As the year comes to an end, consider whether your business is required to make an annual privacy policy update and share updated consumer metrics under the CCPA.
Continue Reading Reminders of Annual CCPA Updates
Privacy Notice
EU Regulators Provide Guidance on Notice and Consent under GDPR
By Mark Young on
The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent under the General Data Protection Regulation (“GDPR”). We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think will be of interest to clients and other readers of InsidePrivacy. The draft guidance is open for consultation until 23 January 2018.
Continue Reading EU Regulators Provide Guidance on Notice and Consent under GDPR
ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law
By Joshua Gray on
Posted in Health Privacy, United Kingdom
The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.
On September 30, 2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system. On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.
Continue Reading ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law
CFPB Finalizes Rule to Allow Online Privacy Disclosures from Financial Institutions
By Inside Privacy on
By Ani Gevorkian
On Monday, the Consumer Financial Protection Bureau (CFPB) finalized a rule that promotes more effective privacy disclosures and saves the financial services industry around $17 million dollars. The new rule permits financial institutions that restrict data-sharing to post their annual privacy notices online rather than delivering them to customers individually. The rule will be effective as soon as it is published in the Federal Register.
Under the Gramm-Leach-Bliley Act (GBLA), a financial institution generally must send annual privacy notices to customers that describe whether and how the financial institution shares their nonpublic personal information. An institution that shares this information with unaffiliated third parties generally must notify customers of their right to opt out of the sharing and provide instructions on how to do so.
Under the new rule, a financial institution may meet GBLA requirements by posting privacy notices online instead of distributing an annual paper copy, as long as the institution adheres to certain requirements. For instance, the institution may not share data in ways that trigger customers’ opt-out rights. They must also continue to send notices through existing delivery methods if the policies’ terms change or if a customer with limited internet access requests by phone to receive a notice.
Continue Reading CFPB Finalizes Rule to Allow Online Privacy Disclosures from Financial Institutions
Proposed Bill Would Limit Annual Privacy Notice Requirement Under GLBA
By Libbie Canter on
Last week, Rep. Blaine Luetkemeyer (R-MO) introduced legislation (H.R. 5817) to limit the obligations of certain financial institutions to provide an annual privacy notice to consumers. Under the Gramm-Leach-Bliley Act (“GLBA”), financial institutions must provide customers an initial privacy notice and, for the duration of a customer relationship, an annual privacy notice that describes the company’s information-sharing practices. While anything is possible in Washington, particularly in a Presidential election year, the expectation is that this bill is unlikely to progress to enactment.
Under H.R. 5817, a financial institution would not be obligated to provide customers with an annual privacy notice so long as the company shares information only in certain limited respects (that are more narrow than those permitted under federal law) and provided that the company has not changed its privacy policies or practices from those disclosed in its most recent privacy notice. Specifically, the carve-out would only be available to those financial institutions that do not share information in either of the following respects:Continue Reading Proposed Bill Would Limit Annual Privacy Notice Requirement Under GLBA