influence future enforcement is vital to evaluating risk.
On Thursday, November 5, 2015, the Future of Privacy Forum (“FPF”) will look at those issues as it celebrates its new home and its new partnership with Washington & Lee University School of Law by hosting a panel discussion addressing the Future of Section 5 of the FTC Act. Panelists David Vladeck (former FTC Consumer Bureau Director) and James Cooper (former Acting Director of the Office of Policy Planning) will look at key Section 5 issues, including:
In a decision issued late last Friday, the United States District Court for the District of Minnesota rejected an effort by class action Plaintiffs to access materials created in the course of Target’s investigation of its 2013 payment card breach that Target claimed were protected by the attorney-client privilege and work product doctrine.
Speaking at a recent conference organized jointly by AmCham and EY on “the Internet of Things, Opportunities and Challenges for the Protection of Personal Data”, Sophie Nerbonne, Head of Compliance at the French data protection authority (the CNIL), explained how the CNIL views the opportunities and risks raised by connected devices, focusing particularly on smart meters as a scheme that may apply to other devices.
The EU’s Article 29 Working Party issued a statement today on the recent Schrems decision invalidating the adequacy of the EU-U.S. Safe Harbor framework, emphasizing that affected businesses should start to put in place legal and technical solutions in a timely manner to meet EU data protection standards. The statement gave a January 2016 deadline for companies to come into compliance with the ruling, at which point EU data protection authorities would be “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” In response, we publish here a high-level analysis of the possible options available for companies—including the EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules, Safe Harbor 2.0, and consent—and the pros and cons of choosing each one.
The HHS Office for Civil Rights (OCR) has launched an online portal designed to solicit questions from mHealth developers regarding compliance with HIPAA privacy and security requirements. The portal is designed to demystify HIPAA for app developers while providing guidance to regulators about which aspects of HIPAA may require clarification.
OCR emphasized that the site will not be used to inform or identify potential enforcement actions. Instead, OCR hopes that the site will be a cooperative platform, allowing app developers to guide OCR’s selection and focus of future guidance topics. OCR senior adviser Linda Sanches has stressed that app developers should be candid and forthcoming with their questions, which will be anonymous to OCR and moderated for appropriateness.
In our previous post we outlined the key issues regarding mHealth devices and services from a privacy law perspective. Now, we go further into the details and discuss the scope of the personal data involved, especially relating to sensitive health data. We introduce the relevant statutory requirements in the EU and the legal opinions of the Article 29 Working Party and the European Data Protection Supervisor, as well as having a look at the upcoming European General Data Protection Regulation. Against this legal background, one core question we will examine is whether information collected and processed by lifestyle apps and devices must be classified as health data and fall under the strict requirements of European data protection laws.
Thank you to everyone who participated in today’s webinar “Safe Harbor Invalidated – What Next?”, in which we analyzed the implications of yesterday’s decision by the Court of Justice of the European Union invalidating the EU-U.S. Safe Harbor Framework. In the webinar, we explored:
- What is the status of data transfers currently being legitimized by Safe Harbor?
- What alternative options are available for Safe Harbor members to lawfully receive data from Europe?
- What steps must Safe Harbor members take to transition to those other options?
- What are Safe Harbor members required to do with EU data already in the U.S.?
- How should companies respond to enquiries from EU clients and regulators concerned about the lack of a lawful basis for transfers?
To access a copy of the slide deck, click here.
To access the recorded webinar (1 hr 6 mins), click here.
Stay tuned to the blog for future updates, including any interpretations or next-steps guidance from the European data protection authorities, the U.S. Department of Commerce, or the Federal Trade Commission.
On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the EU-US Safe Harbor framework invalid as a mechanism to legitimize transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful.
Safe Harbor was jointly devised by the European Commission and the U.S. Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. Following a dispute between Austrian law student Max Schrems and the Irish Data Protection Commissioner, the CJEU was asked to consider whether a data protection supervisory authority was bound by the European Commission’s decision that Safe Harbor provided an adequate level of protection for European data.
In its ruling, the CJEU goes beyond this specific question and takes the view that Safe Harbor does not in fact provide an adequate level of data protection, because it is unable to prevent large-scale access by the U.S. intelligence authorities to data transferred from Europe.
What is the practical effect of the decision?
The decision invalidating Safe Harbor has the following consequences: