Archives: Privacy & Data Protection

FTC report looks to improve mobile device security for businesses

On February 28, 2018, the Federal Trade Commission (FTC) released a report about security update practices for businesses providing mobile phones and other connected devices. The report recommends that manufacturers and carriers provide security updates that are consistent with consumer expectations, provide better information regarding their security practices and educate consumers on their role in … Continue Reading

Binding corporate rules – Article 29 Working Party issues revised guidelines

On 6 February 2018, the Article 29 Working Party (WP29) adopted revised guidelines on binding corporate rules (BCRs). These were issued following a period of public consultation that concluded on 17 January 2018. Technology Law Dispatch previously covered the issuing of the draft guidelines last December, in a blog setting out the key elements of … Continue Reading

Will EU data protection authorities’ ‘consistency mechanism’ be ready in time for the GDPR?

During an Article 29 Working Party (WP29) press conference on 7 February 2018, the outgoing chair and French privacy chief, Isabelle Falque-Pierrotin, expressed concerns that EU data protection authorities (DPAs) may not be able to enforce the General Data Protection Regulation (GDPR) effectively and in a unified manner in accordance with the consistency mechanism, by … Continue Reading

Get your update on IT and data protection law in our newsletter

The Winter 2018 edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released. We cover new case law on marketing consent, cookie consent, the liability of platform providers, employee data protection, sales of address data and the right to be forgotten. The newsletter also includes multiple recommended reads … Continue Reading

German court issues important judgment on consent and transparency in Facebook case

The Regional Court of Berlin held in a judgment of 16 January 2018 (docket no. 16 O 341/15, German language version of the judgment available here) that Facebook’s default privacy settings and parts of their terms and conditions were invalid. This judgment provides important guidance on consent and transparency. Background: The Federation of German Consumer … Continue Reading

New data protection fees for UK businesses – Draft Data Protection (Charges and Information) Regulations 2018 and ICO guide published

On 20 February 2018, The Data Protection (Charges and Information) Regulations 2018 (the Regulations) were laid before the UK parliament. The Regulations affect what businesses have to pay when registering their data protection arrangements with the Information Commissioner’s Office (ICO). On 21 February 2018, the ICO issued a guide for data controllers about the proposed … Continue Reading

Territorial applicability of the GDPR

The GDPR is just around the corner and will be effective in less than three months – on 25 May 2018. Organizations are therefore in the midst of preparations to comply with the new Regulation in order to avoid the potentially high fines. Non-EU organizations have to assess whether the GDPR is applicable to them … Continue Reading

Utah AG and FTC Associate Director discuss emerging regulatory and enforcement trends at Reed Smith

The International Association of Privacy Professionals and Reed Smith’s Washington, D.C. office co-hosted the Association’s KnowledgeNet Chapter meeting, “Key Federal and State Regulatory and Enforcement Trends in Privacy to Watch in 2018 – Direct from the Regulators” on February 27, 2018. Reed Smith partner Divonne Smoyer moderated a panel discussion featuring Utah Attorney General Sean … Continue Reading

Guiding light: SEC adopts updated cybersecurity guidance

Last week, the Securities and Exchange Commission (SEC) unanimously adopted new cybersecurity guidance aimed at assisting public companies in their preparation of cybersecurity risk and incident disclosures. In its new Statement and Interpretive Guidance on Public Company Cybersecurity Disclosures, the SEC is aiming to apply lessons learned from the many major data security incidents that … Continue Reading

Article 29 Working Party issues revised guidance on personal data breach notification

With less than three months until the General Data Protection Regulation 2016/279 (GDPR) comes into effect on 25 May 2018, the Article 29 Working Party (WP29) published revised guidelines on personal data breach notification (Guidelines). You may well remember our recent blog covering the Guidelines when the WP29 issued its initial guidance on 3 October … Continue Reading

Full quilt: The final two states without data breach laws push forward to complete the patchwork protecting personal information in the U.S.

There are currently only two U.S. states that do not have a state data breach notification law: South Dakota and Alabama. Recently, South Dakota took a big step toward approving a data breach notification law. On January 25, 2018, the state’s Senate Attorney Judiciary Committee advanced the bill after a 7–0 vote, sending it to … Continue Reading

Massachusetts Attorney General announces new data breach reporting tool and database

Massachusetts Attorney General (AG) Maura Healey has announced that the state will offer an online portal where businesses can more easily report that they have experienced a data breach. Massachusetts will also offer consumers an electronic database to view reported breaches, similar to the online repositories operated by California, Maryland and other states. Affected companies … Continue Reading

“An interview with Utah AG Sean Reyes”

Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with Utah Attorney General Sean Reyes. AG Reyes is well known as a bipartisan thought leader among AGs on the issues of privacy and cybersecurity. In the interview, he … Continue Reading

Four months until GDPR: Which EU countries are ready? How relevant are these laws?

