Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Health Privacy/HIPAA

Recap of the OCR/NIST Conference on Safeguarding Health Information

Regulators provided key insights into enforcement trends and potential changes to HIPAA regulations at the 11th Annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference in October co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Continue Reading

Posted in International/EU Privacy

Data Protection and the Draft EU-UK Withdrawal Agreement: Ten Initial Conclusions

The draft text of the EU-UK withdrawal agreement was published by the UK Government and the European Union yesterday, providing some of the first concrete indicators of the possible direction of travel in the area of data protection. Analysis of the text has barely started, but some of our initial conclusions are outlined below. Continue Reading

Posted in International/EU Privacy

Update: Vietnam’s New Cybersecurity Law

On June 12, 2018, the Vietnamese National Assembly passed the Law on Cybersecurity (the “Cybersecurity Law“), which will take effect on January 1, 2019. Among other aims, the law seeks to regulate data processing methods of technology companies that operate in Vietnam and restrict the Internet connections of users who post “prohibited” content. The seemingly broad application of the law’s provisions understandably caused concern among foreign tech companies serving Vietnamese end-users with fears of mandatory data localization and requirements to establish a physical presence in Vietnam.

As is common in Vietnam, the Cybersecurity Law was drafted quite broadly with further specifics to be provided through future implementing guidance issued by the relevant authorities. While earlier drafts of the implementing guidance saw the authorities pushing forward on all provisions of the Cybersecurity Law, the latest draft implementing decree published on October 31, 2018 has, to an extent, allayed concerns with an apparent narrowing of the law’s scope of application. Issues do, however, remain.

We discuss below key aspects of the Cybersecurity Law and the current draft implementing decree.

Continue Reading

Posted in International/EU Privacy

Busting the Myth: Compliance with the ‘Gold Standard’ of the GDPR Does Not Buy You a ‘Free Pass’ Under China’s New Personal Information Guidelines

On December 29, 2017, the Standardization Administration of China, jointly with the PRC General Administration of Quality Supervision, Inspection and Quarantine, issued the Information Security Technology Personal Information Security Specification (GB/T 35273-2017, “Specification”), which officially came into effect on May 1, 2018.

Although the Specification is only a recommended (as opposed to a mandatory) national standard, we have in the months since its introduction seen regulatory authorities in China point to the Standard as providing a more granular and specific treatment of the generally-worded data protection requirements set out in the PRC Cyber Security Law that came into effect on June 1, 2017 (“Cyber Security Law”). The Specification has, in very practical terms, become an important point of reference in evaluating the complex overlay of data protection compliance requirements found in the Cyber Security Law, the Law on the Protection of Consumer Rights and Interests, the e-Commerce Law, and other enactments and measures. Continue Reading

Posted in International/EU Privacy, Privacy & Security Litigation

U.S. Court Allows Video Deposition Over EU Deponent’s Privacy Objections

A U.S. court has recently ruled that an EU citizen’s privacy rights and the GDPR do not trump a U.S. litigant’s right to obtain discovery, including video-taped depositions. In d’Amico Dry d.a.c. v. Nikka Finance, Inc., CA 18-0284-KD-MU, Dkt. No. 140 (Adm. S.D. Ala. Oct. 19, 2018), a federal magistrate denied an EU citizen’s motion for protective order, holding that the deponent could not rely on EU privacy law to withhold consent to a duly-noted video-recorded deposition scheduled to take place in London.

Continue Reading

Posted in News & Events

Privacy and Cybersecurity November 2018 Events

Please join us for our November 2018 events.

