Enter to open, tab to navigate, enter to select
Privacy and Data Security: 2015 Highlights
Practical Law Legal Update w-001-4976 (Approx. 5 pages)
Privacy and Data Security: 2015 Highlights
by Practical Law Intellectual Property & Technology
| Published on 08 Mar 2016 • USA (National/Federal) |
A Legal Update discussing key privacy and data security developments in 2015. This Update includes a discussion of regulatory developments from the FTC and other federal agencies, state and federal legislative activities, and actions by international authorities.
Privacy and data security remained central issues in 2015 and show no signs of slowing down. Key developments affecting virtually every industry occurred at federal, state, and international levels. Notorious data breaches involving healthcare insurers, government agencies, and others overshadowed the large-scale retail events that commanded 2014 headlines.
Federal Regulatory Highlights
The FTC remained the principal federal privacy and data security regulator. Two challenges to the FTC's data security authority came to a head in 2015 with mixed results (see Legal Updates, FTC and Wyndham Hotels Reach Agreement to Settle Data Breach Charges and ALJ Dismisses FTC Complaint Against LabMD).
The FTC also issued a notable report on privacy and security in the emerging realm of internet-connected devices (see Legal Update, FTC Releases Internet of Things Report).
Other federal regulatory highlights included updated guidance and enforcement actions by:
- The Department of Health and Human Services (HHS).
- The Federal Communications Commission (FCC).
- The Securities and Exchange Commission (SEC).
Last Minute Congressional Action
As in years past, Congress considered many privacy and data security bills in 2015. However, Congress passed only the Cybersecurity Act of 2015 in December's omnibus spending bill (H.R. 2029, Div. N). The Act encourages cyber threat information sharing to help minimize risk.
State Highlights
Without comprehensive Congressional action, states continued to take the lead on privacy and data security regulation. Highlights included:
- State attorneys general took various actions against app developers, telecommunications providers, e-commerce retailers, and others for misleading consumers and failing to protect personal information.
- At least ten states amended their data breach notification laws.
- State legislatures passed a flurry of new student privacy laws.
- California, Delaware, and New Jersey each enacted new privacy measures.
- The National Association of Insurance Commissioners released principles to guide cybersecurity regulations in the insurance sector.
International Developments
Regulators outside the US continue to shape the privacy practices of online companies with international reach. Key 2015 developments included:
- The European Court of Justice invalidated the US-EU Safe Harbor Framework used by thousands of US companies to support cross-border data transfers (see Legal Update, So Long, Safe Harbor (For Now, Anyway)). Recently, US and EU officials announced the new EU-US Privacy Shield (see Legal Update, European Commission publishes draft "adequacy decision" and texts for EU-US Privacy Shield and Communication on restoring trust in EU-US data transfers).
- Several high-profile multinational US companies faced regulatory inquiries in Europe and Australia.
- Canada amended its Personal Information Protection and Electronic Documents Act. Authorities also took their first enforcement actions under Canada's Anti-Spam Legislation (see Article, CASL One Year Later: What US Companies Need to Know about Enforcement under Canada's Anti-Spam Law).
For a complete discussion of these and other key 2015 developments, and the privacy and data security issues that are likely to receive more attention in 2016, see Article, Trends in Privacy and Data Security: 2015.