South Korea – EDPB adopts an opinion on the Commission’s draft adequacy decision

Photo of Cynthia O’DonoghuePhoto of Asel IbraimovaBy Cynthia O’Donoghue and Asel Ibraimova on Posted in Global Data Transfers

On 24 September 2021, the European Data Protection Board (EDPB) issued its opinion on the European Commission’s (EC) draft adequacy decision in respect of South Korea.

On 16 June 2021, the EC launched the procedure for the adoption of an adequacy decision for South Korea under the General Data Protection Regulation (GDPR), which would allow free transfers of personal data from the European Economic Area (EEA) to South Korea’s commercial operators and public authorities.

Overall, the EDPB found the central aspects of South Korea’s data protection framework to be essentially equivalent to the European data protection framework. The EDPB’s review focused on both the general aspects of the GDPR (such as data protection concepts, transparency, data retention and grounds for lawful processing for a legitimate purpose) and also on the local laws allowing access by public authorities to personal data transferred from the EEA for law enforcement and national security purposes. The EDPB also reviewed the Notification adopted by the South Korean data protection authority that was designed to fill gaps between the GDPR and Korean framework (Notification).

Continue Reading

FTC signals impending enforcement of its Health Breach Notification Rule

Photo of Gerard StegmaierPhoto of Wendell BartnickPhoto of Haylie TreasPhoto of Catherine DavidPhoto of Ellen PighiniBy Gerard Stegmaier, Wendell Bartnick, Haylie Treas, Catherine David and Ellen Pighini on Posted in Privacy & Data Protection, Regulatory

Last week, the Federal Trade Commission (FTC) announced in a Statement of the Commission On Breaches by Health Apps and Other Connected Devices (Policy Statement) that the FTC will begin enforcement of its Health Breach Notification Rule (Rule) issued in 2009. The Rule was issued by the FTC to regulate certain businesses that handle health information when they are not regulated by the Health Insurance Portability and Accountability Act (HIPAA). Many of those businesses are likely not aware of the Rule, because there has been no public enforcement activity. While questions about the Rule’s scope remain, recent actions by the FTC (including the Policy Statement) suggest that it may be time for businesses to consider whether and how their operations may be drawing interest (investigative and enforcement) from regulators.

Persistent uncertainty about the scope of the FTC’s Health Breach Notification Rule

Our colleagues wrote about the Rule when it was first issued, to explain how certain businesses that handle health information may be required by the Rule to provide notice of data breaches affecting health information. We will not restate that analysis here, but it remains as accurate now as it was then. Until last week, the FTC had never publicly enforced or published new guidance on the Rule. Significant questions, therefore persist, about how the FTC will interpret and apply the Rule.

The Rule does not apply to businesses regulated by HIPAA, but the Rule ambiguously describes the types of business to which it does apply. For example, as drafted, employers that hold employee health records electronically could theoretically be regulated by the Rule—even though it was likely not the FTC’s intent for the Rule to apply in the employment context. Given the Rule’s ambiguous scope, businesses may need to conduct a case-by-case assessment of the applicability of the Rule to their data security incidents to avoid missing this little-known and broad regulatory requirement.

In contrast with the FTC’s Health Breach Notification Rule, HIPAA, which is enforced by the Office for Civil Rights in the Department of Health and Human Services, generally provides clear guidelines as to the scope of its applicability. HIPAA is applicable only to health care providers that submit claims electronically, health plans, and health care clearinghouses. Similar to the Rule, a breach of unsecured protected health information regulated by HIPAA triggers potential breach notification requirements. A “breach” under HIPAA involves “an acquisition, access, use, or disclosure of protected health information in a manner not permitted” by HIPAA, which includes many restrictions on disclosures without patient authorization. Failure to comply with the notification requirements under HIPAA could result in civil monetary and other penalties.

Continue Reading

UK Court of Appeal rules AI is not an inventor

Photo of Cynthia O’DonoghuePhoto of Angelika BialowasBy Cynthia O’Donoghue and Angelika Bialowas on Posted in In the Courts

AI is a hot topic, particularly in the area of patent law and inventorship.

On Tuesday 21 September 2021, the UK Court of Appeal ruled that artificial intelligence (AI) cannot be listed as an inventor on a patent application (Thaler v Comptroller General of Patents Trade Marks and Designs [2021] EWCA Civ 1374).

