On November 8, 2021, New York Governor Kathy Hochul signed a new electronic monitoring law (S2628) requiring New York businesses that monitor or intercept employees’ e-mails, telephone calls, or internet usage to notify employees in writing of these practices.  The new law amends the state’s civil rights law and takes effect on May 7, 2022. Continue Reading New York Requires Businesses To Notify Employees of Electronic Monitoring

On November 26, 2021, the Court of Justice of the EU (“CJEU”) held in Case C-102/20 that the display of advertising messages in an electronic inbox in a form similar to that of an actual email constitutes direct marketing, and therefore is subject to EU Member States’ rules on direct marketing (see press release here).  In this case, the advertisement in question was shown in the inbox list of a user’s private emails, resembling the appearance of an email, although it was labelled “advertisement”.

The CJEU emphasized in its decision that this form of advertisement is distinguishable from advertising banners or pop-up windows that appear at the outer edge of private messages or separately from them.  According to the CJEU, the advertisement here was subject to direct marketing rules because it resembled an electronic communication (i.e., an email).

Notably, the advertisement in this case was shown only to users who had opted for a “free” version of the email service – paying subscribers did not receive this same advertisement.  Unfortunately, the CJEU declined to clarify whether consent for direct marketing could be tied with the provision of an email service, a common practice in some industry sectors, such as online media and news websites (a position which was supported in a decision of the Austrian Data Protection Authority in 2018, as discussed in our prior blog post here).  The CJEU remanded the case to the German court that originally referred it to the CJEU, to decide whether the consent obtained in this scenario meets the standard of the GDPR.

On November 25, 2021, the Council of the European Union reached an agreement on the draft Digital Services Act (“DSA”) (see here and here) and the Digital Markets Act (“DMA”) (see here) bringing them one step closer to adoption.  The European Parliament will discuss the drafts on December 9 and plans to announce its first reading position in early 2022, after which the Council and the Parliament will enter into negotiations with the goal of reaching an agreement on a final text for both acts.

The acts lay down rules for intermediary service providers (e.g., Internet access providers, cloud providers, search engines, social networks, and online marketplaces) covering areas such as:

  • liability of mere conduit, caching and hosting services;
  • content moderation;
  • transparency of services and electronic communications;
  • transparency of online advertising;
  • openness and interoperability of the services to businesses and consumers; and
  • fair competition between service providers.

If you like to receive an overview of the  draft DSA and DMA, as well as a short explanation of the sanctions regime in the event of a breach, please let us know.

Significantly, on November 18, the European Data Protection Board issued a related statement (see here).  In that statement, the Board identified three main lingering concerns with respect to the DSA: (1) lack of protection of individuals’ fundamental rights and freedoms; (2) fragmented supervision by competent regulatory authorities; and (3) the risk of inconsistencies between the DSA and EU data protection law.  The Council’s reactions to these recommendations have yet to be published.

We will continue to monitor and report on the legislative process of the DSA and DMA.

On November 18, 2021, the Advocate General of the Court of Justice of the European Union (“CJEU”) issued an opinion on several data retention cases before by the Court, following a long line of CJEU jurisprudence on this topic.

To give context to the issues considered in these cases, Europe’s experience of totalitarian regimes in the last century has shaped its approach to privacy rights.  This is evident in the GDPR and in the decisions of the CJEU to date.  But there remain tensions that are complex and difficult to deal with in this area — notably, the tension between individual rights to privacy and data protection on one hand, and the duty of the State to protect its population against security threats and crime on the other.  These tensions do not marry easily, as surveillance of personal electronic communications is increasingly demanded to detect and deal with crime and terrorism.

Continue Reading Advocate General Releases Opinion in CJEU Referrals on Data Retention

On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (available here).  The draft guidelines are currently subject to a public consultation period that ends on January 31, 2022; interested stakeholders can submit their feedback here.

In this blog post, we provide a brief background on the issues addressed in the draft guidelines, and summarize the key takeaways.

Continue Reading EDPB Publishes Draft Guidelines on Interplay of Article 3 GDPR and the GDPR’s Cross-Border Transfer Rules

The Virginia Consumer Data Protection Act (“VCDPA”) Work Group has issued its 2021 Final Report. The final report, which is based on the six Work Group meetings between June and October 2021, summarizes information presented at the meetings on topics such as enforcement, definitions and rulemaking authority, as well as consumer rights and education.  We summarize some of the comments below. Continue Reading Virginia Consumer Data Protection Act Work Group Issues Final Report

On November 1, 2021, the Supreme Court denied a petition for a writ of certiorari in American Civil Liberties Union v. United States. In its petition, the American Civil Liberties Union (ACLU) sought the Supreme Court’s review of the Foreign Intelligence Surveillance Court (FISC) and the Foreign Intelligence Surveillance Court of Review’s (FISCR) decisions declining to release court records to the ACLU. Continue Reading The Supreme Court Denies Certiorari in American Civil Liberties Union v. United States

