April 2015

The U.S. National Labor Relations Board (NLRB) recently filed complaints against the United States Postal Service (USPS), alleging that the USPS violated the National Labor Relations Act (NLRA) by failing to collectively bargain with its employees’ union regarding the postal service’s response to a 2014 data breach that reportedly affected over 800,000 current and former postal employees. Specifically, in one of its complaints, the NLRB alleged that the postal service’s unilateral decision to provide credit monitoring and fraud insurance to affected employees without engaging in collective bargaining with the union on these issues violated Sections 8(a)(1) and (5) of the NLRA. These provisions of the NLRA mandate collective bargaining for any issue that relates to the “wages, hours, and other terms and conditions of employment.”

The National Association of Insurance Commissioners (“NAIC”), a standards-setting organization comprised of insurance regulators from across all U.S. jurisdictions, has recently adopted twelve Principles for Effective Cybersecurity Insurance Regulatory Guidance (the “Principles”). The Principles arrive in the wake of the prominent Anthem data breach, highlighting the importance of protecting sensitive personal data in the insurance sector. Addressing this challenge, the NAIC established the Principles to provide state insurance regulators and industry participants guidance regarding the protection of sensitive personal, financial, and healthcare data. The Principles broadly lay out the practices, guidelines, and measures that both regulators and the industry should take to protect personal information.

This is Part 5 — the final part — of a five-part series on the “One Stop Shop” mechanism in the proposed new European data protection regulation. In Part 1 we examined why there is a need for a One Stop Shop, and what it is. In Part 2 we examined the concept of main establishment and the position of entities without an EU establishment. In Part 3 we considered the competency of supervisory authorities (SAs), the cooperation obligations in relation to SAs and the functions of the European Data Protection Board (EDPB). In Part 4 we discussed the consistency mechanism applicable to supervisory authorities. In this Part we look at the application of sanctions by the lead SA across the EU, disagreements between SAs, complaints and litigation for affected data subjects, the application of foreign laws by the lead SA, and matters of language and culture.

Application of sanctions by lead SA across the EU

A Council debate note of 26 May 2014 flagged that at least one EU Member State had raised constitutional problems regarding the legal effect of applying measures decided by the lead SA in other EU Member States.

The Italian Presidency of the Council has addressed these concerns by clarifying that the lead SA would be competent in applying its supervisory powers, deciding on the case and directing the decision, on its own territory, to the main establishment of the controller or processor. It would then be for the data controller or data processor to implement the decision as regards all its establishments in the EU.

It appears that Congress and the Administration are finally prepared to collaborate on addressing cybersecurity threats facing the nation. The Administration is moving forward on its cyber threat initiative, and a recent New York Times article suggested that Congress is