NHS’ Plans to Share Patient Records with Third Parties
NHS Digital (the national custodian for health and care data in England) in May 2021, announced a new data sharing initiative called the General Practice Data for Planning and Research (GPDPR) service. The launch of the GPDPR could result in the historical medical records of up to 55 million patients in England being shared with third parties.
Although the GP data collection was set to take place as of July 1, 2021, on June 8, 2021 it was announced that the launch will be postponed to September 1, 2021.
European Commission Adopts New Standard Contractual Clauses
The European Commission (EC) on June 4, 2021 adopted a new set of Standard Contractual Clauses for international data transfers (New SCCs). The New SCCs take into account the Court of Justice of the European Union’s (CJEU) decision in Schrems II, requirements under the EU General Data Protection Regulation (GDPR), and according to the EC “address the realities faced by modern business”. In particular, as it relates to companies ongoing Schrems II assessments the New SCCs provide details around the steps an importer should take when subject to a request for disclosure from a public authority, and helpfully confirm that in carrying out the assessment of a third country legal framework the factors which can be taken into consideration.
TSA Issues Directive to Enhance Pipeline Cybersecurity
The U.S. Department of Homeland Security’s Transportation Security Administration (“TSA”) issued a Security Directive, “Enhancing Pipeline Cybersecurity” on May 28, laying out new cybersecurity requirements for operators of liquids and natural gas pipelines and LNG facilities designated as critical infrastructure.
UK Moves to Reconcile Antitrust and Data Protection Enforcement in Digital Sectors
Last year, to address the increasing overlaps between data protection and antitrust enforcement, the UK launched the Digital Regulatory Cooperation Forum (DRCF). The DRCF brings together the four UK regulators most involved in digital matters (i.e., the Competition and Markets Authority (CMA), the Information Commissioner’s Office (ICO), the Office of Communications (Ofcom) and the Financial Conduct Authority (FCA)). Its main objective is to enable coherent and informed regulation of the UK digital economy.
SCCs, Adequacy, and Guidance: Latest Updates on International Data Transfers
The next few weeks will likely be very busy for companies on the GDPR international data transfer front as there have been a number of key European developments over the last few days including: (more…)
Transferring EU Data To US After New Contractual Safeguards – A Proposal to Notify Intelligence Agencies of “US Person” Prohibition on Targeting SCC Transfers
This article was first published by Law360 on May 17, 2021.
In light of new standard contractual clauses, or SCCs, to be issued shortly by the European Commission, as well as imminent new guidance from the European Data Protection Board, companies transferring personal data to the U.S. should consider taking steps to help ensure their data transfers are recognized as U.S. person communications.
This article sets forth possible text that companies could adopt as a supplemental measure to inform U.S. intelligence agencies that data transfers under SCCs are prohibited from being targeted.
Major Executive Order on Cybersecurity Aims to Fortify Defenses and Coordinate U.S. Response to Growing Epidemic of Cyberattacks
The Biden administration issued a lengthy Executive Order, “Improving the Nation’s Cybersecurity,” on May 12, which it described as the “first of many ambitious steps” toward modernizing U.S. cybersecurity defenses. The White House simultaneously issued an explanatory fact sheet and background press call.
Pursuant to the Order, government agencies will be required to deploy multifactor authentication, encryption, endpoint detection response, and logging and operate under the principle of a “zero-trust” environment. A clear purpose of the Order is to improve the security of commercial software, including by establishing baseline security requirements based on industry best practices. As the White House press briefer stated, the Order will impose “the power of federal procurement to say, ‘If you’re doing business with us, we need you to practice really good — really good cybersecurity. And, most importantly, we really need you to focus on secure software development.’”
EU Commission Invites Stakeholders Feedback on Draft AI Regulation
On April 26, 2021, the European Commission announced that its draft proposal for the new EU Artificial Intelligence Regulation (“Draft AI Regulation”) is currently indicated to be open for feedback until July 15, 2021.* The Draft AI Regulation was published on April 21. Please refer to our blog post here that provides an overview of the Draft AI Regulation and its potential impact.
EU Commission Issues Draft AI Regulation
On April 21, 2021, the European Commission (EC) issued its eagerly awaited draft proposal on the EU Artificial Intelligence Regulation (Draft AI Regulation) – the first formal legislative proposal regulating Artificial Intelligence (AI) on a standalone basis. The Draft AI Regulation is accompanied by a revision of the EU’s rules on machinery products, which lay down safety requirements for machinery products before being placed on the EU market. The new draft Machinery Products Regulation – proposed by the EU Commission on the same day – intends to tackle safety issues that arise in emerging technologies. The Draft AI Regulation (which appears to have borrowed a number of principles from existing EU legislation, including the EU General Data Protection Regulation 2016/679 (GDPR)) has an intentionally broad scope, and regulates the use of AI in accordance with the level of risk the AI system presents to fundamental human rights and other key values the EU adheres to. AI systems that are considered to present an “unacceptable” level of risk are banned from the EU, and “high-risk” systems are subject to strict requirements. AI systems which are considered to present a lower risk level are subject to transparency requirements or are not regulated at all. Companies engaged in the development, manufacturing, importation, distribution, servicing, and use of AI – irrespective of industry – should assess to what extent their products are implicated and how they will address any regulatory requirements they are subject to. The Draft AI Regulation foresees maximum administrative fines of up to €30m or 6% of total worldwide annual turnover in the event of non-compliance – meaning fines are higher than the ones under the GDPR.
DOL Puts Plan Sponsors and Other Fiduciaries on Notice: ERISA Requires Appropriate Precautions to Mitigate Cybersecurity Threats
There just may be a new cybersecurity regulator in town.
In an effort it describes as “an important step” toward safeguarding more than $9.3 trillion in retirement assets, the U.S. Department of Labor (DOL) published its first cybersecurity guidance last week (Cybersecurity Guidance). The Cybersecurity Guidance is directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974 (ERISA) as well as plan participants and beneficiaries. Significantly, the Cybersecurity Guidance formally states the DOL’s position that cybersecurity is a matter of fiduciary responsibility under ERISA, stating that ERISA requires plan fiduciaries to take appropriate precautions to mitigate cybersecurity risks.