October 2015

A new post on Covington’s Inside Medical Devices blog discusses a new portal recently launched by HHS seeking questions from mobile health application developers.  The platform allows individuals to both submit and review questions on the HIPAA implications of these mobile health applications.  To read the post, click here.
Continue Reading HHS Launches Portal Seeking Questions from Mobile Health Application Developers

On October 12, 2015, the European Parliament’s Civil Liberties, Justice and Home Affairs (“LIBE”) Committee held a debate to discuss the aftermath of the ruling of the Court of Justice of the European Union (“CJEU”) in Case C-362/14 Maximillian Schrems v Data Protection Commissioner (see summary of the ruling here and summary of the Advocate-General’s Opinion here).  The debate was chaired by the LIBE Committee Chair, Claude Moraes, and started with a presentation from the European Parliament’s Legal Service.  The Legal Service provided a summary of the CJEU’s decision, and set out the following points:

  • The ruling confirms the importance of the EU Charter of Fundamental Rights in protecting EU citizens, and the fact that all EU laws must comply with the Charter.  In this case, the Charter rights invoked included the right of all EU citizens to privacy and the right to an effective judicial remedy.  It can be concluded from the CJEU’s ruling that the Data Protection Directive 95/46/EC does comply with the Charter.
  • Both the Charter of Fundamental Rights and the Data Protection Directive 95/46/EC provide a high level of protection to EU citizens’ personal data, whether the data are situated inside or outside the EU.  This means that a third country can only be considered to provide “adequate” protection to EU citizens’ personal data when that country itself has strong data protection laws.  The protection provided in a third country need not be identical, but must provide an “essentially equivalent” protection to that guaranteed under EU law.
  • Legislation, whether in the EU or the U.S., cannot legitimately authorize mass or generalized surveillance of EU citizens’ data.
  • The power of local data protection authorities (“DPAs”) to investigate data protection breaches cannot be restricted by the Commission.

Continue Reading Debate in the European Parliament’s LIBE Committee on the Schrems ruling

As businesses increasingly work with various types of third parties that process sensitive information and, in some cases, access a company’s networks, there is an inherent risk:  these third parties create new avenues of attack against a company’s data, systems, and networks.   Covington attorneys David Fagan, Nigel Howard, Kurt Wimmer,
Continue Reading Covington Attorneys Author Chapter on the Challenges of Managing Third-Party Outsourcing Risks

By Brandon Johnson

On October 6, 2015, California Governor Jerry Brown signed into law a trio of bills that is intended to clarify key elements of the state’s data-breach notification statute and provide guidance to persons, businesses, and state and local agencies that deal with electronically stored personal information.  The
Continue Reading Three-Bill Package Makes Revisions to California’s Data-Breach Notification Statute

By Brandon Johnson

On October 6, 2015, California Governor Jerry Brown signed into law Assembly Bill 1116 (A.B. 1116), which regulates the manner in which smart TVs must notify users of voice-recognition technology and may use recorded voice commands.  The bill, which was passed unanimously by both houses of the
Continue Reading New California Law Regulates Voice Recognition Technology in Smart TVs

Today, the Court of Justice of the European Union (the “CJEU”) invalidated the European Commission’s Decision on the EU-U.S. Safe Harbor arrangement (Commission Decision 2000/520 – see here). The Court responded to pre-judicial questions put forward by the Irish High Court in the so-called Schrems case. More specifically, the High Court had enquired, in particular, about the powers of European data protection authorities (“DPAs”) to suspend transfers of personal data that take place under the existing Safe Harbor arrangement. The CJEU ruled both on the DPAs’ powers and the validity of the Safe Harbor, finding that national data protection authorities do have the power to investigate in these circumstances, and further, that the Commission decision finding Safe Harbor adequate is invalid.

This judgment affects all companies that rely on Safe Harbor. They now need to consider alternative data transfer mechanisms.
Continue Reading EU’s Highest Court Invalidates Safe Harbor with Immediate Effect

By Ethan Forrest

For the first time, California Attorney General Kamala Harris has announced a privacy breach settlement that requires the defendant company to create a “chief privacy officer” position to oversee compliance with privacy laws.

The company in question is Houzz Inc., a popular online platform for home design
Continue Reading Company Agrees to Establish Chief Privacy Officer to Settle Cal. AG’s Call-Recording Allegations

The UK Information Commissioner’s Office (“ICO”) has issued its largest fine to date in connection with using an automated calling system to make direct marketing calls.  The ICO found that Home Energy & Lifestyle Management Ltd (“HELM”), a green energy company that made millions of automated marketing calls in relation to “free” solar panels, recklessly contravened UK regulations, and fined the company £200,000.
Continue Reading UK ICO Issues Largest Ever Fine In Connection With Automated Marketing Calls

A European Parliament policy department has released a report, entitled Big Data and Smart Devices and Their Impact on Privacy, that criticizes the lack of focus on privacy and data protection in the European Commission’s “Digital Single Market” policy agenda, noting a “conflicting” intersection between the Commission’s Digital Single Market objectives and the EU’s efforts, now in their hopefully final stages, to reform the EU’s general legislation around the protection of personal information.
Continue Reading EU Parliament Policy Report Takes Dim View of EU Commission’s “Pro-Market” Policies on Big Data and Smart Devices

On October 1st, 2015, the Court of Justice of the EU rendered its judgment in the Weltimmo case (C-230/14).  The case addressed two important aspects of EU data protection law, namely applicable law and the scope of the territorial powers of data protection authorities.

The case arose out of a dispute between Weltimmo, a company registered in Slovakia, which operates property dealing websites concerning Hungarian properties, and the Hungarian data protection authority.  Several advertisers lodged a complaint with the data protection authority, which imposed a fine on Weltimmo for a violation of the Hungarian Law on Information.
Continue Reading EU’s Highest Court Rules on Applicable Law and Territorial Powers of the National Data Protection Authorities