Background

The present case related to two patent applications submitted to the UK Intellectual Property Office (IPO) by Dr Stephen Thaler. Both applications listed the inventor as ‘DABUS’, an AI machine built for the purpose of inventing, which had successfully come up with two patentable inventions. The UK IPO had refused to process either application (considering them withdrawn) as they failed to comply with the requirement to list an inventor and Dr Thaler was not entitled to apply for the patents. According to the Patents Act 1977, an inventor must be a ‘person’.

At the Court of First Instance, Mr. Justice Marcus Smith had upheld the IPO’s decision.

Continue Reading

Illinois Court of Appeals finds one year and five year statute of limitations for BIPA claims

Photo of Michael GaliboisBy Michael Galibois and Hubert Zanczak on Posted in In the Courts, Privacy & Data Protection

On September 17, 2021, the Illinois Court of Appeals for the First District ruled that some BIPA claims are subject to a five year statute of limitations, while others must be brought within one year. In Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563, the appellate court accepted a certified question from the trial court, seeking clarification of BIPA’s applicable statute of limitations.

The Illinois law regulating biometrics has been making headlines in the last few years, with the most recent clash focusing on the period within which plaintiffs have to bring a claimed violation. BIPA itself does not contain a statute of limitations, and courts have wrestled over the proper applicable time period. Some courts have applied the catch-all five year statute of limitations, while others thought the one year statute of limitations applicable to state privacy actions should apply. In Black Horse Carriers, the court found both statutes of limitations applied depending on the specific claimed BIPA violation.

The court found that claims brought under Sections 15(c) and (d), for sale and disclosure of biometrics, respectively, are subject to the one year statute of limitations. All other BIPA claims, such as those brought under Section 15(a) for failure to provide notice, Section 15(b) for failure to obtain written release, and Section 15(e) for failure to use reasonable care, are subject to the state’s five year catch-all requirement.

 Conclusion

As many BIPA-related questions continue to make their way through the appellate process, it is prudent to watch how the judicial landscape continues to take shape.

California privacy update: New state enforcement agency leadership discuss extending CPRA rulemaking deadline and doubling the number of current CCPA regulations

Photo of Sarah BrunoPhoto of Gerard StegmaierPhoto of Mark QuistBy Sarah Bruno, Gerard Stegmaier, Mark Quist and Hubert Zanczak on Posted in Privacy & Data Protection

California’s new enforcement agency, the Consumer Privacy Protection Agency (CPPA), recently held a meeting of its Board of Directors (Board), where they discussed the possible need to extend the July 1, 2022 CPRA rulemaking deadline and estimated that the updated privacy law, which takes effect in 2023, may require doubling the existing body of CCPA regulations. Key rulemaking topics discussed at the board meeting included rules covering new topics such as rules related to automated decision-making and the CPRA’s new data protection assessment and auditing requirements.

CPPA executive director and staff to be appointed

With a little over nine months until the CPRA regulations are supposed to be finalized, the CPPA is still working on making key staff and leadership appointments. The Board recently held an all-day closed session to review and discuss the applications for the executive director post, indicating it may be close to making a decision on that leadership post. In the preceding open session, members discussed the Chief Privacy Auditor role and the requirements for that new position. As for staff, the Board noted that the Attorney General’s (AG) office already has 10 people dedicated to CCPA-related work and discussed hiring five retired state employees that are attorneys for part-time positions.

Extension of the July 1, 2022 rules deadline

With the CPRA rulemaking deadline looming on July 1, 2022, Board members expressed concern about the CPPA’s ability to draft, revise, and finalize a large number of new rules in the time that remains. Based on this concern, the Board discussed asking the legislature for an extension, enacting temporary “emergency” regulations, or adding grace periods for compliance with the new rules. Emergency rules would allow the CPPA to introduce new rules on an expedited basis while extending the final rulemaking beyond the July 1, 2022 deadline.  Continue Reading

DCMS launches public consultation on reforms to the UK’s data protection regime

Photo of Cynthia O’DonoghuePhoto of Howard Womersley SmithBy Cynthia O’Donoghue and Howard Womersley Smith on Posted in Privacy & Data Protection

On 10 September 2021, the Department for Digital, Culture, Media & Sport (DCMS) launched a public consultation on its proposed reforms to the UK’s data protection regime, with a view to assessing the case for legislative change.

