Privacy & Information Security Law Blog

On January 24, 2017, the UK Supreme Court handed down its judgment in the case of R (on the application of Miller and another) (Respondents) v. Secretary of State for Exiting the European Union (Appellant) [2017] UKSC 5. The case concerned the process to be followed to effect the UK’s withdrawal from the European Union and, in particular, whether the UK government may commence the UK’s withdrawal using executive powers, or whether Parliamentary approval is required. The Supreme Court held, by majority, that the UK government cannot commence the UK’s withdrawal from the EU without the approval of Parliament.

On January 18, 2017, the Department of Homeland Security (“DHS”) issued an updated National Cyber Incident Response Plan (the “Plan”) as directed by Obama’s Presidential Policy Directive 41, issued this past summer, and the National Cybersecurity Protection Act of 2014.

On January 16, 2017, the Article 29 Working Party (“Working Party”) published further information about its Action Plan for 2017, which sets forth the Working Party’s priorities and objectives in the context of implementation of the EU General Data Protection Regulation (“GDPR”) for the year ahead. The Action Plan closely follows earlier GDPR guidance relating to Data Portability, the appointment of Data Protection Officers and the concept of the Lead Supervisory Authority, which were published together by the Working Party on December 13, 2016.

On January 9, 2017, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act, which would amend the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers. Although ECPA currently requires law enforcement agencies to obtain a warrant to search the contents of electronic communications held by service providers that are less than 180 days old, communications that are more than 180 days old can be obtained with a subpoena.

On January 10, 2017, the National Institute of Standards and Technology (“NIST”) released proposed updates to the Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”). The proposed updates, which are found in Version 1.1 of the Cybersecurity Framework, are derived from feedback received by NIST regarding the first version, including from responses to a December 2015 request for information and discussions at a workshop held in April 2016.

Last month, the Standing Committee of the National People’s Congress of China published a full draft of the E-commerce Law (the “Draft”) and is giving the general public an opportunity to comment on the draft through January 26, 2017.

Last month, the Federal Energy Regulatory Commission (“FERC”) published its final Regulations Implementing FAST Act Section 61003-Critical Electric Infrastructure Security and Amending Critical Energy Infrastructure Information (the “CEII Regulations”). The CEII Regulations, which differ little from the notice of proposed rulemaking that FERC issued in June 2016, were approved unanimously on November 17, 2016, by FERC’s three sitting Commissioners (recent retirements have left the two other FERC seats vacant).

On January 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Presence Health stemming from the entity’s failure to notify affected individuals, the media and OCR within 60 days of discovering a breach. This marks the first OCR settlement of 2017 and the first enforcement action relating to untimely breach reporting by a HIPAA covered entity.

On January 10, 2017, the European Commission published a communication addressed to the European Parliament and European Council on Exchanging and Protecting Personal Data in a Globalized World (the “Communication”). The Communication aims to facilitate commercial data flows and foster law enforcement cooperation. In the Communication, the European Commission states that it will:

On January 11, 2017, the Swiss Federal Data Protection and Information Commissioner announced that it has reached an agreement with the U.S. Department of Commerce on a new Swiss-U.S. Privacy Shield framework (the “Swiss Privacy Shield”), which will allow companies to legally transfer Swiss personal data to the U.S. The Swiss Privacy Shield will replace the U.S.-Swiss Safe Harbor framework, and according to the Swiss government’s announcement, will “apply the same conditions as the European Union, which set up a comparable system with the U.S. last summer,” referring ...