It has been a busy year for privacy and cybersecurity. Here is a look back at the highlights of 2018 and a preview of what 2019 may have in store in the United States, Europe, and China:… Continue Reading
On December 12, 2018, Senator Brian Schatz (D-HI) led a group of fifteen Democratic senators in introducing the “Data Care Act of 2018,” which would impose duties of care, loyalty, and confidentiality on online service providers with respect to processing and securing user data. The bill would also provide the FTC with rulemaking authority and … Continue Reading
On December 11, 2018, the Vermont Office of the Attorney General published new guidance on the state’s data broker law (Act 171 of 2018), which imposes new data breach notification requirements on “data brokers” and takes effect on January 1, 2019. The new guidance clarifies the definitions of key statutory terms and the scope of … Continue Reading
On December 4, 2018, the Federal Trade Commission (“FTC”) announced that it is accepting public comments regarding its Identity Theft Detection Rules, 16 C.F.R. Part 681 (the “Rules”), as part of a systematic review of the Commission’s regulations and guidelines. The review of the Rules is particularly noteworthy because identity theft is among the top … Continue Reading
Under the Data Protection Directive (now superseded by the General Data Protection Regulation, “GDPR”), it was disputed whether a violation of the German Data Protection Law transposing the Directive could serve as a basis for anti-competition claims under the German Act Against Unfair Competition (“Gesetz gegen den unlauteren Wettbewerb”, “UWG”). Since the entry into force … Continue Reading
On November 23, 2018, the European Data Protection Board (“EDPB”) issued draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) (“Guidelines”). As per standard procedure, the EDPB has published this first version of the Guidelines to allow for public consultation about its contents over the next several months. At the conclusion of … Continue Reading
A recent press release from November 16, 2018 revealed that Malta’s Justice Minister introduced the right to be forgotten through a ministerial decree. Since 2013, 86 out of 131 judgments have either been anonymized or removed from the courts’ public database. The information came as a surprise to Malta’s legal community, as there had been … Continue Reading
On November 20, 2018, the Illinois Supreme Court heard oral arguments in Rosenbach v. Six Flags Entertainment Corporation et al., a case arising under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”). BIPA provides a private right of action for persons “aggrieved by a violation of [the] Act.” The crux of … Continue Reading
Last week, the National Telecommunications and Information Administration (“NTIA”) released submissions it had received from the Federal Trade Commission (“FTC”) staff and many other parties on NTIA’s proposed framework for advancing consumer privacy while protecting innovation. Although NTIA did not request comments on a possible federal privacy bill, most submissions took the opportunity to inform … Continue Reading
On November 9, 2018, the French Supervisory Authority for Data Protection (known as the “CNIL”) announced that it issued a formal warning (available here) ordering the company Vectaury to change its consent experience for customers and purge all data collected on the basis of invalid consent previously obtained. Vectaury is an advertising network that … Continue Reading
Senator Ron Wyden last week released a discussion draft of a federal privacy bill that would amend Section 5 of the Federal Trade Commission Act to expand the FTC’s authority, create significant civil fines, and enforce certain provisions through criminal penalties. The draft Consumer Data Protection Act is among a growing number of proposals for … Continue Reading
The Department of Commerce’s National Institute of Standards and Technology (“NIST”) announced in early September intention to create a Privacy Framework. This Privacy Framework would provide voluntary guidelines that assist organizations in managing privacy risks. The NIST announcement recognized that the Privacy Framework is timely because disruptive technologies, such as artificial intelligence and the internet … Continue Reading
On July 17, 2018, the Portuguese Supervisory Authority (“CNPD”) imposed a fine of 400.000 € on a hospital for infringement of the European Union General Data Protection Regulation (“GDPR”). The decision has not been made public. Earlier this week, the hospital publicly announced that it will contest the fine. According to press reports, the CNPD … Continue Reading
On October 18, 2018, the Dutch Supervisory Authority for data protection adopted guidance on the second Payment Service Directive (“PSD2”). The PSD2 intends to open the financial services market to a larger scale of innovative online services. To that effect, the PSD2 sets out rules for obtaining access to the financial information of bank customers. … Continue Reading
On September 5, 2018, a first instance Administrative Court in Italy decided that a public company cannot reject an application for the position of data protection officer (“DPO”) on the basis that the applicant is not a certified ISO 27001 Auditor / Lead Auditor (decision available here). ISO 27001 is an international information security standard. … Continue Reading
On September 30, 2018, China’s Ministry of Public Security (“MPS”) released the Regulation on the Internet Security Supervision and Inspection by Public Security Organs (the “Regulation”;《公安机关互联网安全监督检查规定》), which will take effect on November 1, 2018.… Continue Reading
On October 10, the Senate Committee on Commerce, Science, and Transportation held second hearing on data privacy that invited advocates and experts to discuss a federal privacy law. The panelists included Andrea Jelinek, director of the European Data Protection Board; Alastair Mactaggart, chair of Californians for Consumer Privacy; Laura Moy, executive director of the Georgetown … Continue Reading
On September 26, 2018, New Jersey federal district judge Madeline Cox Arleo dismissed an eight-count class action complaint in its entirety against three smart TV makers: Samsung, LG, and Sony. The plaintiffs alleged that defendants’ smart TVs continuously monitored and tracked their viewing habits, recorded their voices, and then transmitted that information to defendants’ servers, … Continue Reading
Last week, the National Telecommunications and Information Administration (NTIA) published a request for comments on how it should approach consumer privacy policy. NTIA noted that federal action is needed because a growing number of countries and U.S. states have adopted distinct policy approaches with respect to consumer privacy, which risks a fragmented regulatory regime that … Continue Reading
On 25 May 2018, the EU General Data Protection Regulation (GDPR) came into effect. The GDPR establishes some of the most robust privacy requirements globally and is likely to be a model followed by other jurisdictions. Airlines are uniquely affected by the GDPR with passenger data being at the heart of their business and international … Continue Reading
Key Provisions in India’s Draft Personal Data Bill This post is a follow-up to our earlier post on the release of India’s draft personal data protection bill. In this post, we go into greater detail about the bill’s provisions and flag issues for companies worldwide that may process data in India or provide goods or … Continue Reading
Less than three months ago, California enacted the California Consumer Privacy Act of 2018 (“CCPA”). Industry and privacy watch groups alike have scrutinized the law. This summer saw fierce negotiations all in the name of improving the CCPA. Last Friday, on August 31, 2018, the California legislature passed SB 1121 to amend the CCPA. The … Continue Reading
Covington’s Alex Berengaut and Kate Goodloe today hosted a webinar on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act. The CLOUD Act was signed into law in March and creates a new framework for government access to data held by technology companies worldwide. The webinar, hosted with DataGuidance, is available here. The webinar expands … Continue Reading
On August 14, Brazilian President Michel Temer signed into law the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (English translation), making Brazil the latest country to implement comprehensive data privacy regulation. The law’s key provisions closely mirror the European Union’s General Data Privacy Regulation (“GDPR”), including significant extraterritorial … Continue Reading
