Data Transfers/Safe Harbor/Privacy Shield

California Voters Approve the California Privacy Rights Act

On November 3, 2020, California voters passed the California Privacy Rights Act (CPRA) ballot initiative with slightly under 60% of votes to approve the measure (as of publication). The ballot initiative, which was submitted by the architects of the California Consumer Privacy Act of 2018 (CCPA), had earlier garnered 900,000 signatures—far more than the roughly 625,000 necessary for certification on the 2020 ballot. The CPRA amends the CCPA, adds new consumer rights, clarifies definitions and creates comprehensive privacy and data security obligations for processing and protecting personal information. These material changes will require businesses to—again—reevaluate their privacy and data security programs to comply with the law. Effective date and timeline for enforcement The CPRA amendments become operative on January 1, 2023, and will apply to personal information collected by businesses on or after January 1, 2022 (except with respect to a consumer's...


New Proposed CCPA Regulations Add Clarity to Process for Opting Out of Sale of Personal Information

On October 12, 2020, the California Department of Justice announced the release of a new, third set of proposed modifications to the California Consumer Privacy Act (CCPA) regulations. The proposed modifications amend a final set of regulations that were approved by the California Office of Administrative Law just two months earlier. The Third Set of Proposed Modifications to the CCPA Regulations released on October 12 do not make substantial changes to the previously final set of CCPA regulations. The majority of the proposed modifications serve to clarify existing requirements rather than add new requirements or materially alter existing ones. As a result, the new proposed modifications should help businesses better understand what is expected to maintain compliance with certain aspects of the CCPA. Process for Opting Out of Sale of Personal Information The Department of Justice proposed to amend Sections 999.306(b)(3) and 999.315(h) to provide more detail...


Double Trouble for Data Transfers Post-Brexit and Post-Schrems II?

On 16 July 2020, Europe’s highest court, the CJEU, ruled in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems that individuals in Europe had insufficient redress against US bulk interception rules when their personal data was transferred to the United States under the US Department of Commerce “Privacy Shield” mechanism. This ruling followed a long-running campaign by the activist, Max Schrems, whose prior case to the CJEU invalidated the predecessor to the Privacy Shield, the Safe Harbor. It is a general tenet of European data protection law that, when personal data is exported from the European Union, any further processing must be to European standards unless the local data protection laws are considered “adequate” by the European Commission. Self-certification under the US Privacy Shield mechanism was a popular method for providing adequate data protection amongst US-based service providers which had European customers and...


Schrems II Special Report: What Does the CJEU’s Decision Mean for Transfers From the EEA to the US?

For our Schrems II Practical Guidance special report, members of McDermott’s internationally recognized Global Privacy & Cybersecurity group have outlined practical guidance and next steps to ensure your business is prepared for what’s next following the final ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems. As your organization navigates the post-Schrems II landscape following the CJEU’s recent decision, consider McDermott your first point of call. We have deep experience advising global clients on compliance with the complex array of privacy and cybersecurity obligations affecting data that crosses borders or relates to foreign employees and individuals. Practical Guidance for Businesses (US Edition) Practical Guidance for Businesses (Global – EEA/UK Edition)


Preparing Your Data for a Post-COVID-19 World

The US healthcare system’s data infrastructure needs an overhaul to prepare for future health crises, streamline patient care, improve data sharing and accessibility among patients, providers and government entities, and move toward the delivery of coordinated care. With insights from leaders from Arcadia, Validic and McDermott, we recently discussed key analyses and updates on the interoperability and application programming interfaces (API) criteria from the 21st Century Cures Act, stakeholder benefits of healthcare data exchange and data submission facilitation for public health purposes. Click here to listen to the webinar recording, and read on for highlights from the program. To learn more about the “Around the Corner” webinar series and attend an upcoming program, click here. PROGRAM INSIGHTS COVID-19 is reshaping healthcare through technology. Hospitals, clinicians and payors need to use digital health tools to address the challenges of the...


