After nearly four years of negotiation and wrangling, European Officials announced yesterday that they had finally reached agreement on the language for the EU’s new General Data Protection Regulation (“Regulation), which will replace the aging 1995 Data Protection Directive (“Directive”).

In many ways, the announcement is welcome news as it

On November 19, 2015, Lahey Hospital and Medical Center (“Lahey”) entered into an $850,000 settlement with the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 or “HIPAA”. As part of the settlement, Lahey must adopt a robust corrective action plan, which became operational on November 19, 2015, and will last for two years.

The settlement reinforces the importance of conducting HIPAA risk assessments with respect to the individually identifiable information in electronic form that is protected by HIPAA, referred to as “electronic protected health information” or “ePHI.”  The settlement also underscores that covered entities must timely identify and respond to security incidents, and promptly mitigate any harmful effects. In addition, the settlement highlights the critical nature of physical workstation security, in particular where health care delivery involves the use of portable devices that store ePHI, and the value of employing technical solutions that encrypt data at rest that is stored on portable devices.

Poland’s data protection authority, the Generalny Inspektor Ochrony Danych Osobowych (GIODO), recently issued its opinion on the continued validity of personal data transfers to the US.  The opinion comes at a time when nearly every means of legitimizing data transfers from the EU to the US has come under fire: on October 6, the European Court of Justice (CJEU) issued a decision invalidating the US-EU Safe Harbor framework, and soon after Germany’s Conference of Data Protection Commissioners indicated that the German DPAs would not grant any new approvals for data transfers to the US on the basis of binding corporate rules (BCRs) or standard contractual clauses.  Meanwhile, the Article 29 Working Party issued an opinion stating that standard contractual clauses and BCRs remained valid tools for transferring personal data from the EU to the US.  Furthermore, it recognized that American and European authorities were negotiating to develop a Safe Harbor replacement, and that EU DPAs therefore would not bring enforcement actions unless the negotiating authorities fail to reach a solution by end of January 2016.

On January 1, 2016, the Delaware Online Privacy and Protection Act (“DOPPA”) will go into force, a law that provides strong online privacy protection for its residents.  The new law targets three areas of compliance: (1) advertising to children; (2) conspicuous posting of a compliant privacy policy; and (3) enhancing the privacy protections of users of digital books (“e-books”).  The law grants the state’s Consumer Protection Unit of the Department of Justice the authority to investigate and prosecute violations of the law. This new Delaware law is substantially similar to three existing California laws that regulate the same practices. Given the similarities in language, DOPPA was clearly drafted with the California laws in mind.

The average American today generates more media than they did at any other point in history, and the ease with which our communications, photos, and videos are sent and stored digitally means most of us have more media stored in the cloud or on a single digital device than previous generations would have created in an entire lifetime. However, even as the amount of media we create and store has increased, the laws governing its search and seizure have failed to keep up. Under federal law and the laws of most states, the same information may be subject to different levels of protection from government authorities depending on whether that information is in the form of an e-mail stored in the cloud or a letter stored in a desk drawer.

California is attempting to change that equation. On October 8, 2015, Governor Jerry Brown signed into law the California Electronic Communications Privacy Act (CalECPA, SB 178), a sweeping bill

Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States.  The Commission also stated its objective to conclude negotiations with the U.S. government regarding the so-called Safe Harbor 2.0 within three months.  This timeline dovetails with the Article 29 Working Party’s grace period, which continues until the end of January 2016.

Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations.

News out of Germany, however, indicates that a one-size-fits all approach to data transfers from the EU to the U.S. may be difficult to achieve.