European Council Adopts the Network and Information Security Directive

On May 17, 2016, the European Council formally adopted its position at first reading of the Network and Information Security Directive (“NIS Directive”). The objective of the NIS Directive is to increase cooperation between EU Member States on issues of network and information security. Companies subject to the NIS Directive are required to adopt “appropriate and proportionate technical and organisational measures.” Specifically, the NIS Directive sets forth new cybersecurity obligations for providers of essential services (including entities within the energy, transport, banking, health, [...]

Illinois Makes Extensive Changes to Data Breach Notification Law

On May 6, 2016, Illinois Governor Bruce Rauner signed HB1260, which significantly updates the state’s Personal Information Protection Act. The changes take effect on January 1, 2017. When the new law becomes effective, Illinois’ data breach notification statute will include one of the broader definitions of the information which, if breached, will trigger notification to individuals. Starting in 2017, the definition of personal information in the Act will include an individual’s full name, or first initial and last name in combination with their health insurance policy number [...]

Supreme Court Holds Congress Cannot Confer Automatic Standing By Statute

The Supreme Court has issued its much-anticipated opinion in Spokeo Inc. v. Robins, No. 13-1339, 578 U.S. ___ (2016) (click here for a prior post detailing the procedural history and case background). The Supreme Court granted certiorari in Spokeo to determine whether a bare violation of a statute – the Fair Credit Reporting Act (“FCRA”) – is sufficient to confer Article III standing, which requires that an injury be both (a) concrete and particularized and (b) actual or imminent. Below, the Ninth Circuit held that Robins’ allegation of an FCRA violation was sufficient, but the Supreme [...]

GDPR Published Today, Commencing Two-Year Countdown to Application

One of the most important EU legislative initiatives in recent years, and a landmark in privacy regulation worldwide, the GDPR is set to replace the Data Protection Directive (95/46/EC) of 1995. After the Council of Ministers accelerated the voting timetable for GDPR passage and the Parliament approved the GDPR in an up-or-down vote, all eyes were on the GDPR’s publication to begin setting compliance timetables. Today, the final and as-approved version of the GDPR was published in the EU’s Official Journal. The Official Journal version of the GDPR can be downloaded here. With that, [...]

Nebraska Makes Changes to Data Breach Statute

Nebraska Governor Pete Ricketts has signed LB835 into law, updating the state’s data breach notification statute. The changes take effect on July 20, 2016. With the updates, Nebraska joins a growing number of states that include a username or email in combination with a password or security question and answer that would permit access to an online account in the definition of personal information which, if acquired by an unauthorized person, would require notice. In addition, the statute has been modified to require notice to the state’s Attorney General concurrent with notice provided [...]

Turkey’s New Data Protection Law

Turkey’s new “Law on the Protection of Personal Data” has entered into effect following passage by the Turkish Parliament in late March and official publication last week. The Data Protection Law adopts a broadly European model for data protection and helps clarify key aspects of the regulation of personal data under Turkish law. This blog post examines the law and highlights certain important provisions. Scope The Data Protection Law applies to the “personal data” of natural persons where that personal data is processed “wholly or partly by automatic means,” and to non-automatic [...]

GDPR Approved by Parliament, Set to Become EU Law

Last week, we reported that the Council of Ministers accelerated the timetable for passage of the General Data Protection Regulation (GDPR). The European Parliament followed suit and approved the GDPR this morning. As a result, the GDPR is now officially adopted and will become the law of the land in the EU. The GDPR will be published either this month or next in the Official Journal of the European Union. Twenty days after its publication, it will enter into force – i.e. either in May or June 2016. As soon as the GDPR enters into force, its two-year clock for bringing business operations [...]

Art. 29 Working Party Issues Formal Opinion Opposing Privacy Shield

Several hours after holding a closely-watched press conference we reported on yesterday, the Article 29 Working Party (“Art. 29 WP”) released its highly anticipated formal opinion on the adequacy of Privacy Shield. Background The European Commission has put forth a draft “adequacy decision” in which it declares that on the basis of Privacy Shield, the United States offers data protection that is essentially equivalent to that offered in the EU. If adopted, this adequacy decision would permit data transfers to US companies that agree to abide by the Privacy Shield principles. The [...]

Art. 29 Working Party Announces it Will Not Support Privacy Shield at Press Conference

Early this afternoon, the Article 29 Working Party (“Art. 29 WP”) held a press conference at which it presented its forthcoming opinion on the adequacy of the US-EU Privacy Shield. As background, the European Commission has put forth a draft “adequacy decision” in which it declares that on the basis of Privacy Shield, the United States offers data protection that is essentially equivalent to that offered in the EU. Such an adequacy decision would permit data transfers to US companies that agree to abide by the Privacy Shield principles. However, an important part of the approval [...]

EU Council Issues New Consolidated GDPR and Accelerates GDPR’s Legislative Timetable

Yesterday evening, the Council of Ministers issued a new consolidated version of the General Data Protection Regulation (GDPR). This is the first “clean” version of the GDPR that (a) incorporates all revisions agreed upon from the time of the Commission’s original 2012 proposal to the December 2015 trilogue compromise text; and (b) numbers individual provisions as can be anticipated in the final adopted version of the GDPR. The new consolidated text can be accessed here. The new GDPR text follows closely on the heels of the Council accelerating the timetable for the GDPR’s passage. [...]