The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. It will attempt to standardize data protection law throughout the European Union. The GDPR will not be fully harmonized since the law has more than 70 opening clauses that will leave room for the EU Member States’ legislators to implement (stricter, … Continue Reading

Defendant cites data breach investigation conclusions in discovery response, resulting in the Sixth Circuit finding “Sword and Shield” waiver of attorney-client privilege

The U.S. Court of Appeals for the Sixth Circuit recently ruled that a data breach defendant waived its attorney-client privilege for investigation-related communications with counsel after disclosing investigative findings in a discovery request and relying on the findings to assert an affirmative defense. The attorney-client privilege is a powerful tool, but it must be handled with care. … Continue Reading

Warning light: The FTC is monitoring the connected car marketplace

In a recently published “Staff Perspective,” the Federal Trade Commission (FTC) appears to be staying true to the regulatory humility approach Acting Chairman Maureen K. Ohlhausen underscored in her opening remarks to the connected cars and autonomous vehicles workshop the FTC co-hosted with the National Highway Traffic Safety Administration (NHTSA) last summer. The Consumer Protection … Continue Reading

DHS and DOC Report on Botnets and IoT Security Recommends Increased Collaboration between Stakeholders in Private Industry and Government

On Jan. 5, 2018, the Department of Homeland Security (DHS) and the Department of Commerce (DOC) released their joint draft report on “Enhancing the Resilience of the Internet and Communications Ecosystem against Botnets and Other Automated, Distributed Threats” for public comment. The report provides a series of recommendations for addressing the threats presented by botnets … Continue Reading

Article 29 Working Party releases guidelines on transparency under the GDPR

On 11 December 2017, the Article 29 Working Party (Art 29 WP) published its draft guidance on transparency. The guidelines are open for consultation until 23 January 2018. The Art 29 WP analyse the elements of transparency required by the General Data Protection Regulation (GDPR). They also provide further details on the information that data … Continue Reading

Article 29 Working Party publishes updated guidance on adequacy referential

On 28 November 2017, the Article 29 Working Party (‘WP29’) published a working document updating its previous guidance on transfers of personal data to third countries (WP12), (‘WP29 Document’). WP29 has reviewed its earlier guidance in the context of the General Data Protection Regulation (‘GDPR’) and recent case law of the European Court of Justice … Continue Reading

Article 29 Working Party releases guidelines on consent under the GDPR

On 28 November 2017, the Article 29 Working Party (“WP29”) published its guidelines on consent under the General Data Protection Regulation (“GDPR”). The guidelines are open for public consultation until 23 January 2018. They provide an analysis of the concept of consent. They also provide practical guidance for organisations on the requirements for obtaining and … Continue Reading

Article 29 Working Party issues new guidelines for Binding Corporate Rules

The Article 29 Working Party (WP29) has published updated guidelines on Binding Corporate Rules (BCRs) to reflect the requirements set out in the General Data Protection Regulation (GDPR). The two documents, which replace previous WP29 working papers (WP 153 and WP 195) and remain open for public consultation until January 17, 2018, are: (i) Working … Continue Reading

Nation on Hold for Supreme Court Carpenter v. United States Decision

On November 29, many interested audience members packed into the Supreme Court to witness oral argument on the issue of whether the Fourth Amendment demands that the government obtain a warrant in order to acquire long-term, cell-site location information (CSLI) from wireless service providers, in what could be one of the most influential privacy decisions … Continue Reading

Pre-Christmas Update on the ePrivacy Regulation

The General Data Protection Regulation (“GDPR”) will enter into force 25 May 2018, and will provide new general data protection standards. In its draft ePrivacy Regulation of 10 January 2017 (“ePrivacy Regulation”), which includes specific provisions for electronic communications, the European Commission sought to ensure that both sets of rules will enter into force at … Continue Reading

Morrisons found vicariously liable for a data breach committed by one of its employees

Following a recent ruling by the High Court against WM Morrisons Supermarket PLC (“Morrisons”), employers may now find themselves vicariously liable for data breaches perpetrated by their employees. Background: In 2014, it was discovered that a file containing the payroll data of 99,998 Morrisons’ employees had been uploaded to a file sharing website. … Continue Reading