NIS Directive Published: EU Member States Have Just Under Two Years to Implement

Norton Rose Fulbright - eDiscovery

The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.”

Summary of the NIS Directive

The NIS Directive is the first comprehensive piece of EU legislation relating to the 2013 EU Cybersecurity Strategy. Its objective is to achieve a high common level of security of network and information systems across the EU through improved cybersecurity capabilities at a national level and increased EU-level cooperation. It also requires “operators of essential services” and “digital service providers” to take appropriate steps to manage security risk and to report security incidents to the national competent authorities. Below, we highlight key provisions of the NIS Directive.

Continue reading

The Intersection of Trademark Law and Cybersecurity

Mobile phones - Data protection blog

Earlier this week, our colleague Sue Ross wrote on the intersection of trademark law and cybersecurity on Norton Rose Fulbright’s Brand Protection Blog. The post explains that by protecting its brand, a company can help to improve cybersecurity. For example, by seeking to recover “squatted” domain names and complaining to social networks about trademark infringement, a company can help to ensure that consumers are interacting with the intended party. As “squatted” domains and accounts are sometimes used to spread malware and collect sensitive information from emails sent to mistyped domain names, a company can help to improve cybersecurity and protect its sensitive information by vigilantly protecting its trademarks.

Read the full post, titled “Making us safer, through Brand Protection,” on the Brand Protection Blog.

Your Money or Your PHI: New Guidance on Ransomware


On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised or stolen during a ransomware attack. OCR’s view is that compliance with HIPAA’s information security requirements assists healthcare entities in preventing and recovering from ransomware attacks.

Continue reading

Privacy Shield Update: EU Member States Approve Amended Framework

Europe Data protection and privacy blog

On July 8, 2016, European Member States approved the proposed EU-US Privacy Shield framework, with four Member States – Austria, Bulgaria, Croatia, and Slovenia – reportedly abstaining. Before the framework can be implemented, formal approval by the European Commission is required. Although the European Commission has yet to formally release a copy of the revised text, an alleged leaked copy is circulating online.

As we have covered, Privacy Shield is the successor agreement to the US-EU Safe Harbor Framework, which the European Court of Justice invalidated in October 2015. The Privacy Shield is intended to provide companies with a legal basis permitting the transfer of personal data from the EU to the US as an alternative to other mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules.

Our Take

Approval by the EU Member States is a significant step toward formal adoption of the Privacy Shield and brings another functional cross-border data transfer mechanism closer to reality. Having a viable mechanism in place is of great importance, as other transfer mechanisms have been challenged.

We will update the Data Protection Report with further Privacy Shield developments.

Anna Rudawski, an Associate in the New York office, contributed to this post.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.

Brexit: The Continued Application of the GDPR

Europe Data protection and privacy blog

On Friday, June 24, the UK electorate voted through a referendum to leave the European Union by a 52% majority. The mechanics of leaving the European Union will be complex, given that the referendum question did not spell out what relationship the UK would have with the EU once it has left, and there is widespread disagreement within the UK government around how and when the United Kingdom’s separation from the European Union should be implemented. One question is what effect Brexit will have on the continued application of the EU General Data Protection Regulation (GDPR) in the UK.

Continue reading

Privacy Shield Framework Sees Changes, EU Vote Expected in July 2016

Europe Data protection and privacy blog

The United States and the European Union reportedly have agreed on changes to the EU-US Privacy Shield. A revised agreement has been sent to EU Member States, and a vote is expected to be held early next month, in early July 2016. If approved by the EU Member States, companies will be able to subscribe to the Privacy Shield shortly thereafter.

Although the revised agreement is not yet available publicly, the Wall Street Journal reports that the European Commission has addressed the Article 29 Working Party’s concerns regarding the first draft. Fortune reports that the revised agreement clarifies US “mass surveillance powers, the role of the ‘ombudsperson’ who will adjudicate complaints from EU citizens about their data being abused, and the transfer of EU citizens’ data to other companies.”

Our Take

The agreement is a positive step in bringing the Privacy Shield closer to reality. There is a need for a functional, workable cross-border data transfer mechanism that will have broad support on both sides of the Atlantic. This need is even greater now that the Irish data protection authority has referred a question on the validity of Standard Contractual Clauses to the Court of Justice of the European Union

We will update the Data Protection Report when the revised draft is published.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.

Final CISA Guidance for Cybersecurity Information Sharing Published

Norton Rose Fulbright - eDiscovery

On June 15, 2016, the U.S. Department of Homeland Security (“DHS”) and Department of Justice issued Final Procedures Related to the Receipt of Cyber Threat Indicators and Defensive Measures by the Federal Government (“Final Procedures”) that provide information on how DHS will implement the Cybersecurity Information Sharing Act of 2015 (“CISA”). The Final Procedures were accompanied by Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities Under the Cybersecurity Information Sharing Act of 2015 (“Guidance”).  These documents represent finalized versions of interim guidance and procedures which, as we have previously reported, were issued in February.

Continue reading

UAE Employees Jailed for Privacy Breach Before Ultimately Being Acquitted

Norton Rose Fulbright - Data Protection

A recently-reported court case in the United Arab Emirates has highlighted the importance of establishing and implementing good privacy practices, even in the absence of specific data protection legislation.

