Follow: Email

In a new post on the Covington Digital Health blog, our colleagues discuss the Department of Health and Human Services (“HHS”) announcement of enforcement discretion to “permit compliance flexibilities” for the implementation of the interoperability final rules issued on March 9th, 2020.  The final rules are intended to improve patient access to electronic health information

The Brazil Senate unanimously approved a bill today that would delay implementation of the Brazil General Law for Data Protection, or LGPD, until January 1, 2021 and enforcement of fines and penalties until August 1, 2021.  The LGPD is currently scheduled to take effect on August 15, 2020.

The draft bill — one of four pending in the Senate that propose to delay implementation of the LGPD — is broad in scope, encompassing not only the LGPD, but also statutes of limitations and sanctions for certain anti-competitive conduct.  Senator Antonio Anastasia, the sponsor of the bill, explained that the bill is intended to give businesses an opportunity to focus on other urgent matters arising from the COVID-19 pandemic.
Continue Reading Brazil Senate Approves Bill Delaying LGPD Enforcement

In a new post on the Covington Digital Health blog, our colleagues discuss two recent final rules aimed at improving patient access to electronic health information (EHI) and standardizing modes of exchange for EHI.  Among other things, the rules are intended to prevent so-called “information blocking” and to provide patients with greater control over their

Last Friday, the Department of Defense announced the release of Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”), which sets forth the cybersecurity requirements that contractors and suppliers must meet to participate in the Department’s supply chain.  A new post on Covington’s Inside Government Contracts blog discusses the release of Version 1.0 of the

Heading into the new year, California Consumer Privacy Act (“CCPA”) readiness remains top of mind for many businesses, especially as continued developments, such as the California Attorney General’s forthcoming implementing regulations, may implicate compliance efforts.  State legislation will likely move forward in 2020.  At the same time, however, companies should not lose sight of legislative proposals at the federal level, which have the potential to reshape the privacy landscape in the United States and even preempt state laws such as the CCPA.  The question of whether a federal privacy bill can pass in 2020 remains an open one.  But regardless of whether a bill will actually pass, the legislative proposals that are emerging this year likely will shape the contours of federal legislation that could move toward becoming law.

Although the issues of preemption and a private right of action dominated the federal privacy conversation last year, four legislative trends emerged in 2019 that also may become key components of a federal privacy framework:
Continue Reading Four Federal Privacy Trends to Watch in 2020

As the effective date of the California Consumer Privacy Act looms closer, companies are grappling with the significance of the law and its definitions. One defined term in particular, “sale,” has sparked heated debate between industry and consumer advocates, and even within the legal profession. While much has been said about this term, more needs

On October 22, 2019, the Federal Trade Commission reached a proposed settlement with the developer of three so-called “stalking” apps that enabled purchasers of the app to secretly monitor the mobile devices on which they were installed.  Developer Retina-X Studios, LLC and its owner James N. Johns marketed the three apps—MobileSpy, PhoneSheriff, and TeenShield—as a means to monitor children and employees by sharing detailed information about these individuals’ smart phone activities, including their text messages and GPS locations.  The FTC complaint alleges that the developer failed to ensure that the apps would be used for legitimate and lawful purposes, did not secure personal information collected from children and other users, and misrepresented the extent to which that information would be kept confidential.

While the FTC settlement represents its first case against developers of tracking apps, the complaint’s allegations rely on provisions of the FTC Act that are broadly applicable to companies that collect, store, and/or monitor users’ personal information, as well as the Children’s Online Privacy Protection Act (“COPPA”): 
Continue Reading FTC Reaches Settlement with Developer of Tracking Apps

On October 17, Senator Ron Wyden introduced in the Senate a privacy bill that would expand the FTC’s authority to regulate data collection and use, allow consumers to opt out of data sharing, and create civil and criminal penalties for certain violations of the Act.

The Mind Your Own Business Act of 2019 is the latest iteration of Wyden’s discussion draft that he released last November. (We provided an overview of the draft bill here.) Although the two Wyden measures are largely similar, the new bill provides for additional enforcement mechanisms and levies taxes on companies whose executives violate reporting requirements.


Continue Reading Wyden Introduces Mind Your Own Business Act of 2019

The U.S. Department of Commerce’s National Institute of Standards and Technology (“NIST”) now has released the preliminary draft of the “NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.”  NIST is seeking comments on the preliminary draft of the Privacy Framework and plans to use these comments to develop version 1.0 of the Privacy Framework.  Comments are due by 5:00 p.m. ET on October 24, 2019.

Continue Reading NIST Releases Preliminary Draft of Privacy Framework

R (on the application of Edward Bridges) v The Chief Constable of South Wales [2019] EWHC 2341 (Admin)

Case Note

Introduction

In Bridges, an application for judicial review, the UK High Court (Lord Justice Haddon-Cave and Mr. Justice Swift) considered the lawfulness of policing operations conducted by the South Wales Police force (“SWP”) which utilised Automated Facial Recognition (“AFR”) technology.  The Court rejected Mr Bridges’ allegations that the SWP’s conduct was unlawful as contrary to the European Convention on Human Rights (“ECHR”), Article 8, the Data Protection Acts 1998 and 2018 (“DPA 98 and 18”), and the Equality Act 2010.  In this blog post we consider several key aspects of the case.


Continue Reading UK Court upholds police use of automated facial recognition technology