Archives: Data Privacy

Subscribe to Data Privacy RSS Feed

Council of the EU Released a (New) Draft of the ePrivacy Regulation

On January 5, 2021, the Council of the European Union released a new, draft version of the ePrivacy Regulation, which is meant to replace the ePrivacy Directive.  The European Commission approved a first draft of the ePrivacy Regulation in January 2017.  The draft regulation has since then been under discussion in the Council. On January … Continue Reading

Twitter Fine: a View into the Consistency Mechanism, and “Constructive Awareness” of Breaches

On December 15, 2020, the Irish Data Protection Commission (“DPC”) fined Twitter International Company (“TIC”) EUR 450,000 (USD 500,000) following a narrow investigation into TIC’s compliance with obligations to (a) notify a personal data breach within 72 hours under Article 33(1) GDPR; and (b) document the facts of the breach under Article 33(5) GDPR. The … Continue Reading

HHS Announces Proposed Changes to HIPAA’s Privacy Rule

In a new post of the Covington Digital Health blog, our colleagues discuss the proposed rule issued by the Office for Civil Rights of the U.S. Department of Health and Human Services to modify the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for … Continue Reading

California Attorney General Releases Fourth Set of Proposed Modifications to California Consumer Privacy Act Regulations

Yesterday, the California Attorney General (“AG”) proposed a fourth set of modifications to the California Consumer Privacy Act regulations. These modifications build on the third set of proposed regulations released by the AG in October, which we discussed here. Interested parties have until December 28 to submit comments in response.… Continue Reading

The Spanish Supervisory Authority Approves a GDPR Code of Conduct on Advertising

On September 16, 2020, the Spanish Supervisory Authority (“AEPD”) approved a “Code of Conduct for Data Processing in Advertising” (“Code”) (see the decision approving the code here). This is the first GDPR approved Code of Conduct with an accredited monitoring body in the European Union. The Code enters into effect on November 17, 2020, two … Continue Reading

EDPB adopts recommendations on international data transfers following Schrems II decision

On 11 November 2020, the European Data Protection Board (“EDPB”) issued two draft recommendations relating to the rules on how organizations may lawfully transfer personal data from the EU to countries outside the EU (“third countries”).  These draft recommendations, which are non-final and open for public consultation until 30 November 2020, follow the EU Court … Continue Reading

Californians Approve Ballot Initiative Modifying the California Consumer Privacy Act

Voters in California approved Proposition 24, which updates the California Consumer Privacy Act (“CCPA”) just a few months after the landmark regulations implementing the privacy law went into effect.  As we have previously explained, the California Privacy Rights Act (“CPRA”) will change the existing CCPA requirements in a number of ways, including limiting the sharing … Continue Reading

French Court of Cassation Decides That an Employer Can Use a Facebook Post to Dismiss an Employee

On September 30, 2020, the French Court of Cassation (“Court”) ruled in favor of an employer that dismissed an employee because of the contents of a Facebook post (the decision is available here, in French).  In particular, the employee in this case posted a photograph of a new clothing collection of the employer on a … Continue Reading

French Supervisory Authority Releases Strict Guidance on the Use of Facial Recognition Technology at Airports

On October 9, 2020, the French Supervisory Authority (“CNIL”) issued guidance on the use of facial recognition technology for identity checks at airports (available here, in French).  The CNIL indicates that it has issued this guidance in response to a request from several operators and service providers of airports in France who are planning to … Continue Reading

California Attorney General Releases New Proposed Modifications to California Consumer Privacy Act Regulations

On Monday, the California Attorney General (“AG”) proposed a third set of modifications to the recently enacted California Consumer Privacy Act (“CCPA”) regulations.  Interested parties have until October 28 to file comments in response. These proposed modifications are the latest effort in an extensive rulemaking process that has lasted more than a year.  Most recently, … Continue Reading

New Guidelines for Companies from German Supervisory Authority (DPA-BW) following Schrems II

On September 7, 2020, the German data protection supervisory authority for Baden-Wuerttemberg (“DPA-BW”) released new guidelines following the Schrems II judgment on how companies should transfer data to third countries. For a more in-depth summary of the CJEU’s Schrems II decision, please see our previous blog post here and our audiocast episode here.… Continue Reading

FCC Reevaluating Certain TCPA Compliance Exemptions

Last week, the Federal Communications Commission (FCC) issued a notice of proposed rulemaking (NPRM) seeking comment on a proposal to review and potentially revise a number of existing exemptions that the FCC has adopted with respect to certain Telephone Consumer Protection Act (TCPA) requirements.  The FCC’s review could end up narrowing or eliminating some of … Continue Reading

