February 3, 2016 Statement of the Article 29 Working Party on the Consequences of the Schrems Judgment

In response to the announcement of the EU-U.S. Privacy Shield, the Article 29 Working Party issued its own statement, the key elements of which are as follows:

The Working Party will not blindly accept the EU-US Privacy Shield. It welcomes the conclusion of the negotiations, but is also asking to see all documents pertaining to the new EU-US Privacy Shield by the end of February. The Article 29 Working Party will then evaluate whether the arrangement meets what it considers to be the four essential guarantees relating to the processing of data by intelligence agencies:

the processing should…

EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield

What follows below is the EU’s press release regarding the agreement on a replacement for the EU-US Safe Harbor.  We are working to get details and will schedule a webinar on the new framework shortly.

***

The European Commission and the United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.

Today, the College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement. This new framework will protect the fundamental rights of Europeans where their…

The Cybersecurity Act of 2015: Implications for Threat Sharing

On December 18, 2015, President Obama signed the Cybersecurity Act of 2015 (the “Act”), legislation designed to combat online threats to the federal government, state and local governments, and private entities. Within the Act are four titles, the most significant of which is Title I, the Cybersecurity Information Sharing Act (“CISA”) (which begins at p. 694).

CISA addresses the manner in which the federal government and non-federal entities may share information about cyber threats and the defensive measures they may take to combat those threats.

CISA: An Optional Opportunity

CISA does not require non-federal entities (private entities and state,…

Massachusetts Health Information Management Association Winter Meeting: Compliance Beyond HIPAA

On January 22, 2016, I had the pleasure to present to the Massachusetts Health Information Management Association’s Winter Meeting, to discuss “Compliance Beyond HIPAA.”  The presentation slides from the program are available here, and reflect discussion of:

recent HHS OCR guidance on “Individuals’ Right under HIPAA to Access their Health Information 45 CFR §164.524”; a new HHS OCR FAQ on EHR incentives and their interaction with HIPAA; amendment of the HIPAA Privacy Rule to address release of mental health information for firearm background checks; charges for copying of records (especially involving attorneys); a new HHS OIG…

EU Safe Harbor Update: No Solution in January?

As we have noted previously, in the wake of the ECJ’s decision that undid the US-EU Safe Harbor, we were told that there would be no enforcement of the EU Directive until after January 31, to allow the US and EU to hammer out a new regime. However, Isabelle Falque-Pierrotin, the chair of the EU’s Article 29 Working Party, has stated that the next meeting of the Working Party will take place on February 2.  There has been no indication of any extension in the EU’s moratorium on enforcement.  While we do expect the question of enforcement to be addressed…

Amendment to the Annual Privacy Notice Delivery Obligations of Financial Institutions under the Gramm-Leach-Bliley Act contained in the FAST Act

On December 4, 2015, President Obama signed the Fixing America’s Surface Transportation Act (the “FAST Act”) into law. Although the FAST Act’s main focus is on improving the country’s surface transportation infrastructure, the law also contains a provision that modified the annual privacy notice requirement under the Gramm-Leach-Bliley Act (“GLBA”).

Previously under the GLBA privacy regulations, financial institutions (which include registered investment advisers, investment companies, broker-dealers and private funds) had to circulate to their customers an annual…

HIPAA Privacy Regulations Amended to Allow Disclosures of Mental Health Information for Firearm Background Checks

On January 4, 2016, the Department of Health and Human Services (HHS) modified the HIPAA Privacy Rule to expressly permit certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of those individuals who, for mental health reasons, already are prohibited by Federal law from having a firearm.  According to HHS, “This modification better enables the reporting of the identities of prohibited individuals to the background check system and is…

Phishing for Christmas

As the Wall Street Journal noted yesterday, banks are being deluged with phishing attacks.  These attacks are especially fierce around the holiday season, when more personnel are absent and normal procedures are ignored or bypassed.  The FBI and other law enforcement agencies are focused on these attacks, but it only takes one employee to “believe” a phishing email for the trouble to start.

This is the time of year when we think of giving to others, but those gifts…

European Union Agrees On a New Data Protection Framework To Replace the 95/46/CE Directive: Meet the “General Data Protection Regulation”

On 15 December 2015, the three main European institutions, the Commission, the Parliament and the Council, agreed on the final text of the General Data Protection Regulation (GDPR), which has been on the table since January 2012. This is a major achievement, given the number of obstacles that still needed to be overcome a few weeks ago in order to meet the end of 2015 deadline for finalizing the GDPR.  The GDPR provides a brand new single set of rules for the protection of data across the whole of Europe, and these rules are very different from those enshrined…

Wyndham and FTC Settle Data Breach Lawsuit: Implications

Today, Wyndham and the FTC settled the enforcement action brought by the FTC that had led to a significant decision by the Third Circuit in August of this year.  (Wyndham’s statement on the settlement can be found here; the FTC’s statement can be found here; my earlier analysis of the Third Circuit’s decision can be found here.)  While the details of the settlement are interesting in their own right – Wyndham will not be paying anything by way…