The Federal Communications Commission (“FCC”) recently issued a proposed set of privacy regulations that, if passed, will have broad implications for broadband providers, as well as for the companies that collect or receive information from them. We recently authored an article in Law360 that outlines the key elements of the FCC’s Notice of Proposed Rulemaking (“NPRM”), includes some of the questions that the FCC is seeking comment on regarding the proposed regulations, and identifies how the regulations may impact business models and practices for companies that are not Internet Service Providers.
On December 27, 2015, the Standing Committee of the National People’s Congress, China’s national legislative body, passed the Counter-Terrorism Law of China, which entered into force on January 1, 2016. Although the law’s precise breadth and scope are yet to be determined, the law has important implications for companies deploying encryption technology as part of their cybersecurity programs.
As an initial matter, the Counter-Terrorism Law applies to telecommunications operators and internet service providers in China, but may very well be construed much more broadly. Specifically, the concept of an internet service provider is not clearly defined under Chinese law, and could refer to any business that provides services via the internet in China. This would sweep in the majority of global, including U.S.-based, technology companies with equipment, offices, employees and/or customers present in the Chinese marketplace.
On December 7, 2015, more than two and a half years after the first draft, the European Union Council finally reached an important informal agreement with the Parliament on network and information security rules (“NIS-Directive”) affecting companies across the EU. The agreement is the culmination of the European Commission’s Cybersecurity strategy effort, which began in February 2013 with the European Commission’s proposed draft directive on measures to ensure a common level of network and information security. Final adoption of the NIS-Directive will have several important consequences, including increased focus by Boards of Directors on cybersecurity risk and the need for companies to increase their investment in information security, to prepare and implement cybersecurity incident response plans, and to conduct comprehensive internal investigations into the circumstances of a cybersecurity event in order to comply with forthcoming reporting obligations.