In late 2014, the UAE public prosecutor charged three officials from a federal authority – the general director, a branch manager and an IT manager – with violating privacy laws and breaching public security by placing CCTV cameras in a female customer service centre. The men argued that they had installed the cameras for security purposes and that the female employees were aware of the cameras. The men were initially held in custody, but an Appeals Court judge ordered that they be released after the men spent more than two months in prison prior to the first court hearing.

In March 2015, the Misdemeanour Court of First Instance cleared the defendants of the public security violation but found them guilty of breaching the privacy of their female colleagues. The three men were each sentenced to six-month suspended jail sentences, and one of the defendants was sentenced to be deported.

The defendants appealed and were subsequently found not guilty by the Appeals Court.

The public prosecutor appealed their acquittal to the Court of Cassation on the basis that the verdict contradicted Article 21 of the UAE Cyber Crimes Law. The relevant article provides that any person who uses a computer network, electronic information system or any other IT means for the invasion of privacy of another person is guilty of a crime punishable by a fine and imprisonment unless the act is permitted by law. The Cyber Crimes Law also states that privacy can be invaded by the capture of audio visual recordings or photographs.

Upon further appeal, the Court of Cassation determined in November 2015 that there were “vague and contradictory elements” in the Appeal Court’s verdict and that it did not clarify the basis on which the defendants were acquitted. It referred the case back to the Appeals Court.

A second Court of Appeal decision again found the three defendants guilty of the privacy charge and upheld the first instance ruling. This verdict was also appealed.

A final ruling by the Court of Cassation cleared the men of all charges. The Court ruled that they were not guilty of breaching female employees’ privacy by setting the cameras at the federal authority’s women’s branch. It was sympathetic to the claims of the defendants, who had argued that the cameras had been introduced for lawful purposes and that the security reasons for installing the cameras overrode any privacy issues.

Our Take

While the case ultimately established the innocence of the defendants, it highlights the risk of employees in the UAE committing potentially criminal offences by engaging in certain data processing activities. The Cyber Crimes Law, Penal Code and other legislation in the UAE contains offences based on the violation of personal privacy. All businesses operating in the country should be aware of the serious consequences of breaching privacy rights and adopt suitable processes to mitigate the risk of criminal actions.

Hamburg DPA’s Safe Harbor Fines Spell Further Uncertainty and Risk for Global Companies

Norton Rose Fulbright - Global Technology

On June 6, 2016, Johannes Caspar – the Hamburg Commissioner for Data Protection – announced that the Hamburg Data Protection Authority (“DPA”) fined three companies for relying on the invalidated Safe Harbor framework to transfer data from the European Union to the companies’ operations in the United States. The DPA imposed the fines on Adobe, Punica and Unilever, in the amounts of 8,000, 9,000 and 11,000 Euro, respectively.

Since the invalidation of the Safe Harbor framework by the Court of Justice of the European Union (“CJEU”) in October 2015, German DPAs have taken an active role in questioning cross-border data transfer mechanisms, including the validity of the Standard Contractual Clauses and the Binding Corporate Rules, neither of which the CJEU addressed in the Safe Harbor Schrems decision. As part of this effort, the Hamburg DPA made inquiries of 38 global companies that had previously relied on the Safe Harbor framework and have operations in Hamburg to determine whether the companies had updated their cross-border data transfer practices to reflect the invalidation of Safe Harbor. This inquiry has, in turn, resulted in the enforcement action against the three companies.

Continue reading

Irish Data Protection Commissioner to Request Court Declaration as to Validity of Personal Data Transfers to the US Under EU Model Clauses

Europe Data protection and privacy blog

On May 25, 2016, Austrian law student Max Schrems issued a press release stating that he has been informed that the Irish Data Protection Commissioner (DPC) is planning to refer a question to the Court of Justice of the European Union (CJEU) as to whether the EU model clauses remain a valid data transfer mechanism to the US, given the issues raised by the CJEU in its Schrems v. Facebook ruling last October, on mass surveillance of communication by US intelligence agencies and the lack of legal redress where this is disproportionate for EU data subjects. Such a referral would require the DPC to seek a declaratory judgement in the Irish High Court, which would in turn request a ruling from the CJEU.

We do not know the exact terms of the question that is being referred at this stage.

Our Take

As unwelcome as this latest challenge is for organisations whose operations rely on personal data flows to the US, there is a certain inevitability about it following the Article 29 Working Party’s negative reaction to the  EU/US Privacy Shield, the proposed replacement to the US/EU Safe Harbor Agreement, which was invalidated by the Schrems ruling. The referral will put further pressure on the EU/US negotiators to find an acceptable political solution that meets the CJEU requirements in the first Schrems decision. The referral also could provide an opportunity for the CJEU to specify less demanding criteria that the US surveillance practices and redress mechanisms must meet.

The CJEU ruling, if and when it comes, could have many nuances and is by no means certain to conclude that EU model clauses are invalid for all types of data transfers. In the meantime, use of the EU model clauses (together with compliance with local prior authorisation and data subject notice requirements) will remain a valid export method to the US and other non-EEA countries which have not been deemed to have adequate data protection regimes. They also remain the least onerous export route if other derogations (e.g., the data subject has consented or the transfer is necessary for the performance of a contract) are not available.

We will be tracking this challenge and the results of the Article 31 Committee vote on whether the Commission will adopt the EU/US Privacy Shield as presented by the Commission or as amended as a result of the current EU/US discussions. This committee, made up of EU Member State representatives, must approve the EU/US Privacy Shield before the Commission can adopt it. It is scheduled to meet on June 6th and 20th and a vote could be taken at either of these meetings or not taken at all.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.