Privacy Shield, Data Breach Laws, New Regs Old Cases

TLP White

We take one more trip to Europe – this time to look at Privacy Shield – as well as revisiting data breach laws, new regs, and old court cases. Welcome back to NH-ISAC’s Hacking Healthcare:


Hot Links –

  1. Privacy Shield: Following our review of the European GDPR, let’s shift our focus to the EU-US Privacy Shield framework. Privacy Shield came into effect in 2016[1] to enable transatlantic commerce that is compliant with the laws of each jurisdiction. It replaced the previous Safe Harbor agreement, which the European Court of Justice invalidated in 2015.

Privacy Shield creates a standard set of principles that govern the transfer of protected data of EU citizens to the United States (e.g., for purposes of storing or processing). A company can self-certify compliance with the Privacy Shield framework by registering with the U.S. Department of Commerce.[2]

The framework[3] is built around the same concepts of privacy and data protection that underpin GDPR and previous European data regulations. There are requirements for disclosure of data collection and use to the relevant individuals, limiting the use of data to appropriate purposes, the use of necessary security controls, and oversight of any use of the data by third parties. The framework also requires companies that self-certify to provide recourse for citizens to register complaints.

The EU has indicated that the Privacy Shield framework will be subject to an annual review, so as the GDPR is implemented over the coming years we will need to keep an eye on corresponding modifications to Privacy Shield.

  2. Data Breach: There is a good piece in Lawfare[4] this week that is relevant to our recent discussion of data breach laws in Europe, Australia, and the U.S. Susan Landau looks at how the theft of personal information – including personal health information – can pose a national security risk. She goes on to suggest that Congress should address this shortcoming with a national data breach requirement.

  3. Update to ‘Common Rule’: “With the exception of certain burden-reducing provisions of the 2018 Requirements,” the interim final rule updating ‘Common Rule’ requirements will now come into effect in July. This update includes new exemptions for research activities, which is what prompted the delay so that detailed implementation guidance could be developed. Find the register notice here:

  4. The Court takes a Pass: The Supreme Court ruled against CareFirst this past week in a case we have been watching for quite some time. If you remember, CareFirst’s complaint to the Supreme Court was over the interpretation of “harm” in the context of the data breach victims. The case will now be heard in the DC Court of Appeals, which took a broader view of whether the victims had suffered any “harm” when it agreed to hear the case.[5]


In other court news, U.S. v. Microsoft will be heard today.[6]
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of NH-ISAC.