On April 17, the Nebraska governor signed the Nebraska Data Privacy Act (the “NDPA”) into law. Nebraska is the latest state to enact comprehensive privacy legislation, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Oregon, Texas, Florida, Delaware, New Jersey, New Hampshire, Kentucky, and Maryland. The NDPA will take effect on January 1, 2025. This blog post summarizes the statute’s key takeaways.Continue Reading Nebraska Enacts Nebraska Data Privacy Act
Search results for: general data protection
EHDS Series – 5: European Health Data Space Governance, Enforcement and Timelines
By Kristof Van Quathem on
On March 5, 2025, the final text of the European Health Data Space (EHDS) was published in the EU Official Journal. In April 2024,we wrote several blog posts on EHDS based on a provisional compromise text. We have now updated those to reflect the final version and included references to the correct provisions.
This article focuses on the governance and enforcement of the EHDS; for an overview of the EHDS generally, see our first post in this series.Continue Reading EHDS Series – 5: European Health Data Space Governance, Enforcement and Timelines
EHDS Series – 3: The European Health Data Space from the Health Data User’s Perspective
By Kristof Van Quathem on
On March 5, 2025, the final text of the European Health Data Space (EHDS) was published in the EU Official Journal (see here). In early April 2024,we wrote several blog posts on EHDS based on a provisional compromise text. We have now updated those to reflect the final version and included references to the correct provisions.
This article focusses on the obligations of data users; for an overview of the EHDS generally, see our first post in this series.Continue Reading EHDS Series – 3: The European Health Data Space from the Health Data User’s Perspective
China Eases Restrictions on Cross-Border Data Flows
After nearly six months since the initial draft was issued for public comments on September 28, 2023 (see here for our previous alert on that development), on March 22, 2024, the Cyberspace Administration of China (“CAC”) issued the final version of the Provisions on Promoting and Standardizing Cross-Border Data Flows (促进和规范数据跨境流动规定) ( “Provisions”) (Chinese version available here). The Provisions take effect immediately.
The newly finalized Provisions introduce significant changes to China’s existing cross-border data transfer regime. These changes primarily involve exemptions from the previously mandated transfer mechanisms outlined in the Personal Information Protection Law (“PIPL”) and its implementing regulations. Such mechanisms included undergoing a government-led security assessment, entering into a standardized contract, or obtaining personal information protection certification. As a result, many companies that previously faced these requirements may now be exempt, easing their compliance burden for cross-border data transfers. Importantly, the Provisions take precedence over any conflicting provisions within PIPL’s implementing regulations, including the Measures on the Standard Contract for Cross-Border Transfer of Personal Information and the Measures for Security Assessment of Cross-Border Data Transfer.Continue Reading China Eases Restrictions on Cross-Border Data Flows
California Attorney General Announces Second CCPA Settlement
By Lindsey Tonsager, Jayne Ponder & Jessica Ke on
Posted in California Consumer Privacy Act (CCPA)
The California Attorney General recently announced a settlement with DoorDash to resolve allegations that DoorDash violated the California Consumer Privacy Act (CCPA) and the California Online Privacy Protection Act (CalOPPA). Continue Reading California Attorney General Announces Second CCPA Settlement
Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 2: Safeguarding Health Data Not Covered by HIPAA
By Libbie Canter, Anna D. Kraus, Elizabeth Brim & Natalie Maas on
Posted in Health Privacy
Senator Bill Cassidy (R-LA), the Ranking Member of the U.S. Senate Health, Education, Labor, and Pensions (“HELP”) Committee, published on February 21, 2024, a white paper with various proposals to update privacy protections for health data. In Part 1 of this blog series (see here), we discussed the first section of Senator Cassidy’s February 21, 2024, white paper. Specifically, we summarized Senator Cassidy’s proposals on how to update the existing framework of the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (collectively, “HIPAA”) without disrupting decades of case law and precedent. In this blog post, we discuss the other sections of the white paper, namely proposals to protect other sources of health data not currently covered by HIPAA.Continue Reading Senator Cassidy Issues White Paper with Proposals to Update Health Data Privacy Framework – Part 2: Safeguarding Health Data Not Covered by HIPAA
The FCC Expands Scope of Data Breach Notification Rules
By Yaron Dori, Conor Kane & John Webster Leslie on
Posted in Technology
In late December 2023, the Federal Communications Commission (“FCC”) published a Report and Order (“Order”) expanding the scope of the data breach notification rules (“Rules”) applicable to telecommunications carriers and interconnected VoIP (“iVoIP”) providers. The Order makes several notable changes to the prior rules, including broadening the definitions of a reportable “breach” and “covered data,” requiring covered entities to notify the FCC in addition to federal law enforcement of breaches, and modifying certain customer notification requirements. The Rules are expected to become effective sometime in 2024, after they are reviewed by the Office of Management and Budget and the FCC’s Wireline Competition Bureau (“Bureau”) announces the effective dates by subsequent public notice.Continue Reading The FCC Expands Scope of Data Breach Notification Rules
German Data Protection Authorities Publish Paper on Cloud-Based Digital Health Applications
Digital health apps are increasingly used in practice. They raise various questions under regulatory and data protection and data security laws. On November 6, 2023, the German Conference of the Independent Data Protection Supervisory Authorities (Datenschutzkonferenz, DSK), a national body which brings together Germany’s federal and regional data protection authorities, issued a paper about the GDPR’s application to cloud-based digital health applications (“health apps”) that are not subject to the German Digital Health Applications Ordinance (Digitale Gesundheitsanwendungen-Verordnung, the “DiGA Regulation”).Continue Reading German Data Protection Authorities Publish Paper on Cloud-Based Digital Health Applications
French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases
By Kristof Van Quathem & Alix Bertrand on
On October 11, 2023, the French data protection authority (“CNIL”) issued a set of “how-to” sheets on artificial intelligence (“AI”) training databases. The sheets are open to consultation until December 15, 2023, and all AI stakeholders (including companies, researchers, NGOs) are encouraged to provide comments. Continue Reading French CNIL Opens Public Consultation On Guidance On The Creation Of AI Training Databases
EU Advocate General Defines “Identity Theft” And Reaffirms GDPR Compensation Threshold
By Kristof Van Quathem on
Posted in European Union
EU advocate general Collins has reiterated that individuals’ right to claim compensation for harm caused by GDPR breaches requires proof of “actual damage suffered” as a result of the breach, and “clear and precise evidence” of such damage – mere hypothetical harms or discomfort are insufficient. The advocate general also found that unauthorised access to data does not amount to “identity theft” as that term is used in the GDPR.Continue Reading EU Advocate General Defines “Identity Theft” And Reaffirms GDPR Compensation Threshold