HHS Office for Civil Rights Issues Updated HIPAA and Research Guidance in Response to 21st Century Cures Act Mandate

Last month, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two helpful new HIPAA guidance documents regarding research uses and disclosures of PHI, fulfilling a mandate in the 21st Century Cures Act (Public Law 114-255) (the “Act”). Although the documents merely reaffirm prior guidance in many places, they also contain helpful new information and collect prior guidance that had been spread across numerous places into a single location. The first document focuses on research authorizations and revocations.

A Week Later, Early Predictions about Meltdown and Spectre Largely Hold True

The two attacks affect nearly 90 percent of the world’s computers.

Recent reports suggest that computers – personal, business, and cellular alike – are susceptible to two newly discovered major security flaws. These flaws, colloquially known as “Meltdown” and “Spectre,” could open the door for hackers to access the contents of almost any computer.

Meltdown could give hackers the ability to become squatters on cloud-based services and, more importantly, give them access to other consumers’ information, including passwords. In cloud-based services, where consumers generally share servers, there are protocols in place to protect each customer’s information from being accessible to the others. Meltdown provides a way for hackers to circumvent those protocols, read sensitive data, or gain access to other applications running on a shared server.

How to Find Official Guidance on the EU General Data Protection Regulation (GDPR)

Happy New Year!  With 2018 off to a rapid start, companies now have fewer than five months to become GDPR-compliant.

Although the basic principles and obligations enshrined in the GDPR are not new, the GDPR contains a complex, interlinked series of requirements whose practical application to real-world situations is often very unclear. The Article 29 Working Party, a body consisting of EU national data protection authorities, has issued several important opinions and guidelines intended to help data controllers and processors interpret the new rules. These guidelines, while not legally binding, are influential and are likely to be given considerable weight by reviewing courts.

France’s Law to Accompany the GDPR and EU Directive Published

On December 13, 2017, the French Ministry of Justice published a draft law to accompany the implementation within France of the General Data Protection Regulation 2016/679 (GDPR) and Directive 2016/680, which governs the handling of data in law enforcement situations.

The following are some of the notable changes brought by the draft law with respect to the GDPR.

(Temporarily) Unclear and Not User-friendly

It is presented as an amendment to the existing French Data Protection Act (DPA, known as Loi Informatique & Libertés), and the press release indicates that “the government has made the choice to keep the existing structure.”

Blockchain and GDPR – Many Open Questions to be Addressed and Solved!

Blockchain involves various computers located in different states around the world, so that the jurisdictions and applicable laws are uncertain and presumably not known to the parties using the blockchain technology.

In principle, a blockchain is a distributed ledger, which can be defined as a replicated, shared, and synchronized digital data structure maintained by a consensus algorithm and spread across multiple locations, countries, and/or institutions. In a blockchain, digitally recorded data are stored in packages called blocks, which are linked together in chronological order. It is technically very difficult to change the order of such blocks without changing the order of all subsequent blocks. Each block on the network contains a complete copy of the entire ledger, from the first block created to the most recent block, and each block contains a hash pointer as a link to the previous block, a timestamp, and transaction data.

WP29 Publishes Draft Guidelines on Consent

On 12 December 2017, the Article 29 Working Party (WP29) published its long-awaited draft guidelines on consent under the GDPR. The guidelines build on WP29’s ‘Opinion on the definition of consent’, adopted in July 2011. As with the draft guidance on transparency, published the same day, WP29 invites comments to be submitted by 23 January 2018.

The guidelines state that, generally, in order to use consent as an appropriate lawful basis, the data subject should be offered control and genuine choice when it comes to accepting or declining the terms of processing. The guidelines are broken down into various sections. These sections analyse the different parts of the wording of Article 4(11) of the GDPR, which defines consent, and look into whether controllers need to amend their consent forms in order to comply with the GDPR.