Tag Archives: data privacy

South Korea joins APEC’s Cross Border Privacy Rules system

This week, it was officially announced that South Korea has become the fifth country to join the Asia-Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) system. This system was developed by APEC in 2011 to “build consumer, business and regulator trust in cross border flows of personal information” and thus facilitate e-commerce among APEC … Continue Reading

J. Crew Credit Card Digit Class Action Dismissed Again Because of Overly Speculative Identity Theft, Fraud Risks

As courts continue to grapple with close calls on standing following the U.S. Supreme Court’s seminal decision in Spokeo v. Robins, another court has given defendants a win for intangible injuries and risk of future harm.  On June 6, the District of New Jersey dismissed – for the second time – a putative class action … Continue Reading

Bare Statutory Violation of FCRA Fails to Satisfy Standing Requirements Post-Spokeo, Says District of New Jersey in Suit Over Michaels Employment Disclosures

Michaels escaped a potential class action alleging Fair Credit Reporting Act (“FCRA”) violations late last month when a federal judge found the United States Supreme Court’s recent decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) foreclosed the plaintiffs’ claim for a bare statutory violation not resulting in concrete damages. The recent ruling … Continue Reading

Superior Court of Pennsylvania Affirms Rejection of Proposed Data Breach Class of UPMC Workers, Finding Hospital Owed No Duty to Protect Information

Affirming a lower court decision this blog discussed here, the Superior Court of Pennsylvania held January 12 that dismissal of a proposed data breach class action was proper, because the University of Pittsburgh Medical Center lacked a legal duty to protect employee information stolen by a third party. The 2-1 majority’s finding that UPMC had … Continue Reading

The new Cybersecurity Law of China: What does it mean for the International Market?

On 7 November, the government of the People’s Republic of China passed the much-anticipated Cyber Security Law of China, which will come into force 1 June 2017. After first and second drafts were put out for public consultation in June 2015 and May 2016, respectively, it was a third draft issued in October 2016 that … Continue Reading

U.S. Chamber Releases Results of Data Privacy Consumer Poll Showing Non-Partisan Consensus on Legal Reform

In an election season in which it seems Americans cannot agree on much, a new poll shows that data privacy and security reform is a unifying issue. The U.S. Chamber of Commerce Institute for Legal Reform (ILR) has released the findings of a poll shedding light on American voters’ perception of the legal landscape for data … Continue Reading

Third Circuit Dismissal Affirmance Based on Economic Loss Doctrine Shows Spokeo Shouldn’t Be Your Only Data Breach Class Action Exit Strategy

While the United States Supreme Court’s ruling in Spokeo v. Robins, 136 S. Ct. 1540 (2016), has garnered much attention after being cited by numerous courts as a means to dismiss data privacy class actions, defendants should never count out any potential avenues for exiting such a suit; in Pennsylvania (and in many other states … Continue Reading

Wisconsin Federal Court Finds Spokeo Spells the End for Consumer Privacy Class Action

In a sign of the continuing significance of the U.S. Supreme Court’s recent ruling in Spokeo v. Robins, 136 S. Ct. 1540 (May 24, 2016), another federal court has cited that ruling in dismissing claims for lack of Article III standing. In Gubala v. Time Warner Cable, Inc., No. 15-cv-1078 (E.D. Wis. June 17, 2016), … Continue Reading

The Data Protection Directive Is Dead! Long Live the General Data Protection Regulation!

After four years of protracted discussions and negotiations, the General Data Protection Regulation (the “GDPR”) gained final approval from the European Parliament 14 April. It will enter into force 20 days after publication in the Official Journal of the European Union (expected imminently), and it comes into force two years after that date – i.e., … Continue Reading

By jointly tackling Facebook, French regulators set an example to large international digital media companies – First prominent enforcement measure after the Safe Harbor invalidation

On February 8 and 9, 2016, the French Directorate-General for Competition, Consumer Affairs and Prevention of Fraud (the ‘DGCCRF’) and the French Data Protection Authority (the ‘CNIL’), through an obviously concerted action, publicised regulatory enforcement measures they are undertaking against Facebook. The DGCCRF is requiring Facebook to re-write its Terms and Conditions on the … Continue Reading

EU Data Protection Regulators All Set to Scrutinise ‘EU-U.S. Privacy Shield’ and Transfer Mechanisms to the U.S. Generally

On 3 February, the Article 29 Working Party (‘WP29’), a group comprising representatives of the EU Member States’ Data Protection Authorities (‘DPAs’), issued a statement cautiously welcoming the agreement on an “EU-U.S. Privacy Shield”. If it is formally adopted, the Privacy Shield will replace the Safe Harbor agreement that was declared invalid by the EU’s … Continue Reading

Illinois Federal Court Allows Biometric Data Privacy Suit to Proceed

An Illinois federal district court recently denied a request by online image publisher Shutterfly, Inc. and its subsidiary, ThisLife Inc., to dismiss a putative class action lawsuit alleging that the companies’ facial recognition-based system of photo-tagging violates the Illinois Biometric Information Privacy Act (BIPA). That law, which dates to 2008, prohibits companies from collecting and … Continue Reading

