Archives: Privacy & Data Protection


House of Lords publishes briefing on Data Protection Bill

The House of Lords Library, which provides research and information services to Members of the House of Lords, has published a briefing on the Data Protection Bill (“Bill”) which sets out an overview of and reactions to the Bill (“Briefing”). The Briefing was prepared in advance of the Bill’s second reading in the House of … Continue Reading

EDPS releases recommendations on ePrivacy Regulation – Still a long way to go

We are only eight months away from the new EU data protection regime entering into force. In addition to the General Data Protection Regulation (“GDPR”), which includes the general data protection provisions, the ePrivacy Regulation shall provide specific rules for electronic communications. However, the legislative process of the ePrivacy Regulation is still in its early … Continue Reading

Proposal for a Regulation on the free flow of non-personal data in the EU

The European Commission has issued a proposal for a new Regulation on the free flow of non-personal data (“the Proposal”). Background: The Commission adopted a Communication in January 2017 on “Building a European Data Economy”, in which its work on free flow of data was announced in the context of actions to enhance the data … Continue Reading

Court Deals Blow to FTC’s Position on Unfair Data Security Practices

Over the last several years, the Federal Trade Commission (FTC) has regularly used its authority under Section 5 of the FTC Act to bring cases against companies due to their allegedly unreasonable data security measures. The FTC has paid particular attention to the safeguards that manufacturers have implemented in electronic devices sold to consumers.  Recently, … Continue Reading

39th International Conference of Data Protection and Privacy Commissioners publishes Resolution on Data Protection in Automated and Connected Vehicles

The 39th International Conference of Data Protection and Privacy Commissioners in Hong Kong published a Resolution on Data Protection in Automated and Connected Vehicles, which sets out fundamental data protection requirements for the mobility of the future (“Resolution”). The Resolution proposes common international standards. The Resolution addresses not only vehicle and equipment manufacturers, but also … Continue Reading

Irish High Court asks European Court to rule on legality of EU-US data transfers

Background: On 3 October 2017, the Irish High Court held that it is up to the European Court of Justice (“ECJ”) to determine whether Standard Contractual Clauses (“SCCs”) are a valid method of transferring personal data outside of the EU in compliance with privacy law. SCCs are widely used by businesses that transfer data from … Continue Reading

Spanish DPA fines Facebook €1.2 million for data protection infringements

The Spanish Data Protection Authority (AEPD) has imposed a fine of €1.2 million against Facebook following its investigation into whether Facebook’s data processing activities were in accordance with the Spanish Data Protection Act (Law 15/1999) (the Act). In its decision, the AEPD concluded that Facebook had committed serious breaches of the Act, as discussed further … Continue Reading

ICO publishes draft guidance on contracts and liabilities under the GDPR

The UK’s Information Commissioner (ICO) has published draft GDPR guidance on contracts and liabilities between controllers and processors. The draft guidance is currently open for consultation, with responses due by 10 October 2017. The purpose of the guidance is to help organisations understand what needs to be included in written contracts between controllers and processors under … Continue Reading

Updated Draft of ePrivacy Regulation: Still Hampering Innovation

On 8 September 2017, the European Council published its first revisions (“Revised Draft”) to the draft EU ePrivacy Regulation (version COM(2017) 10 of 10 January 2017, “ePrivacy Regulation”). The Revised Draft is based on the discussions held in previous meetings of the European Union’s Working Party for Telecommunications and Information Society (“WP TELE”), and on comments … Continue Reading

From the Server Room to the Board Room: D&O and Cybersecurity Emerging Trends

With breaches of nearly 150 million Americans’ personal information flooding the news the last few weeks, followed by the filing of more than 50 class action lawsuits to date, and the announcement of an FTC investigation, cybersecurity is squarely on the minds of and on the table in boardrooms across the country. On September 14, … Continue Reading

ICO sets the record straight on data breach reporting under the GDPR

The latest in the series of blogs from the UK Information Commissioner’s Office (ICO) looks at some of the myths around data breach reporting under the General Data Protection Regulation (GDPR). Given the misleading press stories on this topic, the ICO’s blog should provide some welcome clarification for concerned businesses as they prepare to comply … Continue Reading

EU Case Confirms That Employers Do Not Have Carte Blanche For Workplace Monitoring

