The EU-US Privacy Shield review joint statement is now public

The European Commission has published the new “Joint Press Statement from US Secretary of Commerce Ross and Commissioner Jourová on the EU-US Privacy Shield Review”. The document is the result of the first annual review of the EU-US Privacy Shield Framework and represents a landmark for future cooperation on data protection between the US and the EU. The Framework aims to ensure that companies and national public authorities guarantee an adequate level of protection to EU citizens. During the review, the administration and enforcement components of the Privacy Shield were analysed from both the commercial and the national-security points of view, taking full account of US legal developments. The parties discussed the future implementation of the Privacy Shield, with particular attention to the importance of regular communication between the respective authorities. The number of participating organisations has now grown to over 2,400 companies.

The EU Commission Statement is available here

Delaware amends its Data Breach Notification Law

Delaware has amended its Data Breach Notification Law, setting a 60-day deadline for notifying a breach and obliging firms to notify the Attorney General if the breach affects more than 500 Delaware residents. Notification is mandatory unless an investigation shows that the breach has not caused harm to the affected individuals.

Find the text of the amended law here

U.K. ICO Elizabeth Denham comments on the GDPR

Through a series of blog posts, the U.K. Information Commissioner Elizabeth Denham has commented on some aspects of the EU General Data Protection Regulation (GDPR). On data subjects’ consent, the ICO clarifies that it is just one of several ways for a company to process data lawfully. “The rules around consent only apply if you are relying on consent as your basis to process personal data,” Denham said, explaining that there are five other lawful bases for processing data which, in some cases, could offer better solutions than consent.

ICO Elizabeth Denham’s comments are available here

US NIST revises its Special Publication 800-53

The National Institute of Standards and Technology (NIST) has published the fifth revision of SP 800-53. The document was drafted by a task force of representatives from the civil, defense and intelligence communities to create a common information security framework for the federal government. This latest draft goes beyond previous versions of the document by addressing all kinds of organizations whose systems store security- and privacy-related information.

The NIST draft is available here

Uber implements a privacy program to settle an FTC complaint

Uber Technologies has agreed to implement a privacy program and to permit regular, independent audits in order to settle Federal Trade Commission (FTC) charges that it failed to protect its consumers’ personal data. The FTC alleged that Uber rarely monitored internal access to the personal information of users and drivers, gave false assurances about the security of its database, and did not take reasonable, low-cost measures to prevent possible data breaches. For these reasons, the FTC settlement agreement further prohibits Uber from “misrepresenting how it monitors internal access to consumers personal information and misrepresenting how it protects and secures that data”.

The related press release is available on the FTC website here