Privacy & Information Security Law Blog

On July 5, 2016, the Standing Committee of the National People’s Congress of the People’s Republic of China (the “Standing Committee”) published the full second draft of the Cybersecurity Law (the “second draft”). The publication of the second draft comes after the Standing Committee’s second reading of the draft on June 27, 2016. The public may comment on the second draft of the Cybersecurity Law until August 4, 2016.

On July 5, 2016, the European Commission announced the launch of a new public-private partnership (the “Partnership”) on cybersecurity, as part of its Digital Single Market and EU Cybersecurity strategies. In this context, the European Commission released several documents, including a Commission Decision establishing a contractual arrangement of the new Partnership for cybersecurity industrial research, and a Staff Working Document on the preparation activities for the Partnership.

On June 30, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had settled potential HIPAA Security Rule violations with Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”). This is the first enforcement action OCR has taken against a business associate since the HIPAA Omnibus Rule was enacted in 2013. The HIPAA Omnibus Rule made business associates directly liable for their violations of the HIPAA rules. The settlement with CHCS is also notable because it involved a breach that affected fewer than 500 individuals.

On June 28, 2016, the UK Information Commissioner’s Office (“ICO”) released its Annual Report for 2015 -2016 (the “Report”).

According to the Report, the ICO has dealt with an increase in the number of data protection concerns, handling 16,388 complaints in total. Particularly noteworthy is the £130,000 fine imposed on Pharmacy 2U for breach of the fair processing requirements under the UK Data Protection Act 1998. Pharmacy 2U sold details of over 20,000 customers to a list marketing company without customers' knowledge or consent.

On June 28, 2016, the State Internet Information Office of the People’s Republic of China published the Administrative Provisions on Information Services for Mobile Internet Applications (the “App Administrative Provisions”). This is the first regulation that expressly regulates mobile apps in the People’s Republic of China. Before the App Administrative Provisions were published, the P.R.C. Ministry of Industry and Information Technology had published a draft of the Interim Provisions on the Preinstallation and Management of the Distribution of Mobile Intelligent Terminal Applications (“Interim Provisions”). The comment period for the Interim Provisions draft expired six months ago and i’s still uncertain when it will become effective. According to unofficial statistics, domestic app stores have more than 4 million apps in inventory presently, and the number is growing. Those apps will now become highly regulated products under the App Administrative Provisions.

On June 30, 2016, a joint committee composed of representatives from both chambers of the French Parliament (“Joint Committee”) reached a common position on the French ‘Digital Republic’ Bill that rejects the data localization amendment previously approved by the French Senate, but significantly amends other aspects of the French Data Protection Act.

On June 29, 2016, the Federal Trade Commission announced that, to account for inflation, it is increasing the civil penalty maximums for certain violations of the FTC Act effective August 1, 2016. The FTC’s authority for issuing these adjustments comes from the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015. The Federal Register Notice indicates which sections of the FTC Act the adjustments will apply to, and the corresponding increases. For example, the FTC has increased the maximum fine from $16,000 to $40,000 for certain violations of Section 5 of ...

On June 27, 2016, the Standing Committee of the National People’s Congress of the People's Republic of China held a second reading of the draft Cybersecurity Law (the “second draft”). The law is aimed at strengthening the protection and security of key information infrastructure and important data in China. As we previously reported, the first draft of the Cybersecurity Law was published for comment almost a year ago, but the National People’s Congress has not published the full second draft of the Cybersecurity Law to date.

On June 25, 2016, the Cyberspace Administration of China published its new Administrative Provisions on Internet Information Search Services (the “Provisions”). The Provisions will come into effect on August 1, 2016.

On June 29, 2016, Politico reported that it has obtained updated EU-U.S. Privacy Shield documents following the latest negotiations between U.S. and EU government authorities. Certain aspects of the prior Privacy Shield framework were criticized by the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor.