An Illinois state appellate court recently issued a ruling that could reduce defendants’ litigation exposure on certain types of Biometric Information Privacy Act (“BIPA”) claims.  On September 17, the panel clarified in Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (1st Dist. Sept. 17, 2021), that the statutes of limitation applicable to BIPA claims vary depending on the nature of the claim.  Claims for failing to provide a written retention policy, give notice, or obtain consent prior to collecting an individual’s biometric information may be brought within five years.  But claims for violating BIPA’s selling, disclosing, or disseminating information provisions must be brought within one year.

Continue Reading Illinois Court Splits Time on BIPA Statute of Limitations

As COVID-19 vaccination becomes required in more personal and professional contexts, several different frameworks have emerged that propose both guiding principles and technical requirements for vaccine verification systems, including those developed by the World Health Organization (WHO) and the Good Health Pass Collaborative (GHPC). Continue Reading COVID-19 Vaccine Verification Frameworks: Emerging Standards Seek to Balance Privacy Concerns With Public Health Benefits

On September 15, the Federal Trade Commission (“FTC”) adopted, on a 3-2 party-line vote, a policy statement that takes a broad view of which health apps and connected devices are subject to the FTC’s Health Breach Notification Rule (the “Rule”) and what triggers the Rule’s notification requirement.

The Rule was promulgated in 2009 under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.  Under the Rule, vendors of personal health records that are not otherwise regulated under the Health Insurance Portability and Accountability Act (“HIPAA”) are required to notify individuals, the FTC, and, in some cases, the media following a breach involving unsecured identifiable health information.  Third-party service providers also are required to notify covered vendors of any breach. Continue Reading FTC Adopts Policy Statement on Privacy Breaches by Health Apps and Connected Devices

On Thursday, September 2, 2021, the Irish Data Protection Commission (“DPC”) published its decision in the long-awaited inquiry it initiated into the data processing of WhatsApp Ireland Limited (“WhatsApp”) in December 2018.  It finds against WhatsApp, imposing a fine of €225 million.

Continue Reading Irish DPC Finds Against WhatsApp

The California Privacy Protection Agency (CPPA), which is responsible for issuing regulations implementing the California Privacy Rights Act (CPRA), has posted its approved discussion draft for seeking public comments in preparation for its CPRA rulemaking activities.  The CPPA indicated that it is particularly interested in receiving comments on the following eight topics: Continue Reading California Privacy Protection Agency Seeks Comments on Preliminary CPRA Issues

There have been many headlines today about the UK Government’s plans to reform UK data protection law. We are still reviewing the (near 150-page) consultation document, but set out below a dozen proposals that we thought might pique the interest of readers of our blog. Continue Reading 12 Eye-Catching Proposals In The UK Government’s Plan To Reform UK Data Protection Law

On 2 September 2021, the transition year for the Children’s code (or Age Appropriate Design Code) published by the UK Information Commissioner (“ICO”) ended. The ICO’s Children’s code was first published in September 2020, with a 12-month transition period. In an accompanying blog, the ICO has stated that it will be “proactive in requiring social media platforms, video and music streaming sites and the gaming industry to tell [the ICO] how their services are designed in line with the code.”

Over the summer, the ICO has also approved two certification schemes under the UK GDPR. The certification schemes provide organizations with a mechanism to demonstrate their high level of commitment to data protection compliance.

Continue Reading UK ICO’s Children’s Code Transition Year Ends and ICO Approves Related Certification Schemes

On 26 August 2021, the UK Government unveiled a package of announcements which effectively set out its post-Brexit data strategy.

This blog looks at the politics around the costs and benefits of a Brexit divergence dividend in this sector, which the UK Government views as a key area of competitive advantage. Continue Reading Data Divergence: A Brexit Dividend?

On August 27, 2021, the Swiss Federal Data Protection Authority announced that it recognizes the EU recently approved standard contractual clauses as a transfer mechanism to transfer Swiss personal data to non-adequate countries (see here and here).  However, the standard contractual clauses will need to be adjusted to meet the requirements of the Swiss Ordinance to the Federal Act on Data Protection (“FADP”).

Continue Reading Swiss Federal Data Protection Authority Recognizes the New EU Standard Contractual Clauses as a Lawful Mechanism to Transfer Personal Data Outside of Switzerland