The Panama Papers Leak – An overview on histories’ biggest data leak; Article 29 Working Party about to release opinion on EU-U.S. Privacy Shield; EU: GDPR and PCJ DPD about to be approved next week – final consolidated text published by Council; US: New HIPAA Audit Protocol Released as a Guidance Tool for phase two of Compliance Audits; U.S. Sneak News: Defend Trade Secrets Act, NPRM and Sony Settlement Approval. EU: GDPR, PCJ DPD and PNR Directive adoped by Parliament; U.S.: House Judiciary Committee approves E-Mail Privacy Act; Senate to require airlines to report cyberattacks; FTC issues online tool identifying applicable law for health apps; Global: Turkey releases first comprehensive Data Protection law; Connected cars found vulnerable for cyberattacks; Data Breaches May Waive Attorney-Client Privilege?; Encryption Continues to Dominate Privacy Headlines; Hospital Settles with HHS for $ 2.2 Million in HIPAA Action; Southern District of New York Adds Ransomware Conspirator to Hacking Case; European and Canadian Data Protection Authorities Investigate IoT Devices; Norway Requires Data Breach Notification for Individuals

The Panama Papers Leak – An overview on histories’ biggest data leak

On April 3, 2016, reports revealed that a set of 11.5 million confidential documents (“the Panama Papers”), providing detailed information about more than 200,000 offshore companies connected to Panamanian legal service provider Mossack Fonseca, had been made available to German Daily Newspaper Süddeutsche Zeitung by an anonymous source in 2015.

The documents, which form part of the biggest data leak in history, reveal aspects on (potential) exploitations of offshore tax regimes and other illegal purposes, such as fraud or drug trafficking. Among the people concerned are not only big companies, but also twelve national leaders among 143 politicians, celebrities, government officials or other law firms. The Süddeutsche Zeitung, given the scope of the leak, involved the International Consortium of Investigative Journalists (ICIJ) and about 400 other journalists in 76 different countries to investigate and analyze the documents. ICIJ has promised to publish a full list of companies involved in early May 2016.

Mossack Fonseca, the leaked firm, defended its commercial conduct, stating that itself would always comply with applicable laws and carry out thorough due diligence on its clients. However, the leak will have a huge impact on the offshore business, as the biggest selling point of this business, secrecy, has been massively cracked.

Article 29 Working Party about to release opinion on EU-U.S. Privacy Shield

The coming week (as from April 11, 2016) will be of particular importance for the future of the EU-U.S. Privacy Shield, the newly proposed data transfer pact for transfers of personal data from Europe to the U.S. which aims to replace the invalidated “U.S.-EU Safe Harbor Framework”.

The Article 29 Working Party, an EU advisory body comprising of data protection officials from all 28 EU Member States, is currently evaluating the draft adequacy decision of the European Commission with regard to the requirements set by the European Court of Justice for the legitimization of EU-U.S. data transfers and is likely to publish an opinion on its acceptability on April 12, 2016.

Although this opinion will generally be non-binding for the European Commission, it will nevertheless have a huge impact on whether the implementation of the new framework will go forward. The aim of the Article 29 Working Party would be to reduce “legal uncertainty,” Isabelle Falque-Pierrotin, president of the French Data Protection Authority (CNIL) and chair of the Article 29 Working Party has been quoted.  In case that the advisory body would come to the result that the U.S. might have to make additional compliments, this would certainly help reduce the uncertainty surrounding data transfers between the U.S. and the EU.

EU: GDPR and PCJ DPD approved and final consolidated text published by Council

On April 8, 2016, the European Council of Ministers  approved the final consolidated text of the new EU General Data Protection Regulation (GDPR), now available in 24 languages, which is about to replace the current EU Data Protection Directive (95/46/EC). The final text of new EU Policing and Criminal Justice Data Protection Directive (PCJ DPD) has also been published on April 6, 2016.

In its 3445th meeting on 12 February 2016,the Council reached consensus  on the GDPR as well as on the PCJ DPD. The vote of the Council of Ministers was therefore preponed from April 21 to April 8, 2016 (see Council documents here and here). The text will now be subject to another vote of the LIBE committee on April 12, 2016 before being submitted to the Parliament for final adoption during the next plenary sessions on April 11-14, 2016.

Once adopted, the GDPR will have direct effect throughout all Member States after a two-years-transition period (that means in 2018). The Directive will still need to be transposed into national law by the EU Member States.

Apart from that, the European Commission has started looking into a revision of the e-Privacy Directive later this year, which applies to telecommunications and digital services operators, and opened a public consultation.

U.S.: New HIPAA Audit Protocol Released as a Guidance Tool for phase two of Compliance Audits

The Office for Civil Rights (OCR) in the last week of March 2016 has published an updated protocol for Health Information Privacy Audits (HIPAA), which offers detailed guidance on about 180 HIPAA provisions important for the recently announced Phase 2 of the HIPAA Compliance Audits.

The 2016 Phase 2 HIPAA Audit Program will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Covered entities can expect to receive letters about desk audits in May, while business associates will receive such letter in June or July.