November 8
Cyber Risk
Paul Otto will discuss cybersecurity risk assessment on the panel, “Evaluating ‘Reasonable’ Cyber Risk Using the Center for Internet Security Risk Assessment Method,” at the NIST Cybersecurity Risk Management Conference.
Location: Baltimore, Maryland


November 8
Privacy Issues
Mark Brennan will lead a discussion on privacy issues at the EEI’s Fall Cybersecurity Law Conference.
Location: Phoenix, Arizona


November 8
Current State of the Automotive Industry
Tim Tobin will discuss the current state of the automotive industry and the impact of technology, regulations, and trade at the Hogan Lovells event, “Mexico at the Crossroads: The Automotive Industry – Present and Future.”
Location: Mexico City


Continue Reading

Posted in Employment Privacy

California Consumer Privacy Act: The Challenge Ahead – CCPA and Employee Data

This is the seventh installment in Hogan Lovells’ series on the California Consumer Privacy Act.

The application of the California Consumer Privacy Act of 2018 (“CCPA”) to employee data has been the subject of much debate since the first version of the bill was introduced on June 21, 2018 (just days prior to its enactment on June 28). Under a plain language reading of the CCPA, the law likely applies to employee data. However, it is unclear whether the California legislature intended that result. There is no clarity to be found in the general statutory structure, the legislative history, legislative responses to advocate letters, or the technical amendments signed into law on September 23. As part of our ongoing series on the CCPA, this post lays out why the issue of CCPA applicability to employees is controversial and nevertheless offers potential strategies to address CCPA compliance requirements as they may relate to personnel records. Continue Reading

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

Proposed Changes to FDA Guidance for the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: What you Should Know

October is National Cybersecurity Awareness Month and the Food and Drug Administration (FDA or the agency) has been busy.

On October 18, 2018, FDA issued a long-awaited draft revision to its existing guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices“(premarket cybersecurity guidance). This coincided with release of the FDA-supported “Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook” for health delivery organizations (HDOs), the announcement of two new Information Sharing Analysis Organizations (ISAOs), and FDA’s recent news release discussing the agency’s enhanced cybersecurity partnership with the U.S. Department of Homeland Security (DHS) earlier this month. Consistent with the U.S. Department of Health and Human Services – Office of Inspector General’s September 2018 report “FDA Should Further Integrate Its Review of Cybersecurity Into the Premarket Review Process for Medical Devices,” FDA’s recent flurry of activity focuses on providing additional clarity about when to interact with FDA, what information would be useful in submissions, and what level of documentation is expected. Cybersecurity clearly is a high priority issue for FDA and the agency is working hard to bring together stakeholders and provide the best information it can so that all entities that are involved in managing the multifaceted and evolving area of cybersecurity have the best and most current information to manage the risks of a cybersecurity intrusion.

This alert explains the following:

  • what is changing with the premarket cybersecurity guidance
  • the significance of the new HDO playbook
  • what the new ISAOs and partnership between the FDA and the DHS mean for you

Continue Reading

Posted in Consumer Privacy

The Internet of Things Webinar Series: Overcoming IoT Litigation Challenges

On October 2, 2018, Hogan Lovells hosted the most recent installment in its Internet of Things Webinar (IoT) Series. Two of our experienced litigation partners, Christine Gateau in Paris and Michelle Kisloff in Washington DC, discussed current regulatory actions and cutting-edge IoT litigation debates in the U.S. and Europe, as well as litigation risks to keep in mind when designing IoT products. To hear more on this topic, please access the full webinar recording using this link.

Posted in Consumer Privacy

California Passes First-Of-Its-Kind Law Focused on Internet of Things Cybersecurity

Late last month, California Governor Jerry Brown signed the first US Internet of Things (IoT) cybersecurity legislation: Senate Bill 327 and Assembly Bill 1906. Starting on January 1, 2020, manufacturers of regulated connected devices are required to equip such devices with “reasonable security features” designed to protect a connected device and any information it holds from “unauthorized access, destruction, use, modification, or disclosure.” This legislation was prompted by what the bill’s sponsor viewed as a “lack of security features on internet connected devices undermin[ing] the privacy and security of California’s consumers.”

The new law regulates manufacturers of “connected device(s),” defined as devices that can directly or indirectly connect to the Internet and are assigned an Internet Protocol (IP) or Bluetooth address. The law likely applies primarily to manufacturers of consumer-facing connected devices, given the legislative history and text, although the language is quite broad. Continue Reading