Archives: Privacy & Data Protection

Subscribe to Privacy & Data Protection RSS Feed

Attorney General Rokita on the possibility of a federal privacy law, Indiana’s breach notification law, and regulating data brokers

By Divonne Smoyer and Roger Gibboni on 24 May 2022 Posted in Privacy & Data Protection

In the June edition of IAPP’s Privacy Advisor, Divonne Smoyer and Roger Gibboni talk to Indiana State Attorney General Todd Rokita on the possibility of Congress passing a federal privacy law, Indiana’s different approaches to data privacy and protection, and its recent announcement that the state was joining Washington, Texas, and D.C. in an enforcement … Continue Reading

UK regulators publish two discussion papers on algorithmic systems

By Cynthia O’Donoghue, Sarah O'Brien and Yunzhe Zhang on 17 May 2022 Posted in Privacy & Data Protection, Regulatory

On 28 April 2022, the UK Digital Regulation Cooperation Forum (DRCF) published two discussion papers on the benefits and harms of algorithms and on the landscape of algorithmic auditing and the role of regulators, respectively. About DRCF The DRCF consists of four UK regulators: the Competition and Markets Authority, Ofcom, the Information Commissioner’s Office and … Continue Reading

Department for Digital, Culture, Media and Sport launches consultation on app security

By Cynthia O’Donoghue, Yunzhe Zhang and Sarah O'Brien on 16 May 2022 Posted in Data & Cyber Security, Privacy & Data Protection, Social, Mobile, Analytics & Cloud (SMAC)

On 4 May 2022, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation (available here) to request views from the tech industry on potential interventions to enhance security and privacy requirements for firms running app stores and developers making apps.… Continue Reading

European Commission adopts two proposals for cybersecurity and information security regulations

By Cynthia O’Donoghue and Sarah O'Brien on 7 April 2022 Posted in Privacy & Data Protection

On 22 March 2022, the European Commission (“EC”) adopted two new proposals for a Cybersecurity Regulation and an Information Security Regulation (available here and here). These regulations aim to set common priorities and frameworks in order to further strengthen inter-institutional co-operation, minimise risk exposure and further strengthen the EU security culture.… Continue Reading

Kids’ Smart Watchmaker Updates Privacy Practices at Safe Harbor’s Direction

By Gerard Stegmaier, John P. Feldman and Stuart Cobb on 4 April 2022 Posted in Cookies, Tracking & Online Behavioral Advertising, Privacy & Data Protection

On March 8th, the Children’s Advertising Review Unit (“CARU”), a FTC-approved safe harbor organization that monitors compliance with the Children’s Online Privacy Protection Act (“COPPA”), announced it had found TickTalkTickTalk––a children’s smart watchmaker and one of CARU’s member organizations—in violation of COPPA and CARU’s privacy guidelines.… Continue Reading

Time to change to the new EU and UK Standard Contractual Clauses (SCCs)

By Cynthia O’Donoghue, Dr. Andreas Splittgerber and Asélle Ibraimova on 28 March 2022 Posted in Global Data Transfers, Privacy & Data Protection

As you might know, the new EU SCCs were published last year. The UK has now issued new templates for data transfers that can be used from 21 March 2022. With the UK templates confirmed and available, many multinational organisations with presence in the EU and the UK are gearing up to transition their contracts … Continue Reading

Iowa Attorney General Tom Miller on the latest on consumer protection, emerging technologies and data privacy

By Divonne Smoyer and Roger Gibboni on 23 March 2022 Posted in Privacy & Data Protection

In the latest edition of the IAPP Privacy Advisor, Divonne Smoyer and Roger Gibboni talk with Iowa Attorney General (AG) Tom Miller on the latest issues surrounding emerging technology, data privacy and consumer protection. As the longest serving state AG in U.S. history and the President of the National Association of Attorneys General, AG Miller … Continue Reading

Get your Update on IT & Data Protection Law in our Newsletter (Winter 2022 Edition)

By Dr. Andreas Splittgerber and Sven Schonhofen on 17 March 2022 Posted in Cookies, Tracking & Online Behavioral Advertising, In the Courts, Privacy & Data Protection, Regulatory

The Winter 2022 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released: English version German version… Continue Reading

Maryland and California Propose Biometric Privacy Legislation that Would Include Illinois-Like Private Rights of Action

By Gerard Stegmaier, Sarah Bruno, Mark Quist, Hubert Zanczak and Stuart Cobb on 3 March 2022 Posted in Privacy & Data Protection

Maryland and California look to join the list of states that not only regulate biometric data but provide consumers with the opportunity to seek hefty statutory damages and attorney’s fees from offending businesses. Similar to Illinois’ oft-litigated Biometric Information Privacy Act (“BIPA”), both bills would also (i) require written consent prior to the collection of … Continue Reading

Chinese data security laws increasingly create roadblocks for litigants seeking discovery in U.S. courts

By Gerard Stegmaier, Michael J. Lowell, Mark Quist, Cindy Shen, Eric Manski and Stuart Cobb on 1 March 2022 Posted in In the Courts, Privacy & Data Protection

Two Chinese information security laws, the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”), are creating difficulties for parties involved in litigation in the United States seeking discovery materials stored in China. Both the DSL and the PIPL require data processors to obtain approval from the Chinese government before transferring any data … Continue Reading

Cookie fines in France in January 2022: is it the beginning of a “Cookie Gate”?

