The U.S. Department of Health and Human Services (“HHS”) recently announced the publication of “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (the “Cybersecurity Practices”). The Cybersecurity Practices were developed by the Healthcare & Public Health Sector Coordinating Councils Public Private Partnership, a group comprised of over 150 cybersecurity and healthcare experts from government and private industry.
On December 20, 2018, the Department of Commerce updated its frequently asked questions (“FAQs”) on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”) to clarify the effect of the UK’s planned withdrawal from the EU on March 29, 2019. The FAQs provide information on the steps Privacy Shield participants must take to receive personal data from the UK in reliance on the Privacy Shield after Brexit.
On November 9, 2018, Serbia’s National Assembly enacted a new data protection law. The Personal Data Protection Law, which becomes effective on August 21, 2019, is modeled after the EU General Data Protection Regulation (“GDPR”).
On November 6, 2018, the French Data Protection Authority (the “CNIL”) published its own guidelines on data protection impact assessments (the “Guidelines”) and a list of processing operations that require a data protection impact assessment (“DPIA”). Read the guidelines and list of processing operations (in French). Continue Reading CNIL Publishes DPIA Guidelines and List of Processing Operations Subject to DPIA
On October 17, 2018, the French data protection authority (the “CNIL”) published a press release detailing the rules applicable to devices that compile aggregated and anonymous statistics from personal data—for example, mobile phone identifiers (i.e., media access control or “MAC” address) —for purposes such as measuring advertising audience in a given space and analyzing flow in shopping malls and other public areas. Read the press release (in French). Continue Reading CNIL Details Rules on Audience and Traffic Measuring in Publicly Accessible Areas
On October 29, 2018, the Office of the Privacy Commissioner of Canada (the “OPC”) released final guidance (“Final Guidance”) regarding how businesses may satisfy the reporting and record-keeping obligations under Canada’s new data breach reporting law. The law, effective November 1, 2018, requires organizations subject to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) to (1) report to the OPC breaches of security safeguards involving personal information “that pose a real risk of significant harm” to individuals, (2) notify affected individuals of the breach and (3) keep records of every breach of security safeguards, regardless of whether or not there is a real risk of significant harm. Continue Reading Canadian Regulator Issues Final Guidance on New Data Breach Reporting Requirements
At its October monthly meeting, the Federal Energy Regulatory Commission (the “Commission”) adopted new reliability standards addressing cybersecurity risks associated with the global supply chain for Bulk Electric System (“BES”) Cyber Systems. The new standards expand the scope of the mandatory and enforceable cybersecurity standards applicable to the electric utility sector. They will require electric utilities and transmission grid operators to develop and implement plans that include security controls for supply chain management for industrial control systems, hardware, software and services. Continue Reading FERC Adopts Supply Chain Risk Management Reliability Standards
Recently, the French Data Protection Authority (the “CNIL”) published a statistical review of personal data breaches during the first four months of the EU General Data Protection Regulation’s (“GDPR”) entry into application. View the review (in French). Continue Reading CNIL Publishes Statistical Review of Data Breaches Since Entry into Application of GDPR
On October 23, 2018, the 40th International Conference of Data Protection and Privacy Commissioners (the “Conference”) released a Declaration on Ethics and Protection in Artificial Intelligence (“the Declaration”). In it, the Conference endorsed several guiding principles as “core values” to protect human rights as the development of artificial intelligence (“AI”) continues apace. Key principles include: Continue Reading Data Protection Authorities Endorse Guidelines on AI – Fairness, Transparency and Privacy Key Principles
On October 19, 2018, European Commissioner for Justice, Consumers and Gender Equality Věra Jourová and U.S. Secretary of Commerce Wilbur Ross issued a joint statement regarding the second annual review of the EU-U.S. Privacy Shield framework, taking place in Brussels beginning October 18. The statement highlights the following: Continue Reading EU and U.S. Regulators Issue Joint Statement on the Status of the Second Annual EU-U.S. Privacy Shield Review