French Supervisory Authority Publishes Final Version of Cookie Guidelines, Says It Will Start Enforcing Them in April 2021

On October 1, 2020, the French Supervisory Authority (“CNIL”) published the final version of its Guidelines on cookies and other tracking technologies (hereafter, “guidelines” – see announcement here, and guidelines here, in French), as well as an adjoining set of best practice recommendations (in French) with examples on how to implement the guidelines.  In this … Continue Reading

H&M Receives Record-Breaking Fine for Employee Surveillance in Violation of the GDPR

On October 1, 2020, the Hamburg Data Protection Authority (“Hamburg DPA”) fined H&M, the Swedish clothing company, over €35 million for illegally surveilling employees at its service center in Nuremberg.  This fine is the largest financial penalty issued by a German DPA to date for a violation of the European General Data Protection Regulation (“GDPR”), … Continue Reading

Five Key Themes from the FTC’s Data Portability Workshop

On September 22, 2020, the Federal Trade Commission (“FTC”) hosted “Data to Go,” a virtual workshop on data portability. The workshop convened experts from civil society, academia, and industry to discuss the potential risks as well as consumer and competition benefits of data portability, as well as issues and best practices related to its implementation … Continue Reading

EDPB Publishes Draft Guidelines on the Targeting of Social Media Users

On 7 September 2020, the European Data Protection Board (“EDPB”) adopted draft guidelines on the targeting of social media users (the “Guidelines”).  The Guidelines aim to clarify the roles and responsibilities of social media providers and “targeters” with regard to the processing of personal data for the purposes of targeting social media users.… Continue Reading

Inside Privacy Audiocast: Episode 4 – A Look into the ACLU of California’s Position on the CPRA

On our fourth episode of our Inside Privacy Audiocast, we are aiming our looking glass at the California Privacy Rights Act, and are joined by guest speaker Jacob Snow, Technology and Civil Liberties Attorney with the American Civil Liberties Union of Northern California. In September 2019, Alastair Mactaggart, Board Chair and Founder of Californians for … Continue Reading

European Commission Proposes Interim Regulation to Combat Child Sexual Abuse Online

On 10 September 2020, the European Commission proposed an interim regulation designed to enable online communications service providers to combat child sexual abuse online. Once in force, this regulation will provide a legal basis for providers to voluntarily scan communications or traffic data on their services for the limited purpose of detecting child sexual abuse … Continue Reading

Swiss Federal Data Protection Authority Removes the US from its List of Adequate Countries

On September 8, 2020, the Swiss Federal Supervisory Authority (“Swiss SA”) issued a position paper stating that Swiss companies can no longer rely on the Swiss-US Privacy Shield Framework to transfer data to the US. The Swiss SA did not revoke the Swiss-US Privacy Shield Framework because it does not have the power to do … Continue Reading

Life After Schrems II: Practical Recommendations In An Uncertain Time

On 16 July, 2020, the Court of Justice of the EU (“CJEU”), issued its decision in the Schrems II case.  In short, the CJEU invalidated the EU-U.S. Privacy Shield and clarified that the use of standard contractual clauses (“SCCs”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs … Continue Reading

California Legislature Extends CCPA’s Employment and Business-to-Business Exemptions

The California legislature has approved a contingency plan to ensure that certain California Consumer Privacy Act (“CCPA”) exemptions will be extended beyond December 2020.  Regardless of what happens with the November ballot initiative, businesses will have at least another year before they must comply with all of the CCPA’s provisions when collecting or using certain … Continue Reading

LGPD Effective Imminently

On August 26, 2020, the Brazilian Senate rejected an alteration made to Article 4 of Provisional Measure 959/20 — an alteration intended to postpone the effective date of the General Data Protection Law (“LGPD”) until December 31, 2020.  Following the removal of Article 4 — and many months of uncertainty — the LGPD’s effective date … Continue Reading

Inside Privacy Audiocast: Episode 3 – Emerging Data Privacy Issues in Brazil

On our third episode of our Inside Privacy Audiocast, we are aiming our looking glass at Brazil’s new data protection statute, Lei Geral de Proteção de Dados (or LGPD), and are joined by Ronaldo Lemos, a partner at Rennó Penteado. In our episode recorded earlier this week, Dan Cooper and Ronaldo discuss the LGPD, which … Continue Reading
LexBlog