Future Forward: Data Arrangements During and After COVID-19

The need for speedy and more complete access to data is instrumental for healthcare providers, researchers, pharmaceutical, biotech and device companies and public health authorities as they work to quickly identify infection rates, disease trends, outcomes, including antibodies, and opportunities for treatments and vaccines for COVID-19. A variety of data sharing and collaborations have emerged in the wake of this crisis, such as: Requests and mandates by public health authorities, either directly or via providers’ business associates requesting real time information on infections and bed and equipment availability Data sharing collaborations among providers for planning, anticipating and tracking COVID-19 caseloads Data sharing among providers, professional societies and pharmaceutical, biotech and medical device companies in search of testing options, treatment and vaccine solutions, and evaluation of co-morbidities CLICK HERE TO VIEW THE FULL...


Consumer Demand in Digital Health Data and Innovation

Digital health companies are producing increasingly innovative products at a rapidly accelerating pace, fueled in large part by the expansive healthcare data ecosystem and the data strategies for harnessing the power of that ecosystem. The essential role data strategies play makes it imperative to address the data-related legal and regulatory considerations at the outset of the innovation initiative and throughout the development and deployment lifecycle so as to protect your investment in the short and long term. The Evolution of Digital Health Digital health today consists of four key components: electronic health records, data analytics, telehealth, and patient and consumer engagement tools. Electronic health records were most likely first, followed very closely by data analytics. Then telehealth deployment rapidly increased in response to both demand by patients and providers, the improved care delivery and access it offers, and more recently, the expanded...


California Bill Proposes CCPA Exceptions for HIPAA De-identified Information, Other Health Data

On January 6, 2020, the California State Senate’s Health Committee unanimously approved California AB 713, a bill that would amend the California Consumer Privacy Act (CCPA) to except from CCPA requirements additional categories of health information, including data de-identified in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), medical research data, personal information used for public health and safety activities, and patient information that is maintained by HIPAA business associates in the same manner as HIPAA protected health information (PHI). If enacted, the bill would simplify CCPA compliance strategies for many HIPAA-regulated entities, life sciences companies, research institutions and health data aggregators. Exemption for HIPAA Business Associates Presently, the CCPA does not regulate PHI that is collected by either a HIPAA covered entity or business associate. The CCPA also exempts covered entities to...


Health Care Data Compliance in China: 4 Key Questions and Compliance Steps for Multinationals

This post was guest authored by lawyers from MWE China Law Offices, McDermott Will & Emery's strategic alliance in Shanghai.  Data compliance in China’s health care industry is multifaceted and highly sensitive, and applies to numerous types of data generated across the continuum of care. Multiple pieces of legislation prescribe complex regulatory requirements governing different types of data, and various supervisory authorities frequently conduct inspections and investigations, paying special attention to health care multinationals with operations in China. This article explores four key questions on the regulatory requirements for health care data in China, along with key compliance steps for multinationals throughout the entire life cycle of health care data, including collection, storage, transfer and use. 1. What types of health care data are regulated in China? What are the key compliance points related to these types of health care data? Data...


2018 Digital Health Data Developments – Navigating Change in 2019

Data privacy and security legislation and enforcement saw significant activity in 2018 and early 2019. McDermott's 2018 Digital Health Year in Review: Focus on Data report – the first in a four-part series – highlights notable developments and guidance that health care providers, digital health companies and other health care industry stakeholders should navigate in 2019. Here, we summarize four key issues that stakeholders should watch in the coming year. For more in-depth discussion of these and other notable issues, access the full report. EU General Data Protection Regulation (GDPR) enhances protections for certain personal data on an international scale. US-based digital health providers and vendors that either (a) offer health care or other services or monitor the behavior of individuals residing in the EU, or (b) process personal data on behalf of entities conducting such activities should be mindful of the GDPR's potential applicability to their...
