As we previously reported, in September 2016 the New York Department of Financial Services (the “DFS”) proposed a regulation that would require banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections (the “Proposal”). The comment period for the Proposal closed in mid-November.

In late December, a DFS spokesman said that a revised Proposal will be filed with the state register on December 28, 2016 (followed by a new thirty-day comment period) and that the revised Proposal will come into effect on March 1, 2017 (two months later than the Proposal’s previous effective date of January 1, 2017).

On Friday, the Article 29 Working Party issued official guidance relating to the General Data Protection Regulation, or GDPR (which we’ve covered in previous posts here and here). The Article 29 Working Party is comprised of representatives of the various EU Member States’ data protection authorities (DPAs), so this marks the first time that the DPAs have revealed their thoughts on how they plan to interpret and enforce specific GDPR provisions.  This is welcome news for companies that, until this point, have been left to figure out compliance strategies without any indication as to how some of the newer concepts the GDPR introduces will operate in practice when the Regulation begins to apply in 2018.

DataGuidance spoke with Cécile Martin, Special International Counsel at Proskauer Rose LLP, at the International Association of Privacy Professionals’ Conference in Brussels in November 2016. Cécile discussed the passing of the Digital Republic Bill and its implications for organizations, as well as the latest developments regarding employee monitoring in France and the upcoming changes with the GDPR.

On December 2, 2016, the Federal Communications Commission (“FCC”) published its Report and Order entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (the “Order”) as a final rule in the Federal Register, adopting rules applicable to Internet service providers (“ISPs”) intended to protect the privacy of broadband consumers. Despite the publication of the rules in the Federal Register, uncertainty remains regarding when ISPs must be in compliance with some of these newly established privacy obligations. Although the rules are effective January 3, 2017, the FCC has made exceptions to the January 3, 2017 effective date for provisions which have not yet been approved by the Office of Management and Budget (“OMB”).[1] This includes many of the operative provisions of the new rules regarding ISPs’ data collection and use. Once such provisions are approved by the OMB, notice will be published in the Federal Register announcing their approval and corresponding effective dates.

Despite the uncertainty regarding the effective dates of many sections, the publication of the Order puts ISPs on notice of the new rules, and ISPs should begin revising their practices so that they are able to meet the earliest possible effective dates. Here is what ISPs need to know regarding compliance with the new rules:

On October 19, the Court of Justice of the European Union (CJEU) ruled that dynamic IP addresses may qualify as “personal data” under EU privacy law. As we covered here on the blog a few months ago, this decision is significant because it clarifies that companies that collect, store, process, and/or transfer dynamic IP addresses belonging to EU users may have to treat them in accordance with the stringent restrictions that EU law imposes on the handling of personal data. As a refresher, an IP (short for “Internet protocol”) address is a series of numbers allocated to a specific device that identifies a device and allows it to access an electronic communications network, such as the Internet.  IP addresses can be either “dynamic” or “static”; dynamic IP addresses, which are more common, change every time the device connects to the Internet, while static IP addresses remain constant and do not change every time the device re-connects.