Photo of Karen Lee Lust

Colorado’s recently passed privacy act, the Colorado Privacy Act (CPA), is scheduled to take effect on July 1, 2023, if signed into law by Governor Jared Polis. While the CPA is a comprehensive privacy act which provides certain rights to consumers regarding their personal data, it does not include a private right of action. It

In a recent Q&A conducted by Divonne Smoyer and Karen Lee Lust with Connecticut Attorney General (AG) William Tong published in the IAPP Privacy Advisor, the AG discusses how he has continued Connecticut’s role as a privacy leader among the states, partnering with the U.S. Federal Trade Commission on data privacy-related matters and other compliance

Virginia’s governor, Ralph Northam, signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2, 2021. The CDPA is set to take effect on January 1, 2023, and is the second most comprehensive consumer privacy law to be enacted in the United States behind the California Consumer Privacy Act (CCPA), recently amended by

In a recent Q&A with Tennessee Attorney General (AG) Herbert Slatery, the eight-year term AG discusses how he makes consumer protection, including privacy and cybersecurity issues, a top priority for Tennessee citizens and businesses. AG Slatery shares his thoughts on privacy on a multi-state state level, the prospect of standards of enforcement for technology companies,

On January 6th, the first day of the New York legislature’s 2021 session, NY lawmakers proposed Assembly Bill 27 (AB 27), the Biometric Privacy Act.  The legislative purpose of AB 27 is to provide safeguards for consumers regarding their biometric identifiers, such as fingerprints, handprints, retina or iris scans, voiceprints, and other facial and hand recognition.  Effectively, the proposed Act would require private (non-governmental) organizations that possess a biometric identifier or biometric information (i.e., information “based on” a biometric identifier) (collectively “biometric data”) to develop a written retention policy  setting forth the time period for information containing biometric data, as well as guidelines for permanently destroying such biometric data either when: (i) the initial purpose for obtaining such information “has been satisfied,” or (ii) within three years of the individual’s last interaction with the private entity, whichever happens first.

AB 27 would also require organizations to obtain individuals’ express written consent for the collection of their biometric data prior to collecting or otherwise obtaining such data. In addition, the proposed Act would prohibit organizations from selling or otherwise profiting from the biometric data which they possess, and separately mandate organizations to provide technical and organizational safeguards around biometric data that are the same or more protective than the measures it maintains for other confidential and/or sensitive information.
Continue Reading New York proposes a new Biometric Privacy Act

Recent cases have highlighted the continued tensions between the GDPR and U.S. demands for discovery in the context of U.S. litigation and investigations. This issue can present a real concern for companies operating on both sides of the pond seeking to comply with obligations on either side. Whilst the GDPR provides EU citizens with valuable protections on the processing and cross-border transfer of their data, it is not an automatic shield from the demands of U.S. state or federal laws that require the preservation, collection, and potential disclosure of any documentation relevant to a matter – regardless of where it originates or to whom it relates.

The process of U.S. discovery that requires the transfer of potential evidence originating or stored in the EU to the U.S. will often trigger obligations under the GDPR where it involves the processing and cross-border transfer of personal data. While previous cases have shown U.S. courts to be reluctant to allow foreign laws to be a barrier to U.S. discovery, two recent cases have provided insight on the U.S. courts’ approach when dealing with the GDPR in this context.
Continue Reading GDPR vs. U.S. discovery: The conflict continues

On 13 November 2019, the European Data Protection Board (EDPB) adopted the guidelines on Data Protection by Design and Default (DPbDD) for public consultation (link here) until 16 January 2020, providing an in-depth analysis of the components that make up DPbDD under GDPR article 25. We highlight below some of the key definitions.

Background

DPbDD refers to the effective implementation of data protection principles and data subjects’ rights and freedoms by Design and by Default. Controllers must be able to demonstrate that they have in place appropriate technical and organizational measures and safeguards in an effective manner. Incorporating such measures from the start of the project planning or product design, and embedding considerations of data protection through the launch phase is more effective and pro-active than a retrospective approach. This means that data protection practices and considerations must be ‘baked in’ to business practices and processing activities from the start. Although DPbDD primarily concerns controllers, processors and other parties are advised to take note as they work with controllers to fulfil the latter’s obligations under GDPR article 25.Continue Reading The EDPB on ‘Data Protection by Design and by Default’

Background

On October 23, 2019, the European Commission (EC) released its report on a third annual review of the EU-U.S. Privacy Shield. While the report confirms that the U.S. continues to provide an adequate level of protection for personal data transfers in the context of the Privacy Shield, there are some gaps between the expectations of the EC and U.S. authorities, particularly in relation to the lack of transparency concerning U.S. enforcement activities and a lack of co-operation between regulators. You can read our summary on the report via this link.

On Thursday, January 9, 2020, members of the Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) met representatives of the EC and European Data Protection Board to discuss the EC’s 2019 report on the Privacy Shield (link accessible here). An interesting question was raised: Would it be possible for the EC to recognize a single state, e.g., a U.S. state such as California, as an adequate territory for transfers of personal data?Continue Reading The EU-U.S. Privacy Shield: feedback, and potential EU recognition of privacy laws of California and other U.S. states?

Denmark’s Data Protection Authority Datatilsynet (DPA) recently recommended its first fine for a breach of the GDPR by the taxi company, Taxa 4×35 (Taxa), due to its over-retention of certain customer data.

Breach of the data minimisation principle

The Danish DPA found that Taxa did not adhere to the GDPR’s data minimisation principle by over-retaining personal data long after the envisaged retention limit for such data, thereby finding an affirmative duty to delete expired personal data. Taxa had deleted customers’ names and addresses after two years of retention but had retained customers’ telephone numbers for an additional three years. Taxa argued that telephone numbers were an essential part of its IT database and therefore could not be deleted in the same time span.Continue Reading Danish DPA issues its first GDPR fine for late deletion of customer telephone numbers

On 10 December 2018, the European Parliament, the Council of the European Union, and the European Commission reached agreement on the cybersecurity proposal put forward by the Commission.

The aim of the Commission’s proposal is to build strong cybersecurity standards in the EU, allowing the EU to become a global leader in cybersecurity. The proposal will benefit member states, businesses, and consumers by expanding the mandate of the European Union Agency for Network and Information Security (ENISA) to deal with cyberattacks across the EU and establishing an EU-wide certification process for businesses.

Commissioner Mariya Gabriel, who is in charge of Digital Economy and Society, has explained the motivation behind the proposal by stating: “Enhancing Europe’s cybersecurity, and increasing the trust of citizens and businesses in the digital society is a top priority for the European Union.”

Continue Reading Informal agreement reached on EU cybersecurity proposal