The consultation comes as the first step in the government’s plans to deliver on ‘Mission 2’ of its National Data Strategy, published in 2020: to secure a data regime that promotes growth and innovation for UK businesses, while also maintaining public trust.

The UK’s data protection regime has not received a substantive update since 2018 when the European Union’s General Data Protection Regulation (GDPR) took effect, alongside the introduction of the UK’s Data Protection Act 2018. The government’s National Data Strategy has suggested that the UK may start to move away from EU law when it comes to data protection.

According to the Secretary of State, the ultimate aim of the consultation is to ‘create a more pro-growth and pro-innovation data regime, whilst maintaining the UK’s world-leading data protection standards’. Continue Reading

Key rules of PRC’s new Personal Information Protection Law

Photo of Amy YinPhoto of Charmian AwBy Amy Yin and Charmian Aw on Posted in Privacy & Data Protection

During the thirtieth meeting of the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China on August 20, 2021, they finally passed the long-awaited Personal Information Protection Law (PIPL), which will come into force on November 1, 2021.

Our recent client alert, the first in a series which we will be producing, provides a brief introduction to the key rules in the PIPL, focusing on the requirements that multinational companies with operations in China need to be aware of.

In our subsequent alerts, we will also address the particular challenges that companies across different sectors (such as TMT, health care, automotive, and financial services) may face in the context of the PIPL.

The ICO approves the first UK GDPR certification schemes

Photo of Cynthia O’DonoghuePhoto of Asel IbraimovaBy Cynthia O’Donoghue and Asel Ibraimova on Posted in Privacy & Data Protection

Controllers and processors can demonstrate their compliance with the GDPR by adhering to approved data protection certification mechanisms established by data protection authorities. The ICO has approved such certification mechanism  for three UK GDPR certification schemes, in the following areas:

  1. IT asset disposal – the Asset Disposal and Information Security Alliance (ADISA) have developed a standard that ensures personal data has been handled appropriately when IT equipment is re-used or destroyed. This scheme is for companies who provide IT asset disposal services and focuses on IT asset recovery and data sanitisation. There are currently no certification bodies listed on the ICO’s website to deliver this scheme;
  2. Age assurance – Age Check Certification Scheme (ACCS) have developed this scheme which includes data protection criteria for organisations operating or using age assurance products. These allow organisations to estimate or verify a person’s age so that they can access age restricted products or services; and
  3. Age appropriate design, specifically children’s online privacy. Again developed by ACCS, this scheme provides criteria for the age appropriate design of information society services which are based on the ICO’s Children’s Code. The certification body for both ACCS schemes is Age Check Certification Services Ltd.

The ICO has commented that for these “constantly evolving” areas “enhanced trust and accountability in how personal data is protected is vital”. Continue Reading

Ohio Attorney General Yost discusses consumer protection and privacy laws

Photo of Divonne SmoyerPhoto of Kile MarksBy Divonne Smoyer and Kile Marks on Posted in Privacy & Data Protection, Regulatory

In a recent Q&A with Ohio Attorney General (AG) Dave Yost published in the IAPP Privacy Advisor, the first term AG discusses how he continued Ohio’s role as a vigorous enforcer of consumer protection and privacy laws, with a lengthy track record of looking out for the needs of the government, business and consumers equally. Since he took office, Attorney General Yost has proven he is prepared to take privacy and consumer protection in Ohio to the next level. AG Yost also shares his views on privacy trends among the states, federal privacy laws, the FTC, preventing ransomware, and data breach litigation safe harbors. Read more in the IAPP Privacy Advisor article here.

The UK’s ICO launches public consultation on employment practices

Photo of Philip ThomasPhoto of Carl De CiccoBy Philip Thomas and Carl De Cicco on Posted in Privacy & Data Protection

The ICO has announced plans to replace its existing employment practices guidance with a more user-friendly online resource. The new resource will be divided into specific topics such as recruitment and selection, employment records, monitoring of workers, and information about workers’ health.

In particular, the new guidance aims to:

  • Address the changes in data protection law,
  • Reflect the changes in the way that employers use technology and interact with staff, and
  • Meet the needs of people using the ICO’s guidance products.

To this end, the ICO has launched a public consultation to gather views on these and related subject areas.

The consultation

The ICO has prepared a survey for completion by those wishing to take part in the consultation. Contributions may be submitted by responding to an online survey or by completing and returning a word document by email or post.

The deadline for responding is midnight on Thursday 21 October 2021.

Continue Reading

LexBlog