Inside Privacy Audiocast: Episode 7 – Brexit and the Future of UK Data Privacy Law

Over the past 9 months, the UK has been hammering out the shape of its future trading relationship with the EU, as well as many others, and there apparently are signs of progress in the past few days as a result of intensified talks between the two sides. Some are reporting a deal will be reached soon, which would be significant, as the Brexit transition period will end on December 31, 2020, deal or no deal. Today’s episode features Dan Cooper and Joe Jones, Head of International Data Transfer Regime, Data Policy Directorate at the UK’s Department for Digital, Culture, Media & Sport.

Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.

French Court of Cassation Decides That an Employer Can Use a Facebook Post to Dismiss an Employee

On September 30, 2020, the French Court of Cassation (“Court”) ruled in favor of an employer that dismissed an employee because of the contents of a Facebook post (the decision is available here, in French).  In particular, the employee in this case posted a photograph of a new clothing collection of the employer on a personal Facebook account.  This post could be seen by the employee’s “friends”, including those who worked for competing firms.  As a result, a co-worker who was a “friend” of that employee sent the post to the employer.  Posting the photograph was in breach of the employee’s confidentiality obligations under the employment contract.  Thus, the employer asked a bailiff to access the employee’s Facebook account in order to obtain proof of the employee’s actions.  The employer subsequently dismissed the employee for gross misconduct.

According to the Court, the way in which the employer obtained a copy of the post was “not disloyal”, because a co-worker had sent it to the employer on a spontaneous basis.  However, by presenting the Court with a copy of the post and information about the employee’s “friends” without the employee’s consent, the Court found that the employer had invaded the employee’s privacy.

The Court nevertheless decided that an employer may use evidence collected in violation of an employee’s right to privacy to dismiss an employee because that evidence is “essential for the exercise of the right to evidence and is proportionate to the aim pursued – namely, the defense of the employer’s legitimate interest in the confidentiality of its business”.  Thus, an employer’s right to collect evidence for a “fair trial” (Article 6 of the Convention for the Protection of Human Rights and Fundamental Freedoms (“ECHR”)) may trump an employee’s right to privacy (Article 8 of the ECHR), provided the collection is – as the Court deemed in this case – necessary and proportionate.

French Supervisory Authority Releases Strict Guidance on the Use of Facial Recognition Technology at Airports

On October 9, 2020, the French Supervisory Authority (“CNIL”) issued guidance on the use of facial recognition technology for identity checks at airports (available here, in French).  The CNIL indicates that it has issued this guidance in response to a request from several operators and service providers of airports in France who are planning to deploy this technology on an experimental basis.  In this blog post, we summarize the main principles that the CNIL says airports should observe when deploying biometric technology.


Inside Privacy Audiocast: Episode 6 – View from Johannesburg Part II: Top Data Policy Trends to Look Out For in Africa

Recently, there has been a significant level of attention given to data protection and privacy matters on the Continent, and in just the past year, we have seen new laws proposed or enacted in places like Nigeria, Egypt, Kenya, and of course South Africa, although prior to that, places like Morocco, Ghana and Mali saw fit to regulate in this space, passing their own data protection laws. In 2014, the African Union adopted its convention on cybersecurity and data protection, which 14 countries have signed, and a number have ratified. As things currently stand, nearly half the countries making up the region have enacted comprehensive data privacy laws. The data protection landscape in Africa is a fascinating place, reflecting some interesting trends.

Today’s episode is Part II of our “View from Johannesburg” series and features Dan Cooper and Robert Kayihura. Click here to view Part I of our series and download our Key Takeaways from the episode.


California AG Settlement Suggests Privacy and Security Practices of Digital Health Apps May Provide Fertile Ground for Enforcement Activity

In a new post on the Covington Digital Health blog, our colleagues discuss California Attorney General Xavier Becerra’s recent settlement against Glow, Inc., resolving allegations that the fertility app had “expose[d] millions of women’s personal and medical information.” The post explains the allegations and settlement terms, as well as takeaways for providers of digital health apps. For instance, the settlement highlights the sensitivity of health data, even if that data is not protected under the federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

California Attorney General Releases New Proposed Modifications to California Consumer Privacy Act Regulations

On Monday, the California Attorney General (“AG”) proposed a third set of modifications to the recently enacted California Consumer Privacy Act (“CCPA”) regulations.  Interested parties have until October 28 to file comments in response.

These proposed modifications are the latest effort in an extensive rulemaking process that has lasted more than a year.  Most recently, on August 14, the California Office of Administrative Law (“OAL”) formally approved the AG’s initial set of CCPA regulations, which went into effect immediately.  In approving the regulations, the OAL deleted five provisions that had been included in the version the AG submitted in June, but indicated that the AG could revise and resubmit those subsections for approval in the future.  The latest modifications are largely focused on reviving several of these last-minute removals.

FCC Announces Section 230 Rulemaking

FCC Chairman Pai announced today that the FCC will move forward with a rulemaking to clarify the meaning of Section 230 of the Communications Decency Act (CDA).  To date, Section 230 generally has been interpreted to mean that social media companies, ISPs, and other “online intermediaries” have not been subject to liability for their users’ actions.

CISA and MS-ISAC Release Joint Guide on Ransomware

On September 30, 2020, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Multi-State Information Sharing and Analysis Center (“MS-ISAC”) released a joint guide synthesizing best practices to prevent and respond to ransomware.  This guide was published the day before OFAC and FinCEN released their coordinated guidance on ransomware attacks that we previously summarized here.

Ransomware is malware that encrypts data on a victim’s device, thus rendering the data inaccessible, until a ransom is paid in exchange for decryption.  Both the nature and scope of ransomware incidents have become “more destructive and impactful” in recent years.  In particular, tactics of malicious actors include threatening to release stolen data or publicly naming victims as part of the extortion.  Accordingly, the guide encourages organizations to take proactive efforts to manage risks posed by ransomware and recommends a coordinated response to mitigate its impact.

DOJ Proposes Legislation to Limit Section 230 Immunity

The Department of Justice has released a draft bill to amend Section 230 of the Communications Decency Act of 1996, joining the chorus of voices seeking to limit the statute’s liability protections (covered here, here, here, and here).  The DOJ’s draft bill incorporates recommendations from its June 2020 report analyzing Section 230, as well as President Trump’s Executive Order on Preventing Online Censorship.  According to Attorney General William Barr, DOJ’s proposal “recalibrates Section 230 immunity,” aiming to “incentivize online platforms to better address criminal content on their services and to be more transparent and accountable when removing lawful speech.”

Inside Privacy Audiocast: Episode 5 – View From Johannesburg Part I: GDPR vs. POPIA – What Should Businesses Be Considering?

On June 22, 2020, the South African President announced that certain provisions of POPIA would take effect on July 1, provisions which most regard as essential to the statute, such as those imposing conditions on the lawful processing of personal information, procedures for handling complaints, and general enforcement provisions. Only days later, the South African Information Regulator issued his own statement welcoming the coming into force of these crucial provisions, including those giving the regulator the power to impose administrative fines of up to 10 million ZAR (or over 500,000 Euros). Although there will be a 12-month grace period, organizations subject to the law are acting now.

Today’s episode is Part I of our “View from Johannesburg” series, and features Dan Cooper, Shivani Naidoo and Ahmed Mokdad.

View our Key Takeaways from the episode.