By Daniel Kadar, Laetitia Gaillard and Sarah O'Brien on 17 February 2022 Posted in Privacy & Data Protection

In January 2022, several decisions by the French data protection regulator (“CNIL”) were published regarding the implementation of French cookie requirements, sending out a strong signal to website operators targeting French users. On 6 January 2022, the CNIL issued fines totalling 150 million euros and 60 million euros, to Google and Facebook respectively, for violations … Continue Reading

ICO launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PET

By Cynthia O’Donoghue and Angelika Bialowas on 14 February 2022 Posted in Privacy & Data Protection

On 7 February 2022, the UK Information Commissioner’s Office (ICO) announced that it had launched a consultation on Chapter 3 of its draft guidance on anonymisation, pseudonymisation, and privacy enhancing technologies (PET).… Continue Reading

CO AG’s symposium centers on Colorado Privacy Act and data privacy policies

By Divonne Smoyer and Roger Gibboni on 2 February 2022 Posted in Privacy & Data Protection

The Attorney General Alliance and the Colorado Department of Law’s recent symposium “Colorado Privacy Act: Rights, Obligations, and Next Steps” demonstrates a continued commitment by various state attorneys general to influence and enforce data privacy policies. The panel discussions focused on the Colorado Privacy Act (CPA), one of only three comprehensive data privacy laws in … Continue Reading

Additional cybersecurity measure proposed for CIP Reliability Standards

By Colette Honorable, Debra Ann Palmer, Bart Huffman, Wendell Bartnick and Christian Blair on 1 February 2022 Posted in Privacy & Data Protection, Regulatory

In response to recent cybersecurity incidents, the Federal Energy Regulatory Commission (FERC) has announced a Notice of Proposed Rulemaking (NOPR) that would task the North American Electric Reliability Corporation (NERC) to impose additional cybersecurity requirements on high-, medium-, and, potentially, low-impact bulk electric systems in its Critical Infrastructure Protection (CIP) Reliability Standards.… Continue Reading

U.S. Data Privacy Compliance Roadmap for 2022

By Sarah Bruno, Idara Udofia and Hubert Zanczak on 28 January 2022 Posted in Cookies, Tracking & Online Behavioral Advertising, Privacy & Data Protection

There’s no doubt 2022 will be a big year for data privacy compliance with three new laws going into effect in 2023. On January 1, 2023, the California Privacy Rights Act (CPRA) will replace and amend California’s most recent, comprehensive data privacy law, the California Consumer Privacy Act (CCPA), and Virginia’s first extensive privacy law, … Continue Reading

New guidelines on personal data breach notifications

By Philip Thomas, Asélle Ibraimova and Yunzhe Zhang on 18 January 2022 Posted in Privacy & Data Protection

Following a consultation in January 2021, the European Data Protection Board (EDPB) has published its finalised guidelines on examples of personal data breaches and whether they are notifiable. These guidelines supplement previous guidance on personal data breach notification: the Opinion on Personal Data Breach Notification (Opinion 03/2014) and the general Guidelines on Personal Data Breach … Continue Reading

Get your update on IT and data protection law in our newsletter (Holiday 2021 edition)

By Dr. Andreas Splittgerber and Sven Schonhofen on 21 December 2021 Posted in Cookies, Tracking & Online Behavioral Advertising, In the Courts, Privacy & Data Protection

The German Holiday 2021 edition of the quarterly IT and Data Protection Newsletter has just been released:… Continue Reading

German court prohibits U.S. data transfers in “Cookiebot” decision: Why this decision is special and should alert, but not upset your organization

By Dr. Andreas Splittgerber and Sven Schonhofen on 15 December 2021 Posted in Cookies, Tracking & Online Behavioral Advertising, In the Courts, Privacy & Data Protection, Regulatory

On December 1, 2021, in a much-noted decision, the Administrative Court of Wiesbaden (AC Wiesbaden) handed down a preliminary injunction dealing with international data transfers (case 6 L 738/21.WI, available in German here). In the specific case, there was no data transfer mechanism in place and thus the court ordered the defendant to stop using … Continue Reading

Prior notice required in New York to monitor employees’ electronic communications

By Gerard Stegmaier, Mark S. Goldstein and Mark Quist on 23 November 2021 Posted in Privacy & Data Protection

Beginning in May 2022, employers in New York state will be required to make certain disclosures to their workers if they engage in electronic monitoring of employee communications. On November 8, a bill signed into law by Governor Kathy Hochul requires that all employers provide written notice to newly-hired employees if they intend to monitor … Continue Reading

Lloyd v. Google: Supreme Court rejects compensation claim

By Cynthia O’Donoghue and Sarah O'Brien on 22 November 2021 Posted in In the Courts, Privacy & Data Protection

In one of the most highly anticipated judgments in recent years, the UK Supreme Court has unanimously rejected a class-action style compensation claim under the Data Protection Act 1998. The Supreme Court decision was handed down as a result of a claim raised against Google LLC (Google) by Richard Lloyd on behalf of four million … Continue Reading

FTC significantly amends GLBA Safeguards Rule

By Gerard Stegmaier and Mark Quist on 8 November 2021 Posted in Data & Cyber Security, Privacy & Data Protection, Regulatory

The Federal Trade Commission (FTC or Commission) has issued a final rule clarifying its data security requirements for certain covered financial institutions. The new rule, which amends the Safeguards Rule originally promulgated in 2002 under the Gramm-Leach-Bliley Act (GLBA), outlines specific criteria to be incorporated as part of GLBA-covered financial institutions’ information security programs. The … Continue Reading