The Department of Health and Human Services’ Office for Civil Rights, which made the protocol public on its website this week, noted that “The protocol has been updated to reflect the Omnibus Final Rule.” An OCR spokesman was quoted that the protocol is final and will be used in the second audit phase. Apparently, there is an email address to use for comment, but no comment period, and that it will not be published in the Federal Register.

OCR has also published a Pre-Screening Questionnaire and a Sample Template for Business Associate Listing.

U.S. Sneak News:

  • On April 4, 2016, the Senate – in a 87:0 vote – has passed the Defend Trade Secrets Act of 2015, a bill, which allows businesses to sue for trade secret theft and potentially seize property used to facilitate the theft.
  • On April 1, 2016, the Federal Communications Commission (FCC) has released the long-awaited Notice of Proposed Rulemaking (NPRM), relating to proposed rules to govern the privacy practices of broadband internet access service providers (“BIAS”). The proposed rules include obligations of the providers to include in their privacy policies information about what kind of customer data they collect for what purpose, with whom they share those data and to which extent customers can object the sharing of their personal data. Comments on the NPRM are due May 27, 2016 and reply comments can be submitted until June 27, 2016.
  • End of March 2016, a judge has approved the multimillion-dollar settlement in a class-action suit filed by 9 former employees of Sony Pictures Entertainment, whose personal data had been stolen in a hack related to the release of the film “The Interview”.

EU: GDPR adopted by European Parliament without opposition, further amendments or changes; PCJ DPD and PNR Directive to come as well.

On April 13, 2016, the European Parliament  formally adopted the new EU General Data Protection Regulation (GDPR) (available in 24 languages), which will help harmonize of EU Data Protection rules, but also significantly increase fines and impose stricter compliance requirements. .

The new law, which is about to replace the current EU Data Protection Directive (95/46/EC), was accepted by the European politicians without oppositions, further amendments or changes. It will now have to be published in the Official Journal of the European Union, which will likely happen in May 2016, before finally coming into force after a two-years-transition period (that means in about May 2018).

The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality. This is a great success for the European Parliament and a fierce European ‘yes’ to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they want to share”, said Jan Philipp Albrecht, who steered the legislation through Parliament.

The EU Parliament also adopted the EU Policing and Criminal Justice Data Protection Directive (PCJ DPD) for judicial cooperation, as well as a new Directive on the Retention of Passenger Name Record (PNR) data by airlines within the EU. As a result of the latter, the EU Member States will now have to establish laws, providing that airlines flying into or out of the EU will have to transfer PNR data to law enforcement bodies for security checks. PNR data will have a retention period of 5 years and will have to be anonymized after 6 months. The Directive, which was first proposed in 2011 but rejected in 2013 by the LIBE committee due to privacy concerns, was revived after the terrorist attacks of Paris in 2015 and now adopted by the Parliament.

US: House Judiciary Committee approves E-Mail Privacy Act

On April 13, 2016, the House Judiciary Committee has approved in a 28:0 vote the E-Mail Privacy Act (H.R. 699), amending and updating the 30-years-old Electronic Communications Privacy Act (ECPA).

Under the ECPA, law enforcement agencies were allowed to obtain the content of a users’ electronic communications by way of subpoena, provided that the communications had been stored for more than 180 days.  The E-Mail Privacy abolishes this possibility, so that now the agencies will always need a warrant in order to access electronic communications, regardless of their age and storage time.

According to the Judiciary Committee, the new law will also allow law enforcement agencies to access public information on websites without a warrant. Apart from that, it clarifies that the Congress has unlimited authority to subpoena information from third parties in furtherance of congressional oversight.

US: Senate to require Airlines to report Cyberattacks

On April 8, 2016, the U.S. Senate has introduced a new bill, which will require airlines to report cyberattacks to federal authorities, in order to address risks emerging from increased connectivity between airplanes and external communication networks.

The bill, called “Cybersecurity Standards for Aircraft to Improve Resilience Act” (in short: “Cyber AIR Act”), will enable the Federal Aviation Administration to notify other airlines, manufacturers and agencies in case of potential threats. “As technology rapidly advances to keep passengers and planes connected, [it] must [be ensured] that the airline industry is vigilant in protecting its aircraft and systems from cybersecurity breaches and attacks,” Senator Markey, a member of the Commerce, Science and Transportation Committee, said. We know that terrorists […]will try to exploit any loophole or technological advance in our transportation systems, so we must […] ensure the safety and security of passengers on board commercial aircraft.”

US: FTC Issues Online Tool, enabling Mobile Health App Developers to Identify Applicable Laws

On April 5, the U.S. Federal Trade Commission (FTC) has released a new interactive online-tool which should help Mobile Health App Developers to find out, which federal U.S. laws they have to follow, depending on the information collected, processed and shared.

The web-based tool, produced by the FTC in cooperation with the U.S. Department of Health & Human Services (HHS), the Officer of the National Coordinator for Health Information Technology (ONC), the Office for Civil Rights (OCR) and the Food and Drug Administration (FDA), provides a snapshot on a few important laws and regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Federal Food, Drug and Cosmetic Act (FD&C Act), the Federal Trade Commission Act (FTC Act) and the FTC’s Health Breach Notification Rule.

