Last week, the Ninth Circuit ruled in Lemmon v. Snap, Inc., No. 20-55295 (May 4 2021), that 47 U.S.C. § 230 (“Section 230”) did not bar a claim of negligent product design against Snap, Inc., reversing and remanding a lower court ruling.
Continue Reading Ninth Circuit Denies Section 230 Defense in Products Liability Case

In Part 1 of this blog series (see here), we discussed recent data protection developments in China’s e-commerce sector.  In this post, we discuss recently issued rules aimed at improving data governance in China’s financial sector that could also have data protection implications.  These rules can be categorized as falling into two groups: the first group focuses on general data governance requirements applicable to all financial institutions, and the second group regulates specific types of financial services.

These new rules were published by the China Banking and Insurance Regulatory Commission (“CBIRC”) and People’s Bank of China (“PBOC”) during the first quarter of 2021, and include:

  • Guidelines for Data Capacity-Building in the Financial Industry (“Guidelines”) (official Chinese version available here);
  • Financial Data Security – Data Life Cycle Security Standard (“Standard”) (official Chinese version available here); and
  • Draft Credit Reporting Management Measures (“Draft Measures”) (official Chinese version available here).

Both the Guidelines and Standard provide detailed criteria for financial institutions on the proper collection, use and protection of “financial data,” while the Draft Measures introduce data-related requirements for licensed credit reporting agencies.  All of these new rules include data security requirements for both personal and non-personal data.


Continue Reading Privacy Updates from China: Proliferation of Sector-Specific Rules As Key Legislation Remains Pending – Part 2: Data Protection in the Financial Sector

When China’s legislature, the National People’s Congress (“NPC”), enacted the Cybersecurity Law (“CSL”) in 2017, it set into motion a new era of data governance in China.  Three years later, in 2020, the NPC followed up this landmark act with two other legislative milestones in this space: the draft Data Security Law (“DSL”) (see our blogpost here) and draft Personal Information Protection Law (“PIPL”) (see our client alert here).  Both the PIPL and DSL will be finalized this year.  Taken as a whole, these three laws form an over-arching framework that will govern data protection and cybersecurity in China for years to come.

While the DSL and PIPL have remained in draft form over the past year, the Chinese government has not stood idly by – instead, various Chinese regulators have continued to introduce data- and cyber-related rules in  key sectors.  Many of these sectoral rules do not appear to be primarily focused on data protection or cybersecurity, yet they may indirectly impact the collection, use and processing of personal information in specific sectors.  The rollout of these new rules has not been fully coordinated, and the approaches taken in some cases deviate from the over-arching framework mentioned above.  We expect this divergence to remain, even after the finalization of the PIPL and DSL.  Consequently, China’s data and cyber regime will likely present a complex web of regulatory rules for organizations to navigate – both now and in the years ahead.

In this blog series, we examine several recently-introduced data and cyber rules in the areas of e-commerce, finance, healthcare, and artificial intelligence – all of which are rapidly expanding sectors in China where the collection and use of massive amounts of personal information have given rise to a variety of regulatory concerns.  We will also explain, in the last blogpost of this series, China’s recent push to regulate how mobile applications can collect and process user data.

In our first blogpost of this series, we focus on recent developments in China’s e-commerce sector.


Continue Reading Privacy Updates from China: Proliferation of Sector-Specific Rules As Key Legislation Remains Pending – Part 1: Data Protection in the E-Commerce Sector

Until now, damages claims awarded by German courts pursuant to Article 82 of the General Data Protection Regulation (“GDPR”) – in particular, claims for non-material damages – have been relatively low.  This restrained approach thus far has been predicated primarily on the position that German law requires a serious violation of personality rights to justify higher claims for non-material damages.  Two recent cases decided by regional courts illustrate and confirm this prevailing stance.  However, a more recent decision issued by the Federal Constitutional Court indicates that views in Germany may be evolving on this topic, and courts may soon be willing to entertain higher damages claims.

Continue Reading A New Day for GDPR Damages Claims in Germany?

On January 18, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 01/2021 on Examples regarding Data Breach Notification (“Guidelines”) (available here).  The Guidelines aim to assist data controllers in responding to and assessing the risk of personal data breaches, providing “practice-oriented, case-based guidance” which draws from the experiences of European supervisory authorities since the EU General Data Protection Regulation (“GDPR” or “Regulation”) went into effect in 2018.

The Guidelines are currently open for public consultation until March 2, 2021.  In this blog post, we summarize a few key takeaways from the Guidelines.


Continue Reading EDPB Publishes Draft Guidelines on Data Breach Notification Examples

On this special tenth episode of our Inside Privacy Audiocast, we celebrate Data Privacy Day 2021. Join Dan Cooper and Kurt Wimmer as they discuss the key global data privacy developments in 2020 and trends to look out for in 2021.

Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe

On the ninth episode of our Inside Privacy Audiocast, we peer through the looking glass at China’s approach to data protection and the latest developments in its emerging data protection and cybersecurity regime. Dan Cooper, Yan Luo and Zhijing Yu discuss the variety of legal instruments in China’s quickly-evolving data protection and cybersecurity regulatory

Washington State Hearing on Latest Privacy Bill Highlights Competing Interests For Best Practices and Data Minimization 

On January 14, 2020, Washington’s State Senate Committee on Environment, Energy & Technology received public testimony about Senate Bill 5062, the “Washington Privacy Act.”  Representatives from trade associations, the Attorney General’s Office, and civil rights groups offered recommendations to eliminate perceived loopholes and clarify bill provisions.

This post highlights recurring issues from the public hearing.
Continue Reading Washington State Hearing on Latest Privacy Bill Highlights Competing Interests For Best Practices and Data Minimization

On December 16, 2020, the German Federal Government passed a draft law that substantially amends some of Germany’s information technology laws (“IT laws”). These amendments aim to adapt the current legal framework to the increasing digitalization of products and services, the proliferation of IoT products, and the appearance of new cybersecurity threats. The draft law is expected to be enacted in the German Parliament in the first quarter of 2021.

Continue Reading German Federal Government Passes Draft Law Amending Germany’s Information Technology Laws

Last year, Californians passed proposition 24, also known as the California Privacy Rights Act (“CPRA”). That law makes several changes to the California Consumer Privacy Act (“CCPA”), including some that relate to an organization’s cybersecurity practices.
Continue Reading Four Key Cyber Takeaways from The CPRA