The U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new set of Health Insurance Portability and Accountability Act (HIPAA) FAQs building upon prior guidance from OCR. The new FAQs discuss the applicability of HIPAA to covered entities and business associates that interact with health apps and explain when HIPAA regulated … Continue Reading
In an interview dated February 2018,[1] Isabelle Falque-Pierrotin, at the Head of the French data protection authority (CNIL), stated that the CNIL would adopt a flexible and pragmatic approach from May 2018 onwards when controlling compliance with data protection requirements. The first decision of sanction rendered by the CNIL on Monday January 21, 2019, which … Continue Reading
The Joint Committee on Human Rights has launched an inquiry into the right to privacy under Article 8 of the European Convention on Human Rights (ECHR) and the “Digital Revolution”. The inquiry will examine whether further safeguards to regulate the collection, use, tracking, retention and disclosure of personal data by private companies are required to … Continue Reading
Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with North Carolina Attorney General (AG) Josh Stein. Throughout his tenure as AG, Stein has shown a clear commitment to data privacy and security through his advocacy for strong … Continue Reading
Check out this month’s edition of The Privacy Advisor, a publication of the International Association of Privacy Professionals (IAPP), for Divonne Smoyer and Kimberly Chow’s Q&A with Indiana Attorney General Curtis Hill. AG Hill has prioritized rolling back federal overreach and safeguarding consumers from fraud and scams, along with continuing to take a hard line … Continue Reading
On February 28, 2018, the Federal Trade Commission (FTC) released a report about security update practices for businesses providing mobile phones and other connected devices. The report recommends that manufacturers and carriers provide security updates that are consistent with consumer expectations, provide better information regarding their security practices and educate consumers on their role in … Continue Reading
Three bipartisan Senate bills are up for consideration in Congress that would attempt to modernize the legal standards under which the U.S. government can access communications electronically stored by email service providers and cloud computing companies. The proposed bills, introduced July 27, 2017, each provide a different scheme in updating the Electronic Communications Privacy Act … Continue Reading
This week, it was officially announced that South Korea has become the fifth country to join the Asia-Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) system. This system was developed by APEC in 2011 to “build consumer, business and regulator trust in cross border flows of personal information” and thus facilitate e-commerce among APEC … Continue Reading
As courts continue to grapple with close calls on standing following the U.S. Supreme Court’s seminal decision in Spokeo v. Robins, another court has given defendants a win for intangible injuries and risk of future harm. On June 6, the District of New Jersey dismissed – for the second time – a putative class action … Continue Reading
Michaels escaped a potential class action alleging Fair Credit Reporting Act (“FCRA”) violations late last month when a federal judge found the United States Supreme Court’s recent decision in Spokeo, Inc. v. Robbins, 136 S. Ct. 1540 (2016) foreclosed the plaintiffs’ claim for a bare statutory violation not resulting in concrete damages. The recent ruling … Continue Reading
Affirming a lower court decision this blog discussed here, the Superior Court of Pennsylvania held January 12 that dismissal of a proposed data breach class action was proper, because the University of Pittsburgh Medical Center lacked a legal duty to protect employee information stolen by a third party. The 2-1 majority’s finding that UPMC had … Continue Reading
On 7 November, the government of the People’s Republic of China passed the much-anticipated Cyber Security Law of China, which will come into force 1 June 2017. After first and second drafts were put out for public consultation in June 2015 and May 2016, respectively, it was a third draft issued in October 2016 that … Continue Reading
In an election season in which it seems Americans cannot agree on much, a new poll shows that data privacy and security reform is a unifying issue. The U.S. Chamber of Commerce Institute for Legal Reform (ILR) has released the findings of a poll shedding light on American voters’ perception of the legal landscape for data … Continue Reading
While the United States Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (2016), has garnered much attention after being cited by numerous courts as a means to dismiss data privacy class actions, defendants should never count out any potential avenues for exiting such a suit; in Pennsylvania (and in many other states … Continue Reading
In a sign of the continuing significance of the U.S. Supreme Court’s recent ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016), another federal court has cited that ruling in dismissing claims for lack of Article III standing. In Gubula v. Time Warner Cable, Inc., No. 15-cv-1078 (E.D. Wis. June 17, 2016), … Continue Reading
After four years of protracted discussions and negotiations, the General Data Protection Regulation (the “GDPR”) gained final approval from the European Parliament 14 April. It will enter into force 20 days after publication in the Official Journal of the European Union (expected imminently), and it comes into force two years after that date – i.e., … Continue Reading
On February 8 and 9, 2016, the French Directorate-General for Competition, Consumer Affairs and Prevention of Fraud (the ‘DGCCRF’) and the French Data Protection Authority (the ‘CNIL’), through an obviously concerted action, have publicised regulatory enforcement measures they are undertaking against Facebook. The DGCCRF is requiring Facebook to re-write its Terms and Conditions on the … Continue Reading
On 3 February, the Article 29 Working Party (‘WP29’), a group comprising representatives of the EU Member States’ Data Protection Authorities (‘DPAs’), issued a statement cautiously welcoming the agreement on an “EU-U.S. Privacy Shield”. If it is formally adopted, the Privacy Shield will replace the Safe Harbor agreement that was declared invalid by the EU’s … Continue Reading
An Illinois federal district court recently denied a request by online image publisher Shutterfly, Inc. and its subsidiary, ThisLife Inc., to dismiss a putative class action lawsuit alleging that the companies’ facial recognition-based system of photo-tagging violates the Illinois Biometric Information Privacy Act (BIPA). That law, which dates to 2008, prohibits companies from collecting and … Continue Reading
In a ruling by the European Court of Human Rights (“ECHR”) handed down in July 2015, the right to respect for individuals’ privacy balance trumped journalists’ right to freedom of expression. In the case of Satakunnan Markkinapörssi and Satamedia v. the Republic of Finland, it was decided that Finnish magazine, Veröporssi (“V”), could be prevented … Continue Reading
In a favorable decision for defendants in data breach litigation, the Pennsylvania Court of Common Pleas of Allegheny County held that the economic loss doctrine prevented the negligence claim of a group of former and current UPMC employees from going forward in their suit arising out of the theft of information from UPMC’s computer systems. … Continue Reading
On February 11, Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced that they would introduce legislation intended to address the data privacy and security vulnerabilities with Internet-connected cars. The legislation, if passed, would require manufacturers to adhere to a number of security and privacy standards, including the following: Requirement that all wireless access points … Continue Reading
Clark County Nevada District Judge Elizabeth Gonzalez is considering further sanction against Sands China Ltd. for redacting “personal information” from about 2,600 documents the company produced in 2013 as part of an ongoing wrongful termination suit first filed in 2010 by Steven Jacobs, the former president of Sands Macau. Jacobs alleges that he was wrongfully … Continue Reading
The Russian Duma recently set a new deadline for companies to localise their data processing of Russian citizens on Russian soil, while the data protection authority published an order removing Hong Kong and Switzerland from its ‘adequate privacy protection list’. The Russian Duma has voted through, on a first reading, an accelerated effective date for … Continue Reading
