Last month, the Department of Health and Human Services Office for Civil Rights (“OCR”) issued two helpful new HIPAA guidance documents regarding research uses and disclosures of PHI, fulfilling a mandate in the 21st Century Cures Act (Public Law 114-255) (the “Act”). Although the documents merely reaffirm prior guidance in many places, they also contain helpful new information and collect prior guidance that was spread across numerous places into a single location. The first document focuses on research authorizations and revocations.
In her second installment of “Cybersecurity Law” for CSO, Tara Swaminatha considers the most noteworthy cybersecurity and data privacy-related cases and pieces of legislation in the year ahead.
The two attacks affect nearly 90 percent of the world’s computers.
Recent reports suggest that computers – personal, business, and cellular alike – are susceptible to two newly discovered major security flaws. These flaws, colloquially known as “Meltdown” and “Spectre,” could open the door for hackers to access the contents of almost any computer.
Meltdown could provide hackers the ability to become squatters on cloud-based services, but more importantly provide them access to other consumers’ information, including passwords. In cloud-based services where consumers generally share servers, there are protocols in place to protect each customer’s information from being accessible to the others. Meltdown provides a way for hackers to circumvent those protocols, read sensitive data or gain access to other applications running on a shared server.
Happy New Year! With 2018 off to a rapid start, companies now have fewer than five months to become GDPR-compliant.
Although the basic principles and obligations enshrined in the GDPR are not new, the GDPR contains a complex, interlinked series of requirements whose practical application to real world situations is often very unclear. The Article 29 Working Party, a body consisting of EU national data protection authorities, has issued several important opinions and guidelines intended to help data controllers and processors interpret the new rules. These guidelines, while not legally binding, are influential and are likely to be given considerable weight by reviewing courts.
On 15 November 2017 the CNIL created a special page on its website with a view to highlighting its 2013 guidelines on the processing of payment card data for online transactions (the 2013 guidelines were modified in July 2017).
On December 13, 2017 the French Ministry of Justice published a draft law to accompany the implementation within France of the General Data Protection Regulation 2016/679 (GDPR) and the Directive 2016/680, governing the handling of data in law enforcement situations.
The following are some of the noticeable changes brought by the draft law with respect to the GDPR.
(Temporarily) Unclear and Not User-friendly
It is presented as an amendment to the existing French Data Protection Act (DPA, known as Loi Informatique & Libertés) and the press release indicates that “the government has made the choice to keep the existing structure.”
The latest data privacy Alert from the Squire Patton Boggs’ Data Protection & Cybersecurity team covers news from the week of 11 December 2017.
Blockchain involves various computers located in different states around the world, so that the jurisdictions and applicable laws are questionable and presumably not known to the parties using the blockchain technology.
In principle a blockchain is a distributed ledger, which can be defined as a replicated, shared, and synchronized digital data structure maintained by a consensus algorithm and spread across multiple locations, countries, and/or institutions. In the blockchain, digitally recorded data are stored in packages called blocks, which are linked together in chronological order. It is technically very difficult to change the order of such blocks without changing the order of all subsequent blocks. Each block on the network contains a complete copy of the entire ledger, from the first block created to the most recent block, and each block contains a hash pointer as a link to the previous block, a timestamp and transaction data.
On 12 December 2017, Article 29 Working Party (WP29) published its draft guidelines on transparency under the GDPR. As with the draft guidance on consent, published on the same day, WP29 invites comments to be submitted by 23 January 2018.
On 12 December 2017, Article 29 Working Party (WP29) published its long-awaited draft guidelines on consent under the GDPR. The guidelines build on WP29’s ‘Opinion on the definition of consent’, adopted in July 2011. As with the draft guidance on transparency, published the same day, WP29 invites comments to be submitted by 23 January 2018.
The guidelines state that generally, in order to use consent as an appropriate lawful basis, the data subject should be offered control and genuine choice when it comes to accepting or declining the terms of processing. The guidelines are broken down into various sections. These sections analyse the different parts of the wording of Article 4(11) of the GDPR, which defines consent, and look into whether controllers need to amend their consent forms in order to comply with the GDPR.