In January 2021, the French Supervisory Authority (“CNIL”) published a summary report of contributions it received in response to a public consultation and survey on the digital rights of minors launched in April 2020 (see the press release here and a summary report here, both in French). Stakeholders who responded to the consultation included companies, professionals dedicated to the legal and educational issues related to children, parents and minors.
In February 2021, the European Commission (“Commission”) released a report on European Union (“EU”) Member States’ laws governing the processing of health data. The report discusses three general types of health data uses:
- primary use for health care services;
- secondary use for public health purposes; and
- secondary use for scientific research purposes.
For each of these general purposes, the report assesses real-world use cases. For example, for health care services, the report considers e-health applications, among others. For public health purposes, the report considers pharmacovigilance and product approvals. The section on scientific research purposes, meanwhile, considers issues such as research by public bodies, sharing of data with third-party researchers, and the use of genetic data.
Several states have proposed new privacy bills since their sessions began. Some of the proposed bills carry over or re-introduce bills drafted in previous legislative sessions, while others are introducing first-in-time omnibus privacy bills. In the high-level chart below, we compare five of the key state privacy frameworks: the CPRA, VCDPA (which we blogged about here), the NYPA, the general privacy provisions of the Washington Privacy Act, and the newly introduced Washington People’s Privacy Act (HB 1433).
Until now, damages claims awarded by German courts pursuant to Article 82 of the General Data Protection Regulation (“GDPR”) – in particular, claims for non-material damages – have been relatively low. This restrained approach thus far has been predicated primarily on the position that German law requires a serious violation of personality rights to justify higher claims for non-material damages. Two recent cases decided by regional courts illustrate and confirm this prevailing stance. However, a more recent decision issued by the Federal Constitutional Court indicates that views in Germany may be evolving on this topic, and courts may soon be willing to entertain higher damages claims.
The EU’s ePrivacy Regulation, like the EU GDPR, has been highly anticipated since it was first proposed in 2017. What are the current developments and next steps in the process to enactment? What are some of the complicating factors of the proposed Regulation? Are there major differences between the initial proposal and where the text is now? Who will be impacted when the Regulation will be enacted, and what about the implications of Brexit?
Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.
A number of legislative proposals to amend Section 230 of the 1996 Communications Decency Act (“Section 230”) have already been introduced in the new Congress. Section 230 provides immunity to an owner or user of an “interactive computer service” — generally understood to encompass internet platforms and websites — from liability for content posted by a third party.
On February 8, 2021, Senator Mark Warner (D-VA) introduced the Safeguarding Against Fraud, Exploitation, Threats, Extremism, and Consumer Harms Act (“SAFE TECH Act”), cosponsored by Senators Amy Klobuchar (D-MN) and Mazie Hirono (D-HI). The bill would narrow the scope of immunity that has been applied to online platforms. Specifically, the SAFE TECH Act would amend Section 230 in the following ways: Continue Reading
On February 3, 2021, the Conference of the Supervisory Authorities (“SAs”) of Germany (known as the Datenschutzkonferenz or “DSK”) published minutes from its meetings held in November 2020 (available here, in German). The minutes include discussions about how the German SAs plan to enforce the recent Schrems II ruling of the Court of Justice of the European Union (“CJEU”). Notably, the Berlin SA (coordinator of the DSK’s Schrems II task force) sought consensus to ensure a joint enforcement approach.
On February 14, 2021, the Abu Dhabi Global Market (“ADGM”), one of two significant financial services free zones in the United Arab Emirates, enacted its new Data Protection Regulations 2021 (the “Regulations”). The Regulations will come into force and replace the current Data Protection Regulations 2015 following a transition period of 12 months for current establishments (i.e., those established in ADGM prior to February 14, 2021) and 6 months for new establishments (i.e., those established in ADGM on or following February 14, 2021).
Similar to recently introduced data protection laws in other jurisdictions, such as Brazil and the Dubai International Financial Centre, the Regulations are modeled after the European Union’s General Data Protection Regulation, which ADGM deemed to be “the leading international standard and best practice for robust Data Protection legislation” following its international benchmark of standards and best practices.
The Regulations also introduce an independent Office of Data Protection serving functions similar to the European Data Protection Board. The Office will be headed by a Commissioner of Data Protection appointed by ADGM, and its responsibilities will include promoting data protection within ADGM, maintaining a register of data controllers, enforcing obligations upon data controllers, and upholding the rights of individuals.
We will continue to monitor the implementation of the Regulations. Feel free to reach out to a member of our team if you have any questions.
On February 2, 2021, the European Data Protection Board (“Board”) responded to questions submitted by the European Commission (“Commission”) on the application of the General Data Protection Regulation (“GDPR”) to health research. The Board also announced that it is currently working on guidelines on the processing of personal data for scientific research purposes, which it aims to publish in the course of 2021.
On February 11, 2021, the European Commission launched a public consultation on its initiative to fight child sexual abuse online (the “Initiative”), which aims to impose obligations on online service providers to detect child sexual abuse online and to report it to public authorities. The consultation is part of the data collection activities announced in the Initiative’s inception impact assessment issued in December last year. The consultation runs until April 15, 2021, and the Commission intends to propose the necessary legislation by the end of the second quarter of 2021.