Search general data protection

Last week, Virginia’s Joint Commission on Technology and Science held its second meeting of the Consumer Data Protection Work Group.

Instead of following a detailed rulemaking process for implementation like that provided for in the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) is being reviewed over the next few months by a group of state officials, business representatives, and advocates. This group will publish recommendations by November 1, 2021, which the state legislature can consider if it amends the law before the VCDPA goes into effect on January 1, 2023. A stated goal of the group is to align the VCDPA with other privacy laws that states are enacting around the country.

At the meeting, the group heard public comments as well as a presentation by Deputy Attorney General Samuel Towell on behalf of the Office of the Attorney General of Virginia (OAG). The presentation covered issues that the OAG sees with the VCDPA’s implementation and proposed a number of recommendations for the group to consider:
Continue Reading Virginia Consumer Data Protection Work Group Holds Second Meeting, Hears Recommendations from the Office of the Virginia Attorney General

The Cyprus Presidency of the Council of the European Union has made clear its objective to achieve a general partial approach on certain articles of the new legislative package on data protection by December 2012, with a view to having the whole legislative package adopted in 2013 or early in

Continue Reading Cyprus Presidency Seeking to Achieve Partial General Approach on Certain Elements of Data Protection Reform Package by December 2012

On February 6, 2025, Advocate General Spielmann released his opinion in the EDPS vs. SRB case (Case C‑413/23 P).  In this case, the European Data Protection Supervisor appealed a decision from the General Court (see our blog post here).

In essence, the case turns on the question of whether

Continue Reading CJEU Advocate General Supports Pragmatic Definition of Personal Data

On January 9, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision on the GDPR’s lawfulness and data minimization principles.

The case arose after a French association (“Mousse”) complained to the French Supervisory Authority (“CNIL”) about the fact that France’s main train company SNCF requires customers to indicate their title and gender identity by ticking either “Sir” or “Madam” when purchasing a train ticket online.  Mousse considered that such a mandatory requirement could not be justified under the “contractual performance” or “legitimate interests” legal bases set out in Article 6 GDPR, and infringed the GDPR’s principles of lawfulness, data minimization and transparency. 

The CNIL dismissed the complaint, and Mousse appealed the CNIL’s decision before the French Administrative Supreme Court (“Conseil d’Etat”), which stayed the proceedings to refer some questions to the CJEU.Continue Reading CJEU Finds Customers’ Title Is Not Necessary Data For The Purchase Of A Train Ticket

Attorneys General in Oregon and Connecticut issued guidance over the holiday interpreting their authority under their state comprehensive privacy statutes and related authorities.  Specifically, the Oregon Attorney General’s guidance focuses on laws relevant for artificial intelligence (“AI”), and the Connecticut Attorney General’s guidance focuses on opt-out preference signals that go into effect on January 1, 2025 in the state.Continue Reading State Attorneys General Issue Guidance On Privacy & Artificial Intelligence

On August 23, 2024, the Brazilian Data Protection Authority (“ANPD”) published Resolution 19/2024, approving the Regulation on international data transfers and the content of standard contractual clauses (the “Regulation”).  The Regulation implements the international data transfer framework under the Brazilian General Data Protection Law (“LGPD”).Continue Reading Brazil Issues New Regulation on International Data Transfers

On 1 July 2024, Germany has enacted stricter requirements for the processing of health data when using cloud-computing services. The new Section 393 SGB V aims to establish a uniform standard for the use of cloud-computing services in the statutory healthcare system which covers around 90% of the German population. In this blog

Continue Reading Germany enacts stricter requirements for the processing of Health Data using Cloud-Computing – with potential side effects for Medical Research with Pharmaceuticals and Medical Devices

On August 1, 2024, the Office of the New York State Attorney General (OAG) released two Advanced Notices of Proposed Rulemaking (ANPRM) for the SAFE for Kids Act and the NY Child Data Protection Act. These ANPRMs solicit input that will help the OAG promulgate regulations in three areas: (1) identifying “commercially reasonable and technically feasible methods” to determine if a user is a minor; (2) identifying methods of obtaining verifiable parental consent; and (3) promulgating any needed language access regulations.

The two laws forming the basis for the rulemaking were enacted on June 20, 2024. The Stop Addictive Feeds Exploitation (SAFE) For Kids Act and the New York Child Data Protection Act contain broad requirements applicable to some companies offering services to children, as explained further below.Continue Reading New York Begins Rulemaking for Two Children’s Data Privacy Laws

On June 6, the Texas Attorney General published a news release announcing that the Attorney General has opened an investigation into several car manufacturers.  The news release states that the investigation was opened “after widespread reporting that [car manufacturers] have secretly been collecting mass amounts of data about drivers directly

Continue Reading Texas Attorney General Opens Investigation into Car Manufacturers’ Collection and Sale of Drivers’ Data

On May 16, 2024, the CNIL launched a public consultation on all of its health data standards.  Interested stakeholders are encouraged to participate by completing a questionnaire (available in French here) by July 12, 2024.

French law has specific requirements for the processing of health data.  In particular, it

Continue Reading CNIL Opens Public Consultation on Its Standards for Processing Health Data