On September 4, 2020, the European Data Protection Board (EDPB) announced that it had created two task forces following the Schrems II decision. The first task force will prepare recommendations to support controllers and processors regarding their duties in “identifying and implementing” appropriate measures to meet the required standard when transferring data to third countries. The EDPB noted that there will be no quick-fix solution, and that each organization will be required to evaluate its own data processing operations and transfers. Continue Reading EDPB Establishes and Appoints Task Forces to Prepare Recommendations and Review Complaints Following the Schrems II Decision
On September 7, 2020, the European Data Protection Board (EDPB) issued draft guidelines clarifying the concepts of “controller,” “joint controller,” “processor” and “third party” under the General Data Protection Regulation (GDPR). These concepts are important under the GDPR, as they determine which party is responsible for compliance with particular GDPR provisions and how data subjects can exercise their rights. The guidelines, when finalized, will replace the previous Article 29 Working Party Opinion issued in 2010. The concepts of “controller” and “processor” have not changed since the Article 29 Working Party Opinion, but the Court of Justice of the European Union’s (CJEU) decision and the obligations placed on these roles by the GDPR provided a need for clarification and harmonization across the European Economic Area (EEA). The guidelines provide clarity to the different roles and responsibilities, and stress the importance of a clear and consistent interpretation of the concepts across the EEA. The following is a summary of some of the significant takeaways: Continue Reading EDPB Issues Draft of GDPR Controller-Processor Guidelines
U.S. Department of Commerce and European Commission Release Joint Press Statement
On August 10, 2020, the U.S. Secretary of Commerce, Wilbur Ross, and the European Commissioner for Justice, Didier Reynders, released a Joint Press Statement (“Press Statement”) regarding the status of Privacy Shield discussions in light of the Schrems II decision. The Schrems II decision declared that the EU-U.S. Privacy Shield Framework was not a valid mechanism to transfer personal data from the European Economic Area (EEA) to the U.S., which we address in greater detail in a recent Client Alert.
The U.S. Department of Commerce and the European Commission announced that they have initiated discussions to determine the potential for “an enhanced EU-U.S. Privacy Shield” that would comply with the Schrems II decision. Both parties recognize the “vital importance of data protection and the significance of cross-border data transfer to our citizens and economies,” and reiterate a commitment to privacy and the rule of law, as well as the longstanding collaboration between the EU and the U.S. Continue Reading The Department of Commerce Continues Efforts to Address Cross-Border Data Transfers Under the GDPR After the Invalidation of the Privacy Shield
The General Data Protection Regulation (GDPR), Europe’s restrictive data protection law, permits the transfer of personal data from the European Economic Area1 (EEA) to other countries only under limited circumstances. On July 16, 2020, the Court of Justice of the European Union (CJEU or Court) issued a highly anticipated decision in a case brought by Maximillian Schrems, an Austrian privacy advocate, who challenged Facebook Ireland’s reliance on standard contractual clauses (SCCs) as a legal basis for transferring his personal data to Facebook, Inc. in the United States (U.S.). The Court’s decision has two significant results: Continue Reading European High Court Invalidates Privacy Shield, but Upholds Standard Contractual Clauses for International Data Transfers Under the GDPR
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act, imposed direct liability on business associates for certain violations of the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the “HIPAA Rules”). The resulting 2013 HHS Office for Civil Rights (OCR) final rule modified the HIPAA Rules accordingly. In May of this year, OCR posted guidance on the HHS website reiterating the parameters of business associate liability, as follows: Continue Reading OCR Guidance May Signal Increase in Enforcement Activity Against Business Associates
As regulators attempt to keep pace with the ever-changing technological landscape, legislation and agency guidance continue to evolve. Two recent developments worth noting:
- The clarification and modification of the California Consumer Privacy Act (CCPA)
- The release of the U.S. Department of Health and Human Service’s (HHS) voluntary cybersecurity practices for health care organizations
For insights into what these developments may mean for the future of consumer privacy and cybersecurity, please see our latest Client Alert.
All 50 states have enacted their own version of a data breach notification statute requiring notice to affected individuals and/or regulatory bodies in the event of data loss, unauthorized data access or data exfiltration of personally identifiable information (“PII”). Many states, however, do not require such notification when the data at issue is encrypted. But what “encryption” requirements trigger this “safe harbor” provision? Each state’s answer to this question is slightly different. Some states exclude disclosure or access of encrypted PII from the definition of “breach” requiring notice. In such states, notification is required only if the accessed or disclosed PII is unencrypted. In other states, including New York, a “breach” occurs only where there is unauthorized access of both encrypted information and the necessary encryption key. N.Y. Gen. Bus. Law § 899-aa (Westlaw through L. 2019, ch. 1 to 19) (effective Mar. 28, 2013). Unauthorized access of encrypted data alone, therefore, may not necessarily be a breach that requires notice. Continue Reading Encryption Considerations under Data Breach Notification Laws
One of the biggest risks to data security is lack of vendor (third-party) and vendor subcontractor (fourth-party) management. Companies can mitigate ever-increasing vendor data security risk through purchasing appropriate cyber insurance and implementing a vendor risk management program that includes processes for systematically conducting due diligence and contract negotiations.
If primary vendors are not properly assessed, or controls are not placed on subcontractors (i.e., “fourth parties”) that may be used to render primary vendors’ services, numerous unknown parties with varying degrees of security controls can have access to sensitive information without the companies’ knowledge. Companies can contractually address this exposure by requiring pre-approval of fourth parties, imposing security requirements that must be met by fourth parties and/or requiring security reviews of such fourth parties. Vendor and fourth-party risk can also be managed by cyber insurance policies. Continue Reading Cyber Risk: Addressing the Elephant in the Room
The New York State Department of Financial Services (“DFS”) Cybersecurity Regulation (“Regulation”) took effect on March 1, 2017, and applies to those entities operating or required to operate under New York banking, insurance and finance laws (“Covered Entities”). Covered Entities should have been in compliance with portions of the Regulation as of August 28, 2017, for which they certified compliance on February 15, 2018. Continue Reading Be Prepared for the September 3, 2018 Deadline for New York State Department of Financial Services Cybersecurity Regulation Requirements
The SEC’s recent enforcement action and settlement with Altaba (formerly known as Yahoo) over the company’s major data breach provides a suggested roadmap for how companies may want to proactively approach data breach issues. Some major takeaways are: (1) companies should have effective controls in place to assess disclosure obligations; (2) known cyberattacks should, when appropriate, be included in disclosures in public filings; and
(3) if known cyberattacks have a material impact on the business, it requires disclosure. Continue Reading SEC’s Yahoo Enforcement Action and Settlement Provides Further Direction for Companies Following the SEC’s 2018 Cybersecurity Guidance