What is public can still be ‘private’: European Court of Human Rights halts journalists from re-publishing Finnish citizens’ public tax information

In a ruling by the European Court of Human Rights (“ECHR”) handed down in July 2015, the right to respect for individuals’ privacy trumped journalists’ right to freedom of expression. In the case of Satakunnan Markkinapörssi and Satamedia v. the Republic of Finland, it was decided that Finnish magazine, Veropörssi (“V”), could be prevented … Continue Reading

Employees Can’t Sue Hospital for Negligence, Breach of Contract, After Personal Data Breach

In a favorable decision for defendants in data breach litigation, the Pennsylvania Court of Common Pleas of Allegheny County held that the economic loss doctrine prevented the negligence claim of a group of former and current UPMC employees from going forward in their suit arising out of the theft of information from UPMC’s computer systems. … Continue Reading

Senators Trying to Hit the Brakes on Smart Cars, Citing Privacy and Security Concerns

On February 11, Sens. Ed Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced that they would introduce legislation intended to address the data privacy and security vulnerabilities with Internet-connected cars. The legislation, if passed, would require manufacturers to adhere to a number of security and privacy standards, including the following: Requirement that all wireless access points … Continue Reading

In Nevada Court, Millions of Dollars Wasted in the Name of Macau Data Privacy Law

Clark County Nevada District Judge Elizabeth Gonzalez is considering further sanction against Sands China Ltd. for redacting “personal information” from about 2,600 documents the company produced in 2013 as part of an ongoing wrongful termination suit first filed in 2010 by Steven Jacobs, the former president of Sands Macau. Jacobs alleges that he was wrongfully … Continue Reading

Russia sets a new deadline for data localisation, and removes Hong Kong and Switzerland from Adequate Privacy Protection List

The Russian Duma recently set a new deadline for companies to localise their data processing of Russian citizens on Russian soil, while the data protection authority published an order removing Hong Kong and Switzerland from its ‘adequate privacy protection list’. The Russian Duma has voted through, on a first reading, an accelerated effective date for … Continue Reading

Hong Kong Privacy Commissioner Ends 2014 with Special Interest in Mobile Apps

The Hong Kong Privacy Commissioner of Personal Data (the “Commissioner”) ended 2014 with a special interest in mobile applications (“apps”). In a media statement published 15 December 2014, the Commissioner reported that versions 4.3 and earlier of Google’s Android operating system contained a flaw that allowed others to read shared memory in mobile devices without … Continue Reading

Direct Marketing Association releases New Privacy Code of Practice

On 18 August, the Direct Marketing Association (‘DMA’) issued its new Privacy Code of Practice (‘Code’) to address customer concerns about data privacy. The Code is a result of an 18-month consultation with the Information Commissioner’s Office, the Department for Culture, Media & Sport and Ofcom. The Code focuses on five key principles: Put your … Continue Reading

European Commission releases technical standards on Radio Frequency Identification

In July, the EU introduced new technical standards (‘Standards’) to assist users of Radio Frequency Identification (‘RFID’) technology to comply with the EU Data Protection regime and the Commission’s 2009 recommendation on RFID. The Standards are the result of a long-term EU project which began with a public consultation in 2006. When RFID technology is … Continue Reading

Article 29 Working Party supports recognition of Processor BCRs in the Data Protection Regulation

In June, the Article 29 Working Party (‘Working Party’) wrote to the President of the European Commission, setting out its case for including a reference to Binding Corporate Rules for data processors (‘BCR-P’) in the forthcoming Data Protection Regulation. Binding Corporate Rules are one way in which data controllers or data processors in Europe can … Continue Reading

Ireland and the UK ban forced subject access requests

The practice of employers forcing employees or applicants to exercise subject access rights has been described by the UK’s Information Commissioner’s Office (‘ICO’) as a “clear perversion of an individual’s own rights”. It is now set to become a thing of the past in the UK and Ireland, as both jurisdictions bring laws into effect … Continue Reading

New Russian legislation requires local storage of citizens’ personal data

President Putin recently signed Federal Law No. 242-FZ (the “Law”) which amends Russia’s 2006 data protection statute and primary data security law (Laws 152-FZ and 149-FZ), to require domestic data storage of Russian citizens’ personal data. The Law will allow the websites that do not comply to be blocked from operating in Russia and recorded … Continue Reading

U.S. extraterritorial data warrants: yet another reason for swift Data Protection reform, says EU Commission

In May, we reported that a U.S. magistrate judge had upheld a warrant requiring Microsoft to disclose emails held on servers in Ireland to the U.S. authorities. The ruling has now attracted the attention of Brussels, with the Vice-President of the European Commission, Viviane Reding, voicing her concern. Microsoft had argued before the court that … Continue Reading