German Federal Agencies Publish Privacy and IT Security Requirements for Digital Health Applications

On April 21, 2020, the Regulation on the Requirements and Reimbursement Process for Digital Health Applications (Digitale Gesundheitsanwendungen-Verordnung or “DiGAV”, available here) entered into force in Germany.  Among other provisions, the DiGAV includes specific IT security and privacy requirements.  Shortly after the law took effect, Germany’s Federal Medicines and Medical Devices Agency (“BfArM”) also released an extensive explanatory Guidance (Leitfaden, available here) to the DiGAV.

Independently, on April 15, 2020, the German Federal Office for IT Security (“BSI”) published a draft version of its guidance on “Security Requirements for Digital Health Applications” (BSI TR-03161) (available here).  The BSI is now seeking feedback from industry on this draft guidance before releasing a final version.

While the scope of application of the DiGAV and the BSI draft guidance may be limited, the documents can serve to provide useful insights and benchmarks for health applications generally.

Eleventh Circuit Holds that TCPA Consent Revocation is Limited When Given as Part of a Bargained-For Contract

The Eleventh Circuit has issued a unanimous decision in Medley v. Dish Network, LLC, holding that the Telephone Consumer Protection Act (TCPA) does not permit consumers to unilaterally revoke their consent to receive automated calls or texts, if that consent is given in a bargained-for contract.  The decision could have important implications for businesses that rely on consent to send consumers automated calls and texts.

HHS Announces Enforcement Discretion Over the Implementation of Interoperability Final Rules Due to COVID-19 Public Health Emergency

In a new post on the Covington Digital Health blog, our colleagues discuss the Department of Health and Human Services (“HHS”) announcement of enforcement discretion to “permit compliance flexibilities” for the implementation of the interoperability final rules issued on March 9th, 2020.  The final rules are intended to improve patient access to electronic health information (“EHI”) and to standardize the modes of exchanging EHI.  Due to the COVID-19 public health emergency, HHS is now extending the implementation deadlines for certain requirements of the final rules.  To read the post, please click here.

Republicans Poised To Introduce COVID-19 Privacy Bill

Senate Commerce Committee Chairman Roger Wicker is working on draft legislation that would regulate the collection and use of health and location information in connection with efforts to track and limit the spread of COVID-19.   Some key highlights of the tentatively titled “COVID-19 Consumer Data Protection Act” include:

Dutch Supervisory Authority Fines Company for Processing Biometric Data of Employees

On April 28, 2020, the Dutch Supervisory Authority (“Dutch SA”) announced its decision to impose a fine of €725,000 on a company for unlawfully processing the biometric data of its employees.

In 2018, the company concerned installed an access and time management system that collected and processed biometric templates of employees’ fingerprints.  This initiative came about following indications of fraudulent use of the company’s existing badge-based time management system.  After installation, the company’s old system co-existed with the new system, and employees were free to choose the method by which to sign in to work.  One of the employees subsequently filed a complaint with the Dutch SA, which led to this investigation.

AI Update: 10 Steps to Creating Trustworthy AI Applications

Trustworthy AI has garnered attention from policymakers and other stakeholders around the globe.  How can organizations operationalize trustworthy AI for Covid-19 and other AI applications, as the legal landscape continues to evolve? Lee Tiedrich and Lala R. Qadir share ten steps in this article with Law360.  For more information about AI, please see our “AI Toolkit.”

FCC Continues TRACED Act Implementation, Proposes to Expand Scope of Permissible Call Blocking

Yesterday, the Federal Communications Commission (FCC) took additional steps to implement the various mandates in the TRACED Act (discussed here and here), which was enacted late last year to help combat illegal robocalls.  Specifically, the FCC yesterday released a notice of proposed rulemaking (NPRM) that seeks comment on how best to eliminate “one-ring scams.”  Included in the NPRM is a proposed rule that would permit voice service providers to block callers suspected of transmitting such scam calls.

China Issues New Measures on Cybersecurity Review of Network Products and Services

On April 27, 2020, the Cyberspace Administration of China (“CAC”) and eleven other government agencies jointly released the final version of the Measures on Cybersecurity Review (“Measures”) (an official Chinese version of the Measures is available here).  These Measures will take effect on June 1, 2020.

Under Article 35 of China’s Cybersecurity Law (“CSL”), operators of Critical Information Infrastructure (“CII”) are required to undergo a security review if the procurement of “network products and services” implicates China’s national security.  To implement this requirement, CAC previously released the Measures on the Security Review of Network Products and Services (Trial) (“Trial Measures”) on May 2, 2017, which established a process for CAC to conduct a cybersecurity review in a range of key sectors.  On May 24, 2019, CAC released a draft version of the Measures (“Draft Measures”) for public comment (see our post on the Draft Measures here), aiming to update the review process established under the Trial Measures.  The final version of the Measures replaces the Trial Measures and largely tracks the framework proposed in the Draft Measures.

Highlights of the final version of the Measures appear below.

European Data Protection Board Issues Guidelines on Processing Personal Data for Scientific Research Related to COVID-19

On April 21, 2020, the European Data Protection Board (“Board”) issued guidelines on the processing of personal data for scientific research related to COVID-19.  The Board indicates that the GDPR takes into account the needs of scientific research and should not be a barrier to conducting such research, while at the same time, it helps ensure respect for the fundamental rights of patients.

French Supervisory Authority Launches Public Consultation on the Digital Rights of Minors

On April 21, 2020, the French Supervisory Authority (“CNIL”) launched a public consultation on the rights of minors in digital services. The consultation is open until June 1, 2020.  The CNIL will use the contributions it receives to prepare recommendations in this area.

Under the French Data Protection Law, minors over 15 years old can consent, without parental consent, to the processing of their personal data in digital services.  According to the CNIL, the privacy of minors on the Internet still raises questions that have not been fully addressed by the French Data Protection Law and the GDPR.

The consultation asks stakeholders to answer the following questions:

  • what online services are captured by the age limit of 15 years and the conditions under which a minor can perform certain acts on the Internet alone (e.g., register to social media or make online purchases);
  • what measures websites and apps should implement to safeguard the privacy of minors;
  • which online services should implement an age verification procedure and what age verification procedures are most appropriate; and
  • whether minors should be able to exercise their rights alone (as opposed to through their parents) and from what age they should be able to do this.

On January 21, 2020, the UK’s Information Commissioner’s Office published a Code of Practice to protect children’s privacy online. This code is the result of a public consultation that took place between April 12, 2019 and May 31, 2019.