The tool can be helpful for mobile app developers working in health, wellness and medical areas, in order to get a first impression of the various federal laws that may be applicable to their programs and to so enable them to reach out for tailored legal advice depending on the particular case.

Turkish First Comprehensive Data Protection Law released

On April 7, 2016, Turkey’s first comprehensive law on Personal Data Protection, bill number 6698, was published in the Official Gazette and came into force. The law (Turkish draft available here) is based on the European Union’s Data Protection Directive (95/46/EC), but is reported to differ from the Directive in a number of aspects.

Most importantly, the Turkish law, which still needs to be implemented during a two-year transitional period, protects the private life and the fundamental rights and freedoms of natural persons with respect to their personal data based on similar rules as applicable in the EU.

Among others, it has been reported that under the new law, data controllers will generally have to register before starting data processing operations and transfers to third countries, which do not offer an adequate level of protection will be subject to approval of the to-be-created Turkish DPA. The DPA will be entitled to impose fines of up to TRY 1,000,000 (approx. $ 350,000) or up to 4 years of imprisonment.

Connected Cars a likely target for Cyberattacks – automotive industry urged to ensure adequate protection

Internet-connected and driverless cars might be an attractive target for hackers, in particular terrorist associations or rogue nation states. The automotive industry must therefore ensure that such vehicles inherit appropriate measures for cybersecurity, John Carlin, assistant attorney general for national security of the U.S. Department of Justice has stated at an automotive conference in Detroit on April 12, 2015.

Concerns about cybersecurity in the automotive industry had begun to raise some years ago and a group of automakers, suppliers and automotive associations had banded together to form a coalition to study cyber security issues in 2014. The issue became present only one year later, when Fiat Chrysler Automobiles NV had to recall almost 1.5 million vehicles due to a security leak in radios, potentially enabling third-parties to obtain control of the cars.

According to Carlin, “we’ve [already] seen rogue nation states try to assassinate those that do not share their beliefs – if they were able to do it remotely through a car, I don’t see why they consider that a safe zone.”

Data Breaches May Waive Attorney-Client Privilege?

On Monday, attorneys handling the multidistrict litigation following dating site Ashley Madison’s high-profile data breach argued that the company’s internal legal documents should retain privileged status even though they were disseminated throughout the public media as a result of the breach.  Plaintiffs’ attorneys argued that these documents are non-privileged and that the company’s lawyers were involved in an ongoing fraud to create artificial female users on the site.  The growing dispute illustrates that, in addition to the traditional risks associated with data breaches (follow-on litigation and public relations headaches, among others), data breaches caused by inadequate security measures may create risks regarding attorney-client privilege.

Hospital Settles with HHS for $ 2.2 Million in HIPAA Action

New York Presbyterian Hospital entered into a $2.2 million settlement with the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) to resolve alleged HIPAA violations resulting from the television program NY MED filming a dying patient and other scenes at the hospital.  This case is somewhat atypical: most of the recent OCR settlements have resulted from OCR initiating an investigation in response to a breach report — often times for something like a stolen laptop.  This is the fifth settlement in the past two months and could suggests that OCR is clearing out its backlog before beginning Round Two of audits next month.

Southern District of New York Adds Ransomware Conspirator to Hacking Case

Last Thursday, the Government added a defendant to its case in the Southern District of New York against many individuals involved in a multi-year criminal enterprise centering on hacks of publishing and financial firms.  According to the Government, the scheme generated hundreds of millions of dollars in “pump and dump” stock schemes.  The Government revised the indictment on Thursday to add a co-conspirator, who allegedly exchanged cash for bitcoins on behalf of “ransomware” victims.  The addition comes at a time when ransomware, which blocks access to computers until victims pay hackers monetary “ransoms” to regain access, has seen increased public attention.

European and Canadian Data Protection Authorities Investigate IoT Devices

The Canadian Data Protection Authority (DPA) has announced that the Global Privacy Enforcement Network (GPEN), a group of 29 DPAs that includes the FTC and FCC, will focus this year’s sweep on a coordinated investigation into “Internet of Things” (IoT) devices, with results to be published in September 2016.  The investigation will generally focus on company accountability, but certain DPAs are choosing to investigate particular IoT applications, including   home, health, and fitness devices, as well as smart metering systems and thermostats.  Although the primary goal of the GPEN sweep is to increase public awareness of privacy rights and responsibilities and to encourage compliance with privacy legislation,” any concerns identified during the process could lead to follow-up investigations and potentially law enforcement actions against individual companies.

Norway Requires Data Breach Notification for Individuals

The Data Protection Authority of Norway has announced that companies must now notify individuals when their personal data is disclosed without their consent.  Previously, the Norwegian Personal Data Act only required notifications to be made to the DPA.  In making the revision, the Norwegian DPA also expressly referred to an Opinion of the Article 29 Working Party of 2014 on Personal Data Breach Notifications, which could serve as useful guidance for notification duties in all EU Member States.