FCC Rules on TCPA Consent Requirements and Emergency Purpose Exception

On August 4, 2016, the Federal Communications Commission (FCC) released a declaratory ruling clarifying the scope of the Telephone Consumer Protection Act’s (TCPA) consent requirements to send robocalls and automated text messages to wireless phone numbers.  The ruling was in response to Blackboard, Inc.’s request that the FCC declare “all automated informational messages sent by an educational organization” as within the scope of the TCPA’s “emergency purpose” exception.  While the FCC granted Blackboard’s request in part, it also expanded its ruling to address automated messages provided by utilities.

Damages for Emotional Distress for Privacy Claims to Stay in the UK

On June 30, 2016, Google withdrew its appeal from the UK Supreme Court in the landmark case of Google v. Vidal-Hall after the parties reached a settlement. In the ruling on appeal, the Court of Appeal had ruled that damages for emotional distress, without any pecuniary loss, may be awarded under the Data Protection Act 1998 (the “Act”). With the appeal withdrawn, this ruling will remain valid. Therefore, companies that operate in the UK may wish to consider this ruling when conducting risk analyses and responding to litigation.

Article 29 Working Party Releases Opinion on the Revision of the ePrivacy Directive

The Article 29 Working Party (WP29) has issued an opinion on the evaluation and review of Directive 2002/58/EC (the ePrivacy Directive). In its opinion, WP29 notes the need for a thorough revision of the rules in the ePrivacy Directive to take into account the technological developments in the digital market and the recent adoption of the General Data Protection Regulation (the GDPR).

Introduction

Since 2002, the ePrivacy Directive has provided a set of security and privacy measures to be applied specifically in the context of electronic communications in the EU. These measures were laid down to “particularise and complement” the Data Protection Directive 95/46/EC.

In its opinion dated July 19, 2016, WP29 notes the need for the ePrivacy Directive to be reviewed and for a new legal instrument that is consistent across the EU, which supplements and complements the obligations of the GDPR, and which is broad enough to cover the wide range of electronic communications services that exist today.

U.S. Government Announces Framework for Responding to Critical Infrastructure Cyber Incidents

Cybersecurity

On July 26, 2016, the White House issued the United States Cyber Incident Coordination Directive (Presidential Policy Directive PPD-41, including an Annex).  The Directive sets forth the principles governing the Federal Government’s response to cyber incidents, including incidents affecting private entities that are part of U.S. critical infrastructure.  The Directive is designed to improve coordination between government agencies and to clarify inter-departmental involvement in response to a cyber incident.

NIS Directive Published: EU Member States Have Just Under Two Years to Implement

The Directive on Security of Network and Information Systems (known as the NIS Directive) was published in the Official Journal of the European Union on July 19, 2016. Member States will have until May 9, 2018 to implement this Directive into national laws and a further six months to identify “operators of essential services.”

Summary of the NIS Directive

The NIS Directive is the first comprehensive piece of EU legislation relating to the 2013 EU Cybersecurity Strategy. Its objective is to achieve a high common level of security of network and information systems across the EU through improved cybersecurity capabilities at a national level and increased EU-level cooperation. It also requires “operators of essential services” and “digital service providers” to take appropriate steps to manage security risk and to report security incidents to the national competent authorities. Below, we highlight key provisions of the NIS Directive.

The Intersection of Trademark Law and Cybersecurity

Earlier this week, our colleague Sue Ross wrote on the intersection of trademark law and cybersecurity on Norton Rose Fulbright’s Brand Protection Blog. The post explains that by protecting its brand, a company can help to improve cybersecurity. For example, by seeking to recover “squatted” domain names and complaining to social networks about trademark infringement, a company can help to ensure that consumers are interacting with the intended party. As “squatted” domains and accounts are sometimes used to spread malware and collect sensitive information from emails sent to mistyped domain names, a company can help to improve cybersecurity and protect its sensitive information by vigilantly protecting its trademarks.

Read the full post, titled “Making us safer, through Brand Protection,” on the Brand Protection Blog.

Your Money or Your PHI: New Guidance on Ransomware

Cybersecurity

On June 12, 2016, the HHS Office of Civil Rights (OCR) released guidance, entitled “FACT SHEET: Ransomware and HIPAA,” in response to the rising number of ransomware attacks perpetrated against healthcare entities. The guidance addresses Health Insurance Portability and Accountability Act (HIPAA) issues that may arise when medical records containing Protected Health Information (PHI) are compromised or stolen during a ransomware attack. OCR’s view is that compliance with HIPAA’s information security requirements assists healthcare entities in preventing and recovering from ransomware attacks.

Privacy Shield Update: EU Member States Approve Amended Framework

Europe Data protection and privacy blog

On July 8, 2016, European Member States approved the proposed EU-US Privacy Shield framework, with four Member States – Austria, Bulgaria, Croatia, and Slovenia – reportedly abstaining. Before the framework can be implemented, formal approval by the European Commission is required. Although the European Commission has yet to formally release a copy of the revised text, an alleged leaked copy is circulating online.

As we have covered, Privacy Shield is the successor agreement to the US-EU Safe Harbor Framework, which the European Court of Justice invalidated in October 2015. The Privacy Shield is intended to provide companies with a legal basis permitting the transfer of personal data from the EU to the US as an alternative to other mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules.

Our Take

Approval by the EU Member States is a significant step toward formal adoption of the Privacy Shield and brings another functional cross-border data transfer mechanism closer to reality. Having a viable mechanism in place is of great importance, as other transfer mechanisms have been challenged.

We will update the Data Protection Report with further Privacy Shield developments.

Anna Rudawski, an Associate in the New York office, contributed to this post.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.


Brexit: The Continued Application of the GDPR

Europe Data protection and privacy blog

On Friday, June 24, the UK electorate voted through a referendum to leave the European Union by a 52% majority. The mechanics of leaving the European Union will be complex, given that the referendum question did not spell out what relationship the UK would have with the EU once it has left, and there is widespread disagreement within the UK government around how and when the United Kingdom’s separation from the European Union should be implemented. One question is what effect Brexit will have on the continued application of the EU General Data Protection Regulation (GDPR) in the UK.

Privacy Shield Framework Sees Changes, EU Vote Expected in July 2016

Europe Data protection and privacy blog

The United States and the European Union reportedly have agreed on changes to the EU-US Privacy Shield. A revised agreement has been sent to EU Member States, and a vote is expected to be held early next month, in July 2016. If approved by the EU Member States, companies will be able to subscribe to the Privacy Shield shortly thereafter.

Although the revised agreement is not yet available publicly, the Wall Street Journal reports that the European Commission has addressed the Article 29 Working Party’s concerns regarding the first draft. Fortune reports that the revised agreement clarifies US “mass surveillance powers, the role of the ‘ombudsperson’ who will adjudicate complaints from EU citizens about their data being abused, and the transfer of EU citizens’ data to other companies.”

Our Take

The agreement is a positive step in bringing the Privacy Shield closer to reality. There is a need for a functional, workable cross-border data transfer mechanism that will have broad support on both sides of the Atlantic. This need is even greater now that the Irish data protection authority has referred a question on the validity of Standard Contractual Clauses to the Court of Justice of the European Union.

We will update the Data Protection Report when the revised draft is published.
