On February 12, the White House released the widely anticipated Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). Developed pursuant to Executive Order 13636 (issued in February 2013), the Framework strongly encourages companies across the financial, communications, chemical, transportation, healthcare, energy, water, defense, food, agriculture, and other critical infrastructure sectors to implement and comply with its voluntary standards. The provisions set forth in the Framework may establish a new baseline for industry standard practices, and may impact or guide FTC enforcement actions and plaintiff data breach lawsuits.
On February 3, 2014, the U.S. Department of Health and Human Services (HHS) released a long-awaited final rule that amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations to permit patients and their personal representatives to access laboratory test reports. By requiring expanded access, HHS rejects what some have characterized as “paternalistic” arguments that such reports are complicated and should be provided only through treating physicians. HHS justifies the rule as necessary to empower patients to take an active role in managing their health and healthcare. As anyone who has tried to interpret a laboratory test report can attest, whether the stated objectives of the new rule will be achieved has yet to be seen.
A draft report by the European Parliament’s Civil Liberties Committee (the LIBE Committee) indicates that it is attempting to fundamentally alter the existing compliance mechanisms for transferring personal data from Europe. The recently leaked draft is dated December 23, 2013 and expresses the LIBE Committee’s response to the U.S. NSA surveillance programs, surveillance in various EU Member States and the impact on EU citizen’s fundamental rights and on transatlantic cooperation (the Report).
Data Protection Law & Policy
“Data is the new oil” – This statement by Neelie Kroes in 2011 has since been on everyone’s mind and with the constant development of new technologies, the importance of data has grown dramatically over the past few years and in recognition of this it seems that we have now entered into a new era: the era of Big Data. William Long and Geraldine Scali, Partner and Associate respectively at Sidley Austin LLP explore the potential data protection issues that may arise.
The new year will ring in significant privacy, data protection and cybersecurity changes in the U.S., Europe, Asia and elsewhere around the world. Below are some key developments and possible concrete action items for General Counsels, Chief Privacy Officers and Chief Information Officers:
The European Commission has released a comprehensive package of communications, reports and papers that set out actions which the Commission believes can restore trust in transatlantic data flows between the European Union and the United States following recent concerns over access to data by intelligence agencies.
The European Parliament’s Civil Liberties Committee (the “LIBE Committee”) has after several delays finally voted on the European Commission’s proposed EU Data Protection Regulation and adopted all amendments. The LIBE Committee also approved a mandate to start negotiations with the Council of Ministers (which represents EU Member States) and the Commission – the so called trilogue process. The Regulation was published by the European Commission in January 2012 and has been described as the most lobbied piece of European legislation in history receiving over 4,000 amendments in opinions from other Committees in the European Parliament as well as from numerous industries.
In November 2012, the UK Information Commissioner’s Office (ICO) published a Code of Practice on managing data protection risks related to anonymization. This Code provides a framework for organisations considering using anonymization and explains what it expects from organisations using such processors.
One of the benefits of anonymization is that the onerous data protection obligations under EU data protection laws, including the UK’s Data Protection Act 1998, will not apply to data rendered anonymous such that individuals are no longer identifiable.