In early 2016, a European Court of Human Rights (ECHR) case (Barbulescu v. Romania) attracted much publicity because it appeared to give employers the green light to read employees’ private emails (read our original commentary here). The decision in the original case has now been overturned by the Grand Chamber of the ECHR. Background: The … Continue Reading

First judgment on GDPR by German administrative court

The General Data Protection Regulation (“GDPR”) will become applicable 25 May 2018. Even though the GDPR entered into force 24 May 2016, its provisions will be binding and enforceable only from 25 May 2018. In advance of the applicability of the GDPR, the German Administrative Court Karlsruhe (“AC Karlsruhe”) already had to decide on it … Continue Reading

UK Government publishes its position on UK-EU data transfers post-Brexit

The UK Government has published a position paper (“the Paper”), which will form part of a series of papers setting out key issues forming the Government’s vision for their partnership with the EU post-Brexit. The Paper explains how it intends to resolve the much-debated issue of UK-EU data transfers post-Brexit. This issue is a real … Continue Reading

ICO confirms that consent is not the ‘silver bullet’ for GDPR compliance

In her blog last week, the UK Information Commissioner, Elizabeth Denham, tackled the issue of consent under the GDPR. This blog, the second in a series to be published by the ICO, is intended to address some of the myths that have developed around the GDPR. The first blog looked at the ICO’s new fining … Continue Reading

Upcoming first annual review of the EU-U.S. Privacy Shield

During the week of 18 September 2017, the European Commission and the Article 29 Working Party (“WP29”) will undertake the first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). The meetings will take place in the United States. As for the U.S. side, the U.S. Department of Commerce will conduct the review, and it … Continue Reading

Delaware Amends Data Breach Notification Law to Require Reasonable Data Security and Expand the Scope of Personal Information Requiring Notice

On August 17, 2017, Delaware Governor John Carney signed into law House Substitute 1 for House Bill 180, making the first significant amendment to Delaware’s data breach notification law since 2005.  The bill, scheduled to go into effect April 14, 2018, requires private organizations to maintain reasonable security policies and procedures; expands the definition of … Continue Reading

Ninth Circuit Holds Alleged FCRA Violation Satisfies Article III Standing

The Ninth Circuit added another chapter to the storied tale of Article III standing jurisprudence on August 15 when, on remand from the Supreme Court, the appellate court unanimously revived a plaintiff’s Fair Credit Reporting Act (“FCRA”) suit in Robins v. Spokeo, Inc., __ F.3d __, 2017 WL 3480695 (9th Cir. Aug. 15, 2017). The … Continue Reading

Government announces proposals for a new Data Protection Bill

The government has released a Statement of Intent (“the Statement”) for a new Data Protection Bill (“the Bill”). The Bill was originally announced in the Queen’s Speech earlier this year (see our previous blog on this). This Statement provides further detail on the government’s proposed reforms to data protection laws in the UK. The Bill … Continue Reading

UK government posts new NIS Directive consultation addressing cybersecurity threats

The security and reliability of the UK’s IT infrastructure remains a key priority for the government. In August 2017, the Department for Digital, Culture, Media and Sport launched a public consultation on its plans to transpose the Network and Information Systems Directive (‘NIS Directive’) into UK legislation. (As we reported earlier this year, the UK has … Continue Reading

Europe Explores Data Ownership

Machine-generated data is a hot commodity, but who owns this information? As more and more valuable data are generated, should there be legislation to establish ownership and, potentially, access rights? The European Commission conducted a public consultation, “Building a European Data Economy,” to find out. The consultation addressed key factors, such as the question to … Continue Reading

SEC Increases Focus on Cyber Incident Response

In the past few years, we have seen an uptick in agencies beginning to focus on the cybersecurity readiness and response of organizations subject to their jurisdiction. The U.S. Securities and Exchange Commission (SEC), for example, has identified cybersecurity as a top priority for many years. This past June, the SEC named Stephanie Avakian and … Continue Reading

ECPA Reform Legislation on the Horizon (Again)

Three bipartisan Senate bills are up for consideration in Congress that would attempt to modernize the legal standards under which the U.S. government can access communications electronically stored by email service providers and cloud computing companies. The proposed bills, introduced July 27, 2017, each provide a different scheme in updating the Electronic Communications Privacy Act … Continue Reading