[Update to previous post from August 17, 2018]

On January 23, 2019, the European Commission and Japan mutually recognized each other’s data protection laws as providing an adequate level of protection of personal data (see European Commission press release here). As a result, nearly all personal data can now flow freely between the EU

Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”).  Since the entry

The California legislature recently passed three bills meant to address rapidly-developing technologies including the Internet of Things, artificial intelligence (AI), and chatbots.

Internet of Things. At the end of August, California became the first state to promulgate regulations requiring security features for Internet-connected devices. Senate Bill 327 requires that a manufacturer of a connected device equip the device with “reasonable security features” that are (1) appropriate to the nature and function of the device; (2) appropriate to the information it may collect, contain, or transmit; and (3) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

On September 26th, the Senate Committee on Commerce, Science, and Transportation held a hearing on data privacy, focusing in part on the potential for federal privacy regulation. The discussion centered on two issues: (1) the potential for Congress to pass a federal privacy law, including the scope and model for any such law, and (2)

By Lauren Moxley

Today, the Supreme Court released its decision in Byrd v. United States.  The Court held that under the Fourth Amendment, a driver of a rental vehicle can challenge a search of the vehicle even if he is not listed as an authorized driver on the rental agreement.

The case began in

This month, China’s National Information Security Standardization Technical Committee (“NISSTC”) organized a meeting to launch a working group tasked with drafting a Personal Information Security Standard (“PIS Standard”). NISSTC is a government committee jointly supervised by the Standardization Administration of China and the Cyberspace Administration of China. In addition to the government agencies, several Chinese research institutions and Internet companies (including Tencent and Alibaba) will also participate in the working group.

A new post on the Covington eHealth blog discusses the new web-based interactive tool released by the FTC, in conjunction with HHS and the FDA, to assist mobile health app developers in navigating applicable federal laws and regulations in the areas of advertising and marketing, medical devices, and data security and privacy.  As part of

On Tuesday, February 9, the Substance Abuse and Mental Health Services Administration (SAMHSA) published a proposed rule to update regulations at 42 C.F.R. Part 2 that protect the confidentiality of alcohol and drug abuse patient records.  The regulations were originally promulgated in 1975 and last substantively updated in 1987.  SAMHSA intends for these updates to better align the regulations with advances in the U.S. health care delivery system, such as health information technology.

Background

The regulations at 42 C.F.R. Part 2 (“Part 2 regulations”) protect the confidentiality of patient records that are maintained in connection with the performance of any federally assisted program or activity relating to substance abuse education, prevention, training, treatment, rehabilitation, or research.

The goal of the regulations is to ensure that individuals are not deterred from seeking treatment for substance abuse disorders out of concern about the potential disclosures of these records.  SAMHSA notes that unauthorized disclosure has the potential for significant negative consequences for patients, such as: loss of employment, loss of housing, loss of child custody, discrimination by medical professionals and insurers, arrest, prosecution, and incarceration.

To safeguard substance abuse treatment records, Part 2 regulations require that a patient consent to the disclosure of individually identifiable information related to diagnoses, treatment, or referrals by federally assisted substance abuse programs, except in certain limited circumstances, such as a bona fide medical emergency, for research purposes, for audit and evaluation activities, and pursuant to a court order.

SAMHSA proposes the following changes to the regulations:

The Senate Judiciary Committee today successfully reported H.R. 1428, the Judicial Redress Act of 2015.  However, the bill included an amendment to the House-passed version that has the potential to influence current negotiations between the United States and the European Union to reach a new Safe Harbor agreement.

As we previously reported, the Judicial

On January 12, 2016, the European Court of Human Rights (ECtHR) ruled that an employer who had monitored an employee’s private communications during working hours had not breached the employee’s right to privacy (under Article 8 of the European Convention on Human Rights).

This judgment will influence how other European national courts and regulators view similar cases involving employer monitoring of employee private communications. However, the full scope of the judgment remains somewhat unclear; in particular, it remains unclear whether the ECtHR would apply similar logic if the monitored communications had been carried out through a personal account, rather than a professional one. Employers should also take note that the judgment emphasizes the need for employer monitoring policies to be reasonable and proportionate. The judgment is available in full here.