Legislation

In a new post on the Covington Digital Health blog, our colleagues discuss a new European Cloud in Health Advisory Council whitepaper calling for a review of European healthcare data protection rules holding back greater adoption of cloud computing and AI; and for more discussion about the ethics and 
Continue Reading European Cloud in Health Advisory Council Calls For Review of eHealth Rules and Ethics of Medical Data Re-Use

Representative Marsha Blackburn (R-TN) has introduced a bill, the “Balancing the Rights of Web Surfers Equally and Responsibly Act of 2017” (“BROWSER Act,” H.R. 2520) that would  create new online privacy requirements.  The BROWSER Act would require both ISPs and edge providers (essentially any service provided over the Internet) to provide users with notice of their privacy policies, obtain opt-in consent for sensitive data, and opt-out consent for non-sensitive data.  In its current form, the BROWSER Act would define sensitive data more broadly than in existing FTC guidelines—mirroring the since-repealed privacy rules that the FCC adopted last year for ISPs, but applying those standards to ISPs and edge providers alike.

The BROWSER Act defines “sensitive user information” to include financial information, health information, children’s data, social security numbers, precise geo-location information, contents of communications, and, most notably, web browsing or app usage histories.  ISPs and edge providers must obtain “opt-in approval” from users prior to using, disclosing, or permitting access to such sensitive information.  For “non-sensitive user information,” the BROWSER Act requires opt-out consent.  And companies may not condition the provision of services, or otherwise refuse services, based on the waiver of privacy rights under the BROWSER Act.
Continue Reading New Republican Privacy Bill Would Expand Scope of “Sensitive” Data

Last week, New Mexico and Tennessee both passed legislation updating each state’s requirements for notifying residents following a data breach.  New Mexico’s new law, H.B. 15, makes it the 48th U.S. state to enact a state data breach notification law, leaving Alabama and South Dakota as the only states that have not enacted similar laws.  Tennessee’s bill, S.B. 547, amended its Identity Theft Deterrence Act of 1999 to exempt certain encrypted data from triggering notification requirements.
Continue Reading New Mexico Becomes 48th State with Data Breach Notification Law; Tennessee Restores Exemption for Encrypted Data

On April 11, 2017, the Cyberspace Administration of China (“CAC”) released a draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (“the Draft Measures”) for public comment (official Chinese version available here).  The comment period ends on May 11, 2017.

The issuance of the long-anticipated Draft Measures is another critical step toward implementing China’s Cybersecurity Law (“the Law”), which is set to take effect on June 1, 2017 (see our alert on the Law here).  Importantly, the Draft Measures, if enacted in its current form, would mandate all “network operators” to self-assess the security of their cross-border data transfers and significantly broaden the scope of entities that potentially need to undergo security assessments for such transfers by the Chinese government.  Companies that fall into the scope of “network operators,” but may not qualify for “operators of Critical Information Infrastructure” (“CII”), could see their cross-border data transfers regulated under the Draft Measures.  
Continue Reading China Seeks Public Comments on Draft Regulation on Cross-Border Data Transfer

By Stephen Kiehl

Continuing their focus on drone privacy issues, Senator Edward J. Markey (D-Mass.) and Rep. Peter Welch (D-Vt.) introduced legislation in the House and Senate this month that would require drone operators to create policies covering data collection and retention and require warrants for law enforcement agencies to conduct surveillance by drone.

The Drone Aircraft Privacy and Transparency Act, available here, is similar to legislation Markey and Welch introduced last year, which did not become law.  The lawmakers said they are concerned about the potentially “sensitive and personally identifiable information” about Americans drones (“UAS”) collect as they are operated. 
Continue Reading Legislation Introduced in House and Senate to Establish Drone Privacy Rules

Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) reintroduced a pair of bills today relating to the cybersecurity of cars and aircraft, which would impose affirmative security, disclosure, and consent requirements on manufacturers and air carriers.  The Security and Privacy in Your Car (“SPY Car”) Act and Cybersecurity Standards for Aircraft to Improve Resilience (“Cyber AIR”) Act were each introduced but not enacted in a previous session of Congress.  In a joint press release, the Senators noted that the legislation was designed to “implement and improve cybersecurity standards for cars and aircraft.”

The SPY Car Act

The SPY Car Act would require cars manufactured for sale in the U.S. to comply with “reasonable measures to protect against hacking attacks,” including measures to isolate critical software systems from non-critical systems, evaluate security vulnerabilities, and “immediately detect, report, and stop attempts to intercept driving data or control the vehicle.”  It would also require “driving data” collected by cars to be “reasonably secured to prevent unauthorized access,” including while such data is in transit to other locations or subsequently stored elsewhere.  Violations of these cybersecurity requirements are subject to civil penalties of up to $5,000 per violation.
Continue Reading Senators Reintroduce Cybersecurity Legislation for Cars and Planes

On March 2nd, Democratic members of the House Energy and Commerce Committee introduced three pieces of legislation that would expand the Federal Communications Commission’s (FCC) authority over the cybersecurity practices of communications network providers.

The first bill, the “Securing IoT Act of 2017” (introduced by Rep. Jerry McNerney
Continue Reading House Democrats Propose Three Bills that Would Bolster FCC Influence over Cybersecurity

Yesterday, the Department of Homeland Security (“DHS”) and Department of Justice released final guidance as required by Title I of the Cybersecurity Act of 2015 (“CISA”), which was enacted into law this past December.  The guidance was prepared in consultation with several additional federal agencies, and includes four separate documents.  We summarize each of the guidance documents below.

The first document (“sharing guidance”) provides guidance for non-federal entities (including state governments) that elect to share cybersecurity information with the federal government under CISA.  It summarizes the sharing authorized by CISA as follows: “Effectively, the only information that can be shared under the Act is information that is directly related to and necessary to identify or describe a cybersecurity threat.”  But it also notes that “otherwise conflicting laws, including privacy laws, do not restrict sharing or any other action undertaken pursuant to CISA,” consistent with the language of Section 104(c) of CISA, which permits such sharing “notwithstanding any other provision of law.”  
Continue Reading Federal Government Releases Final Guidance on CISA

Last week, Tennessee Governor Bill Haslam (R) signed S.B. 2005 into law, amending Tennessee’s breach notification law to broaden the scope of information covered and require quicker notifications of the state’s residents.  Most notably, when the amendments enter into force on July 1, 2016, Tennessee will become the only U.S. state that could require notification of affected individuals following breaches of encrypted information.  The amendments will also require businesses to notify Tennessee residents within 45 days after the business discovers the breach.
Continue Reading Tennessee Amends Breach Notification Law to Cover Breaches of Encrypted Information

Today, a German law to strengthen the private enforcement of certain data protection provisions that aim to protect consumers (the Law) entered in to force, following its publication in the Official Journal yesterday. We previously reported on the draft law here.

The Law empowers certain qualified associations to seek injunctive relief against companies or self-employed individuals for violations of the rules governing the collection, processing or use of consumers’ personal data in specific cases of commercial use, namely for the purposes of:

  • advertising;
  • market and opinion research;
  • the creation of personality or usage profiles;
  • address and data brokering; or
  • similar commercial purposes.

Continue Reading Germany Extends Right of Qualified Consumer Associations to Challenge Privacy Violations