According to a leaked draft, on November 4, 2021, the Council of the European Union (“Council”) and the European Parliament (“Parliament”) agreed a number of amendments to the following three chapters of the draft ePrivacy Regulation, which will replace the ePrivacy Directive 2002/58/EC and has been pending since January 2017):

  • Chapter III (End-Users’ Rights to Control Electronic Communications) – this chapter is expected to regulate: (i) the presentation of calling and connected line identification (g., whether the device’s screen identifies the number of the incoming call); (ii) the blocking of unwanted malicious or nuisance calls; (iii) the inclusion of information, including personal data, in publicly available directories; and (iv) unsolicited direct marketing communications (e.g., spam email and SMS texts).
  • Chapter V (Remedies, Liability and Penalties) – this chapter is expected to regulate: (i) remedies; (ii) right to compensation and liability; (iii) general conditions for imposing administrative fines; and (iv) penalties.
  • Chapter VI (Final Provisions) – this chapter is expected to regulate the entry into force of the draft Regulation and the subsequent monitoring of its implementation by the European Commission.

However, the Council and Parliament still disagree on a number of significant issues.  For example, the Council and Parliament have not yet agreed on a definition of “unwanted calls”.  They also disagree on the scope of the prohibition for sending direct marketing communications without the recipient’s consent:  the Council intends to apply this prohibition only to communications sent to “natural persons”, while Parliamentarians want the prohibition to apply to sending communications to legal persons (e.g., companies) as well.  The Parliament also seeks to extend the traditional definition of direct marketing (which includes automated calling machines, telefaxes, and e-mails, including SMS messages) to various other types of advertisements, such as “pop-up windows or email-like advertisements” (e.g., push notifications), something not currently endorsed by the Council.

The Council and Parliament plan to hold a second trilogue on November 18, 2021 with the aim of closing the above three chapters, to the extent possible, and moving on to the other chapters of the draft ePrivacy Regulation.  We will continue to monitor and report on the developments in future blog posts on Inside Privacy.

On August 27, 2021, Illinois Governor J.B. Pritzker signed into law the Protecting Household Privacy Act (“PHPA”).  The law governs how, and under what conditions, Illinois law enforcement agencies may acquire and use data from household electronic devices, commonly referred to as “smart devices” or the “internet of things.”  The PHPA will go into effect on January 1, 2022.

The PHPA applies to “household electronic data,” which the statute defines as any information or input provided by a person to any device “primarily intended for use within a household that is capable of facilitating any electronic communication,” excluding personal computing devices (such as personal computers, cell phones, smartphones, or tablets) and digital gateway devices (such as modems, routers, wireless access points, or cable set-top boxes serviced by a cable provider).  Section 5.  The law imposes several limits on Illinois law enforcement’s acquisition and use of household electronic data:

  1. Warrant Requirement: The law generally prohibits law enforcement agencies from obtaining household electronic data “or direct[ing] the acquisition of household electronic data from a private third party.”  Section 10.  This prohibition is subject to a set of exceptions, permitting such acquisition if (i) “a law enforcement agency first obtains a warrant;” (ii) the data is needed to “respond to a call for emergency services concerning the user or possessor of a household electronic device;” (iii) there is “an emergency situation;” or (iv) the data is acquired “with [the] lawful consent of the owner of the household electronic device or person in actual or constructive possession of the household electronic device.”  Section 15.  Notably, the PHPA itself does not impose any obligations on providers, as it states that the Act “shall not be construed to require a person or entity to provide household electronic data to a law enforcement agency.”  Section 35.  At the same time, compliance would be compulsory to the extent the provider is served with a warrant in accordance with the statute.
  2. Confidentiality Requirement: The law also requires that any entity disclosing household electronic data “take reasonable measures to ensure the confidentiality, integrity, and security of any household electronic data during transmission to any law enforcement agency, and to limit any production of household electronic data to information responsive to the law enforcement agency request.”  Section 40.
  3. Limited Data Retention: Finally, the PHPA limits how long law enforcement can retain household electronic data without filing criminal charges if the data was obtained pursuant to a warrant or in an emergency situation.  Section 20.  The Act requires that such data be destroyed within 60 days unless (1) “there is reasonable suspicion that the information contains evidence of criminal activity;” or (2) “the information is relevant to an ongoing investigation.”

On Episode 16 of Covington’s Inside Privacy Audiocast, Dan CooperYan Luo and Zhijing Yu discuss the implications of China’s Personal Information Protection Law (PIPL) for companies with data or doing business in China. The law, which entered into force on November 1, is the first comprehensive personal information protection law in China and bears a resemblance to the EU’s GDPR.


Previous episodes discussing privacy developments in China:


Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.