Privacy & Information Security Law Blog

On January 16, 2017, the Article 29 Working Party (“Working Party”) published further information about its Action Plan for 2017, which sets forth the Working Party’s priorities and objectives in the context of implementation of the EU General Data Protection Regulation (“GDPR”) for the year ahead. The Action Plan closely follows earlier GDPR guidance relating to Data Portability, the appointment of Data Protection Officers and the concept of the Lead Supervisory Authority, which were published together by the Working Party on December 13, 2016.

On January 9, 2017, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act, which would amend the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers. Although ECPA currently requires law enforcement agencies to obtain a warrant to search the contents of electronic communications held by service providers that are less than 180 days old, communications that are more than 180 days old can be obtained with a subpoena.

On January 10, 2017, the National Institute of Standards and Technology (“NIST”) released proposed updates to the Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”). The proposed updates, which are found in Version 1.1 of the Cybersecurity Framework, are derived from feedback received by NIST regarding the first version, including from responses to a December 2015 request for information and discussions at a workshop held in April 2016.

Last month, the Standing Committee of the National People’s Congress of China published a full draft of the E-commerce Law (the “Draft”) and is giving the general public an opportunity to comment on the draft through January 26, 2017.

Last month, the Federal Energy Regulatory Commission (“FERC”) published its final Regulations Implementing FAST Act Section 61003-Critical Electric Infrastructure Security and Amending Critical Energy Infrastructure Information (the “CEII Regulations”). The CEII Regulations, which differ little from the notice of proposed rulemaking that FERC issued in June 2016, were approved unanimously on November 17, 2016, by FERC’s three sitting Commissioners (recent retirements have left the two other FERC seats vacant).

On January 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Presence Health stemming from the entity’s failure to notify affected individuals, the media and OCR within 60 days of discovering a breach. This marks the first OCR settlement of 2017 and the first enforcement action relating to untimely breach reporting by a HIPAA covered entity.

On January 10, 2017, the European Commission published a communication addressed to the European Parliament and European Council on Exchanging and Protecting Personal Data in a Globalized World (the “Communication”). The Communication aims to facilitate commercial data flows and foster law enforcement cooperation. In the Communication, the European Commission states that it will:

On January 11, 2017, the Swiss Federal Data Protection and Information Commissioner announced that it has reached an agreement with the U.S. Department of Commerce on a new Swiss-U.S. Privacy Shield framework (the “Swiss Privacy Shield”), which will allow companies to legally transfer Swiss personal data to the U.S. The Swiss Privacy Shield will replace the U.S.-Swiss Safe Harbor framework, and according to the Swiss government’s announcement, will “apply the same conditions as the European Union, which set up a comparable system with the U.S. last summer,” referring ...

On January 10, 2017, the European Commission announced the final elements of its long-awaited “digital single market” strategy for Europe. The announcement includes two new proposed EU regulations as well as a European Commission Communication, as described below.

On January 3, 2017, Bloomberg Law: Privacy and Data Security reported that Chilean legislators are soon expected to consider a new data protection law (the “Bill”) which would impose new privacy compliance standards and certain enforcement provisions on companies doing business in Chile.