The French data protection authority (CNIL) has published its annual investigation program for 2018, the first since the GDPR came into force on May 25, 2018. The program indicates that the CNIL intends to conduct over 300 investigations (onsite, online, or by request for documentation or formal hearing) and will focus on the areas noted below.
Recently, Anne Harrington, Jennifer Tharp and Elliot Golding contributed an article to our Triage Health Law blog. The article looks at the two new fact sheets released by the Substance Abuse and Mental Health Services Administration that provide guidance on the confidentiality of substance use disorder patient records (42 CFR Part 2). The first fact sheet helps providers understand how to properly disclose information if they qualify as a Part 2 Program, and the second sheet focuses on the electronic exchange of healthcare records with a Part 2 Program.
Regulators across Europe have recorded a sharp increase in the number of data-related complaints and data breach notifications since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. The GDPR has radically reshaped how businesses can collect, use and store personal information. As a result of the new and expanded rights for people to know how their data is being used, and to decide whether it is shared or deleted, regulators are being overwhelmed with complaints; and because notifying the supervisory authority of a personal data breach is now mandatory, businesses are increasingly finding themselves reporting breaches to regulators.
Personal location information held by a third party now receives heightened protection from disclosure to law enforcement
Thanks to Timothy Ivory Carpenter, Cell Site Location Information (“CSLI”) is now part of our vernacular. More importantly, in light of the Supreme Court’s June 2018 ruling in Carpenter v. United States, a company’s collection and retention of a person’s historical whereabouts (location information) now receives heightened protection from search and seizure by law enforcement.
The European Parliament plenary adopted on 5 July 2018 the LIBE Committee’s Motion for Resolution on the EU-US Privacy Shield (‘Privacy Shield’), indicating Parliament’s general position on how the framework is functioning. The non-binding resolution calls for the suspension of the Privacy Shield unless the US demonstrates compliance with its requirements by 1 September 2018. As noted in our previous post, the European Parliament considers that the personal data protection provided by the Privacy Shield is not adequate.
California’s newly enacted Consumer Privacy Act of 2018 is the strictest of the US’s patchwork of privacy-related regulations. The Act will impact any legal entity that (i) does business in California, (ii) is operated for the profit or financial benefit of its owners, (iii) collects consumers’ personal information and determines the purposes and means of processing that information, and (iv) satisfies at least one of the following three conditions:
- Has an annual gross revenue of over $25 million
- Alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices, or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
The Office for Civil Rights is serious about the security of health information. How serious? A cancer center was recently fined $4.3 million for failing to adequately encrypt its devices. Our partners Tom Zeno and Elliot Golding review and discuss the decision in a post on our sister blog, Triage Health Law.
On 12 June 2018, the Civil Liberties, Justice and Home Affairs Committee (the ‘Committee’) of the European Parliament passed a Resolution, with a vote of 29 votes in favour, 25 opposed and 3 abstentions, calling on the European Commission to suspend the EU-US Privacy Shield arrangement (‘Privacy Shield’).
The Resolution calls for the international data transfer framework to be suspended unless the US demonstrates compliance by 1 September 2018, since it ‘fails to provide enough data protection for EU citizens’.
In an article posted in Law360 Expert Analysis on May 22, 2018, Squire Patton Boggs partner Elliot Golding describes how the rise of health care smart devices and tracking apps has intensified the focus on data privacy and cybersecurity within the health care industry. In response, new and proposed government and regulatory initiatives are underway.
Additional insights and analysis, including details on regulatory and government action, privacy and security, and related issues such as vendor management, planning and training, may be found here.
One of the new obligations introduced by the General Data Protection Regulation (GDPR) is to prepare a data protection impact assessment (DPIA) for certain types of processing operations, namely those likely to result in a high risk to the rights and freedoms of individuals. Put simply, a DPIA is a process for building and demonstrating compliance with the GDPR, complementing its new focus on accountability, privacy by design and a far more risk-based approach.