Inside Privacy Audiocast: Episode 11 – Latest Developments on the EU’s ePrivacy Regulation

The EU’s ePrivacy Regulation, like the EU GDPR, has been highly anticipated since it was first proposed in 2017. What are the current developments and next steps in the process to enactment? What are some of the complicating factors of the proposed Regulation? Are there major differences between the initial proposal and where the text is now? Who will be impacted when the Regulation is enacted, and what about the implications of Brexit?

These, and other questions, are answered by Dan Cooper and Kristof Van Quathem in Episode 11 of Covington’s Inside Privacy Audiocast.

Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.

SAFE TECH Act Would Limit Scope and Redesign Framework of Section 230 Immunity

A number of legislative proposals to amend Section 230 of the 1996 Communications Decency Act (“Section 230”) have already been introduced in the new Congress.  Section 230 provides immunity to an owner or user of an “interactive computer service” — generally understood to encompass internet platforms and websites — from liability for content posted by a third party.

On February 8, 2021, Senator Mark Warner (D-VA) introduced the Safeguarding Against Fraud, Exploitation, Threats, Extremism, and Consumer Harms Act (“SAFE TECH Act”), cosponsored by Senators Amy Klobuchar (D-MN) and Mazie Hirono (D-HI). The bill would narrow the scope of immunity that has been applied to online platforms. Specifically, the SAFE TECH Act would amend Section 230 in the following ways:

German Supervisory Authorities Plan to Circulate Questionnaires on Personal Data Transfers in Wake of Schrems II Decision

On February 3, 2021, the Conference of the Supervisory Authorities (“SAs”) of Germany (known as the Datenschutzkonferenz or “DSK”) published minutes from its meetings held in November 2020 (available here, in German).  The minutes include discussions about how the German SAs plan to enforce the recent Schrems II ruling of the Court of Justice of the European Union (“CJEU”).  Notably, the Berlin SA (coordinator of the DSK’s Schrems II task force) sought consensus to ensure a joint enforcement approach.


Abu Dhabi Global Market Issues New Data Protection Regulations

On February 14, 2021, the Abu Dhabi Global Market (“ADGM”), one of two significant financial services free zones in the United Arab Emirates, enacted its new Data Protection Regulations 2021 (the “Regulations”).  The Regulations will come into force and replace the current Data Protection Regulations 2015 following a transition period of 12 months for current establishments (i.e., those established in ADGM prior to February 14, 2021) and 6 months for new establishments (i.e., those established in ADGM on or following February 14, 2021).

Similar to recently introduced data protection laws in other jurisdictions, such as Brazil and the Dubai International Financial Centre, the Regulations are modeled after the European Union’s General Data Protection Regulation, which ADGM deemed to be “the leading international standard and best practice for robust Data Protection legislation” following its international benchmark of standards and best practices.

The Regulations also introduce an independent Office of Data Protection serving functions similar to the European Data Protection Board.  The Office will be headed by a Commissioner of Data Protection appointed by ADGM, and its responsibilities will include promoting data protection within ADGM, maintaining a register of data controllers, enforcing obligations upon data controllers, and upholding the rights of individuals.

We will continue to monitor the implementation of the Regulations.  Feel free to reach out to a member of our team if you have any questions.

European Data Protection Board Answers Commission’s Questions on Health Research

On February 2, 2021, the European Data Protection Board (“Board”) responded to questions submitted by the European Commission (“Commission”) on the application of the General Data Protection Regulation (“GDPR”) to health research.  The Board also announced that it is currently working on guidelines on the processing of personal data for scientific research purposes, which it aims to publish in the course of 2021.


European Commission Launches Consultation on Initiative to Fight Child Sexual Abuse

On February 11, 2021, the European Commission launched a public consultation on its initiative to fight child sexual abuse online (the “Initiative”), which aims to impose obligations on online service providers to detect child sexual abuse online and to report it to public authorities. The consultation is part of the data collection activities announced in the Initiative’s inception impact assessment issued in December last year. The consultation runs until April 15, 2021, and the Commission intends to propose the necessary legislation by the end of the second quarter of 2021.


Employee Confidentiality and Data Theft: Recent UK Developments

In this blog post, we look at a recent decision by the UK Court of Appeal and a separate prosecution brought by the Information Commissioner’s Office (“ICO”; the UK data protection authority), which together serve as a cautionary tale for employees and prospective future employers of the risks of civil liability and criminal conviction for confidential information and data theft.

Clear contractual terms and policies, supplemented by training, remain critical tools for employers seeking to deter employees from misappropriating corporate information.  Employers may wish to make use of these examples to underscore the importance of compliance.


Belgian Supervisory Authority Publishes Guidance on the Secure Destruction of Personal Data

In January 2021, the Belgian Supervisory Authority issued detailed guidance (available in Dutch and French) on how to securely destroy personal data in accordance with the General Data Protection Regulation (“GDPR”).  Among other things, the guidance aims to help controllers and processors comply with their obligations under Article 32 of the GDPR.


Court Dismisses CCPA Claim Against Google

Last week, a federal district court in San Francisco dismissed a claim under the California Consumer Privacy Act (“CCPA”).  The plaintiff alleged that Google had collected personal information without complying with the CCPA’s notice and consent requirements.  The court held that the CCPA’s private right of action does not extend to these provisions of the law.  It appears that this is the first time a court expressly reached this conclusion.  The case is McCoy v. Alphabet, No. 20‑cv‑05427 (N.D. Cal. Feb. 2, 2021).

For context, the plaintiff alleged that Google used an internal program called “Android Lockbox” on its Android operating system to monitor and collect data from Android users as they used non-Google apps on their phones. The alleged data collection included when and how often these third-party apps were used and the amount of time users spent on the third-party apps. Based on these allegations, the plaintiff asserted eleven different claims. Among these was a claim that Google violated the CCPA by failing to comply with the law’s requirements related to notice and consent.

FTC Reaches Settlement with Digital Health App, Requires First Notice of Privacy Action

In a new post on the Covington Digital Health blog, our colleagues discuss a recent settlement between the Federal Trade Commission (“FTC”) and Flo Health, Inc. (“Flo”), the developer of a popular menstrual cycle and fertility-tracking application.  The settlement resolves allegations that Flo shared app users’ health information with outside third parties after promising that such information would be kept private.  The proposed settlement requires Flo, among other things, to obtain review by an “independent third-party professional” of its privacy practices, obtain users’ consent before sharing their health information, alert users whose data was disclosed, and require third parties that previously received that data to destroy it.  This settlement marks the first instance in which the FTC has required a company to provide users with a notice of the privacy action brought by the FTC.  Specifically, in its proposed settlement, the FTC requires Flo to “clearly and conspicuously” share with users a pre-written notice that explains what information Flo disclosed to third parties and describes the settlement with the FTC.  According to the FTC’s announcement, the agency is “looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”
