September 2015

This morning (September 23, 2015), EU Advocate General (“AG”) Bot issued an Opinion in Case C-362/14 Maximilian Schrems v Data Protection Commissioner (see our earlier post on the hearing here).  The AG Opinion has gone further than expected, covering not just the power of national data protection authorities in relation to complaints under the

By Lindsey Tonsager and Megan Rodgers

The FTC held its “Start with Security” conference in San Francisco, California, last week, launching an initiative to provide companies with practical resources for implementing effective data security strategies.

The event was targeted at tech start-ups and small- and medium-sized businesses, but the panelists included representatives from companies with mature and well-resourced data security programs.

The panelists agreed that achieving greater data security is cheaper and easier to accomplish when it is considered early in the secure app development lifecycle. At the same time, panelists also acknowledged that companies face a myriad of potential security risks that must be balanced and prioritized, and that it may be more difficult for larger companies with complicated systems to adapt their practices to address evolving security risks.

Below are some practical tips the panelists provided for building a culture of “security by design”:
Continue Reading Start With Security: Key Takeaways from the FTC’s Data Security Conference

In one of the first decisions evaluating Telephone Consumer Protection Act (TCPA) claims under the FCC’s recent omnibus TCPA order, the Northern District of California dismissed a putative class action lawsuit alleging that AOL violated the TCPA when users of its Instant Messenger service (AIM) sent text messages to incorrect recipients.  After the court dismissed

The UK government has announced a new national service providing expert cybersecurity advice to entities within the National Health Service (NHS) and the UK’s broader healthcare system.  The project, called CareCERT (Care Computing Emergency Response Team), is aiming for a full go-live in January 2016. 
Continue Reading UK Government Launches Cybersecurity Service For Healthcare Organizations

On September 8, 2015, sixteen federal agencies published a long-awaited Notice of Proposed Rulemaking (NPRM) to modernize the Federal Policy for the Protection of Human Subjects, known as the “Common Rule.” The proposal, available here, includes a number of changes related to privacy and data security and other changes relevant to entities seeking to conduct secondary research using collected data.
Continue Reading Proposed Rule Would Amend Federal “Common Rule” Requirements

In May 2015, reports about the German government’s plans to establish federal German cloud infrastructure (the “Bundes-Cloud”) raised concerns about the possible introduction of data localization requirements (preventing the storage and processing of data outside Germany).  The criteria for the use of cloud services by Germany’s federal administration, which have recently been published, now give shape to these concerns.
Continue Reading Data Localization Requirements Through the Backdoor? Germany’s “Federal Cloud”, and New Criteria For the Use of Cloud Services by the German Federal Administration

Whilst the discussions on the proposed Network and Information Security (NIS) Directive at European level are still ongoing (see Update on the Cybersecurity Directive − over to Luxembourg?, InsidePrivacy, June 12, 2015), less has been said about Germany's new national Act to Increase the Security of Information Technology Systems (the “IT Security Law”).  The IT Security Law was published in the Federal Official Gazette on July 24, 2015 (see here) and entered into force the following day.
Continue Reading What You Need to Know About Germany’s Cybersecurity Law

By Jean de Ruyt

According to the European Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, the EU and the US have finalized the EU-US Umbrella Agreement (for the press release, see here; a reportedly near-final draft of the agreement can be read here). This is a remarkable breakthrough after the first calls for such an agreement back in March 2009, when the European Parliament called for an “EU – US agreement ensuring adequate protection of civil liberties and personal data protection”.

Continue Reading EU – US Umbrella Agreement about to be concluded: towards a transatlantic approach to data protection?

By Megan L. Rodgers

What information is being collected by mobile apps and websites directed at kids? With whom is that information shared? What notice is provided to parents? Regulators in the U.S. and abroad continue to focus on these issues.

The FTC recently released a follow-up report on privacy notices in mobile apps directed at kids. The report follows two FTC kids’ app surveys released in February 2012 and December 2012, and a campaign by the FTC to bring all apps in compliance with the revised COPPA Rule by July 1, 2013.

How did mobile apps directed at children fare? The results were mixed. The FTC looked at hundreds of mobile apps and noted that there has been “a step in the right direction” since their last survey, but the FTC was careful to point out that “there’s more work to be done.” In December 2012, only 20% of apps had a link to a privacy policy available to parents before downloading the app; today, the number of apps with direct links to a privacy policy is 45%. Although this is an improvement, the FTC said that for many kids’ apps, parents still do not have an easy way to learn about data collection and usage practices.
Continue Reading Regulators in the U.S. and U.K. Monitoring Mobile Apps and Websites Directed at Children