On February 3, 2021, the Conference of the Supervisory Authorities (“SAs”) of Germany (known as the Datenschutzkonferenz or “DSK”) published minutes from its meetings held in November 2020 (available here, in German). The minutes include discussions about how the German SAs plan to enforce the recent Schrems II ruling of the Court of Justice of the European Union (“CJEU”). Notably, the Berlin SA (coordinator of the DSK’s Schrems II task force) sought consensus to ensure a joint enforcement approach.
On February 14, 2021, the Abu Dhabi Global Market (“ADGM”), one of two significant financial services free zones in the United Arab Emirates, enacted its new Data Protection Regulations 2021 (the “Regulations”). The Regulations will come into force and replace the current Data Protection Regulations 2015 following a transition period of 12 months for current establishments (i.e., those established in ADGM prior to February 14, 2021) and 6 months for new establishments (i.e., those established in ADGM on or following February 14, 2021).
Similar to recently introduced data protection laws in other jurisdictions, such as Brazil and the Dubai International Financial Centre, the Regulations are modeled after the European Union’s General Data Protection Regulation, which ADGM deemed to be “the leading international standard and best practice for robust Data Protection legislation” following its international benchmark of standards and best practices.
The Regulations also introduce an independent Office of Data Protection serving functions similar to the European Data Protection Board. The Office will be headed by a Commissioner of Data Protection appointed by ADGM, and its responsibilities will include promoting data protection within ADGM, maintaining a register of data controllers, enforcing obligations upon data controllers, and upholding the rights of individuals.
We will continue to monitor the implementation of the Regulations. Feel free to reach out to a member of our team if you have any questions.
On February 2, 2021, the European Data Protection Board (“Board”) responded to questions submitted by the European Commission (“Commission”) on the application of the General Data Protection Regulation (“GDPR”) to health research. The Board also announced that it is currently working on guidelines on the processing of personal data for scientific research purposes, which it aims to publish in the course of 2021.
On February 11, 2021, the European Commission launched a public consultation on its initiative to fight child sexual abuse online (the “Initiative”), which aims to impose obligations on online service providers to detect child sexual abuse online and to report it to public authorities. The consultation is part of the data collection activities announced in the Initiative’s inception impact assessment issued in December last year. The consultation runs until April 15, 2021, and the Commission intends to propose the necessary legislation by the end of the second quarter of 2021.
In this blog post, we look at a recent decision by the UK Court of Appeal and a separate prosecution brought by the Information Commissioner’s Office (“ICO”; the UK data protection authority), which together serve as a cautionary tale for employees and prospective future employers of the risks of civil liability and criminal conviction for confidential information and data theft.
Clear contractual terms and policies, supplemented by training, remain critical tools for employers seeking to deter employees from misappropriating corporate information. Employers may wish to make use of these examples to underscore the importance of compliance.
In January 2021, the Belgian Supervisory Authority issued detailed guidance (available in Dutch and French) on how to securely destroy personal data in accordance with the General Data Protection Regulation (“GDPR”). Among other things, the guidance aims to help controllers and processors comply with their obligations under Article 32 of the GDPR.
Last week, a federal district court in San Francisco dismissed a claim under the California Consumer Privacy Act (“CCPA”). The plaintiff alleged that Google had collected personal information without complying with the CCPA’s notice and consent requirements. The court held that the CCPA’s private right of action does not extend to these provisions of the law. It appears that this is the first time a court expressly reached this conclusion. The case is McCoy v. Alphabet, No. 20‑cv‑05427 (N.D. Cal. Feb. 2, 2021).
For context, the plaintiff alleged that Google used an internal program called “Android Lockbox” on its Android operating system to monitor and collect data from Android users as they used non-Google apps on their phones. The alleged data collection included when and how often these third-party apps were used and the amount of time users spent on the third-party apps. Based on these allegations, the plaintiff asserted eleven different claims. Among these was a claim that Google violated the CCPA by failing to comply with the law’s requirements related to notice and consent.
In a new post on the Covington Digital Health blog, our colleagues discuss a recent settlement between the Federal Trade Commission (“FTC”) and Flo Health, Inc. (“Flo”), the developer of a popular menstrual cycle and fertility-tracking application. The settlement resolves allegations that Flo shared app users’ health information with outside third parties after promising that such information would be kept private. The proposed settlement requires Flo, among other things, to obtain review by an “independent third-party professional” of its privacy practices, obtain users’ consent before sharing their health information, alert users whose data was disclosed, and require third parties that previously received that data to destroy it. This settlement marks the first instance in which the FTC has required a company to provide users with a notice of the privacy action brought by the FTC. Specifically, in its proposed settlement, the FTC requires Flo to “clearly and conspicuously” share with users a pre-written notice that explains what information Flo disclosed to third parties and describes the settlement with the FTC. According to the FTC’s announcement, the agency is “looking closely at whether developers of health apps are keeping their promises and handling sensitive health information responsibly.”
The Virginia Consumer Data Protection Act (HB 2307 / SB 1392), introduced in the House of Delegates on January 20, passed both houses of Virginia’s state legislature on February 5 with large bipartisan majorities. This comprehensive privacy bill, which would take effect on January 1, 2023, follows a framework similar to that of the current version of the Washington Privacy Act (“WPA”), though it differs from the WPA in important respects. We have included a high-level summary of some of the bill’s provisions below.
The passage of nearly identical legislation by both chambers of the Virginia legislature positions the Virginia Consumer Data Protection Act to become the nation’s next comprehensive state privacy law. Lawmakers must reconcile the two bills before the end of the session on February 27, and, assuming a reconciled bill passes in both houses, it will be sent to Gov. Ralph Northam to sign into law or veto. If Gov. Northam takes no action, the reconciled bill would become law within seven days or, if there are fewer than seven days remaining in the General Assembly session, or if the General Assembly has adjourned, within thirty days.
On February 4, 2021, the House Energy and Commerce’s Subcommittee on Consumer Protection and Commerce held a hearing entitled, “Safeguarding American Consumers: Fighting Scams and Fraud During the Pandemic.” The hearing focused on the FTC’s ability to obtain equitable monetary relief under Section 13(b) of the FTC Act – an issue that is currently being considered by the Supreme Court in AMG Capital Management LLC v. Federal Trade Commission.
To gain a better understanding of the deceptive marketing campaigns seeking to exploit the ongoing public health crisis and the challenges the FTC faces in fighting fraud, the Subcommittee invited Bonnie Patten, Executive Director of TruthInAdvertising.org; Jessica Rich, former Bureau of Consumer Protection Director and Distinguished Fellow of the Institute for Technology Law & Policy at Georgetown Law School; William E. Kovacic, former FTC Chairman and Global Competition Professor of Law at George Washington University Law School; and Traci Ponto, Spokane COPS Crime Victim Advocate at Spokane Community Oriented Policy Services.