On February 12, 2019, the European Data Protection Board (“EDPB”) published two information notes to highlight the impact of a so-called “No-deal Brexit” on data transfers under the EU General Data Protection Regulation (“GDPR”), as well as the impact on organizations that have selected the UK Information Commissioner (“ICO”) as their “lead supervisory authority” for … Continue Reading
On February 12, the Federal Trade Commission (“FTC”) announced that, after a review of the Controlling the Assault of Non-Solicited Pornography and Marketing Act (“CAN-SPAM”) Rule as part of its periodic review of its regulations, it has determined that the Rule does not need to be modified at this time.… Continue Reading
Today, President Trump signed an Executive Order (“EO”), “Maintaining American Leadership in Artificial Intelligence,” that launches a coordinated federal government strategy for Artificial Intelligence (the “AI Initiative”). Among other things, the AI Initiative aims to solidify American leadership in AI by empowering federal agencies to drive breakthroughs in AI research and development (“R&D”) (including by … Continue Reading
On January 25, 2019, the Illinois Supreme Court published its widely anticipated decision in Rosenbach v. Six Flags Entertainment Corporation et al., addressing the question of what it means to be an “aggrieved” person under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). Under BIPA, aggrieved persons are entitled to seek … Continue Reading
Last week, a California magistrate judge denied federal prosecutors’ application for a search warrant on the grounds that law enforcement cannot force people to unlock their phones using biometric features, such as fingerprints and facial recognition.… Continue Reading
On January 10, 2019, Advocate General Szpunar of the Court of Justice of the European Union (CJEU) released his opinion regarding a 2016 enforcement action carried out by the French Supervisory Authority (CNIL) against Google. In that case, the CNIL ordered Google to de-reference links to webpages containing personal data. According to the CNIL, the … Continue Reading
On December 29, 2018, the Northern District of Illinois dismissed a case brought against Google under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) on standing grounds. Plaintiffs, Lindabeth Rivera and Joseph Weiss, alleged that Google violated BIPA by failing to obtain informed consent from users prior to collecting, storing, and … Continue Reading
Starting next week, the California Department of Justice will hold six public forums on how the state should implement its landmark privacy law, the California Consumer Privacy Act (“CCPA”). Although California enacted the CCPA in June 2018, the state is still in the process of implementing the new legislation, and the public forums “will provide … Continue Reading
On 30 November 2018, the Austrian Data Protection Authority (“DPA”) decided that the website of an online media publisher – which offers users the option to either consent to advertising cookies or pay for a subscription – gives users a free choice that is compatible with the requirements of consent under the GDPR. (The decision … Continue Reading
It has been a busy year for privacy and cybersecurity. Here is a look back at the highlights of 2018 and a preview of what 2019 may have in store in the United States, Europe, and China:… Continue Reading
On December 12, 2018, Senator Brian Schatz (D-HI) led a group of fifteen Democratic senators in introducing the “Data Care Act of 2018,” which would impose duties of care, loyalty, and confidentiality on online service providers with respect to processing and securing user data. The bill would also provide the FTC with rulemaking authority and … Continue Reading
On December 11, 2018, the Vermont Office of the Attorney General published new guidance on the state’s data broker law (Act 171 of 2018), which imposes new data breach notification requirements on “data brokers” and takes effect on January 1, 2019. The new guidance clarifies the definitions of key statutory terms and the scope of … Continue Reading
On December 4, 2018, the Federal Trade Commission (“FTC”) announced that it is accepting public comments regarding its Identity Theft Detection Rules, 16 C.F.R. Part 681 (the “Rules”), as part of a systematic review of the Commission’s regulations and guidelines. The review of the Rules is particularly noteworthy because identity theft is among the top … Continue Reading
Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”). Since the entry into force … Continue Reading
On November 23, 2018, the European Data Protection Board (“EDPB”) issued draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (“Guidelines”). As per standard procedure, the EDPB has published this first version of the Guidelines to allow for public consultation about its contents over the next several months. At the conclusion of … Continue Reading
A recent press release from November 16, 2018 revealed that Malta’s Justice Minister introduced the right to be forgotten through a ministerial decree. Since 2013, 86 out of 131 judgments have either been anonymized or removed from the courts’ public database. The information came as a surprise to Malta’s legal community, as there had been … Continue Reading
On November 20, 2018, the Illinois Supreme Court heard oral arguments in Rosenbach v. Six Flags Entertainment Corporation et al., a case arising under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). BIPA provides a private right of action for persons “aggrieved by a violation of [the] Act.” The crux of … Continue Reading
Last week, the National Telecommunications and Information Administration (“NTIA”) released submissions it had received from the Federal Trade Commission (“FTC”) staff and many other parties on NTIA’s proposed framework for advancing consumer privacy while protecting innovation. Although NTIA did not request comments on a possible federal privacy bill, most submissions took the opportunity to inform … Continue Reading
On November 9, 2018, the French Supervisory Authority for Data Protection (known as the “CNIL”) announced that it issued a formal warning (available here) ordering the company Vectaury to change its consent experience for customers and purge all data collected on the basis of invalid consent previously obtained. Vectaury is an advertising network that … Continue Reading
Senator Ron Wyden last week released a discussion draft of a federal privacy bill that would amend Section 5 of the Federal Trade Commission Act to expand the FTC’s authority, create significant civil fines, and enforce certain provisions through criminal penalties. The draft Consumer Data Protection Act is among a growing number of proposals for … Continue Reading
The Department of Commerce’s National Institute of Standards and Technology (“NIST”) announced in early September intention to create a Privacy Framework. This Privacy Framework would provide voluntary guidelines that assist organizations in managing privacy risks. The NIST announcement recognized that the Privacy Framework is timely because disruptive technologies, such as artificial intelligence and the internet … Continue Reading
On July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400.000 € on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”). The decision has not been made public. Earlier this week, the hospital publicly announced that it will contest the fine. According to press reports, the CNPD … Continue Reading
On October 18, 2018, the Dutch Supervisory Authority for data protection adopted guidance on the second Payment Service Directive (“PSD2”). The PSD2 intends to open the financial services market to a larger scale of innovative online services. To that effect, the PSD2 sets out rules for obtaining access to the financial information of bank customers. … Continue Reading
On September 5, 2018, a first instance Administrative Court in Italy decided that a public company cannot reject an application for the position of data protection officer (“DPO”) on the basis that the applicant is not a certified ISO 27001 Auditor / Lead Auditor (decision available here). ISO 27001 is an international information security standard. … Continue Reading
