ICO’s recommendations on Meltdown and Spectre

In a post of January 5th, Nigel Houlden, the Head of Technology Policy of ICO (the United Kingdom Data Protection Authority) gives organizations recommendations on how to deal with Meltdown and Spectre and protect people’s personal data. As it is now well known, three connected vulnerabilities have been found in Intel’s, AMD’s, and ARM’s processors which could […]

Tags: ,

EU-U.S. Privacy Shield ensures “adequate level of data protection” but could be improved, EU Commission finds

On October 18, 2017, the EU Commission published its report on the first annual review of the EU-U.S. Privacy Shield. The report reflects the Commission’s findings on the implementation and enforcement of the EU-U.S. Privacy Shield framework in its first year of operation. According to the EU Commission, the Privacy Shield “continues to ensure an […]

Tags: ,

FCC repeals net neutrality rules

Today, on Dec 14, 2017, the Federal Communications Commission (“FCC”) voted 3-2 to repeal the 2015 Open Internet Order, i.e., the Obama-era regulation requiring the companies to treat all web traffic alike. The repeal of net neutrality was performed by the passing of an order named “Restoring Internet Freedom,” which “essentially removes the FCC as a regulator […]

SCOTUS heard oral argument in Carpenter vs US: can the Gov’t access carriers’ location data without a warrant?

On November 29, 2017, the Supreme Court heard oral argument in an important privacy case. The Sixth Circuit held that the protection granted under the Fourth Amendment did not prevent the government to access business records from the defendants’ wireless carriers revealing the user’s location without a warrant. In Carpenter v. United States Timothy Carpenter and Timothy Sanders […]


WP29 published criteria for appropriate administrative fines in GDPR’s breach

As announced (see here), on October 3, 2017, the Article 29 Working Party(WP29) published its Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (GDPR). Once a GDPR infringement is established, the competent supervisory authority (Article 5 1 GDPR)  must identify the most appropriate corrective measure(s) to address the […]

Tags: ,

Digital Single Market: unjustified geoblocking to end by the end of 2018

On November 20, 2017, the European Parliament, the Council and the Commission committed to end all geoblocking that unnecessarily impedes consumers to buy products or services online within the EU. The EU digital single market should “give consumers the same possibility to access the widest range of offers regardless of whether they physically enter a […]


WP29’s plenary meeting: final guidelines on DPIA and opening for comments on data breach notification and profiling

At its plenary meeting held in October 2017, Working Party 29 (WP29) examined certain critical matters regarding the implementation of Regulation 2016/679, the so called General Data Protection Regulation (GDPR). WP29 approved the final version of the DPIA guidelines Guidelines on Data Protection Impact Assessment after having examined the comments received during the public consultation which ended […]

Tags: ,

UK publishes Data Protection Bill – data protection will get stricter

As anticipated (see here), a new Data Protection Bill was introduced to the House of Lords on September 13, 2017 and it officially entered Parliament on September 14, 2017. The new Bill aims at substituting the UK Data Protection Act 1998 and updating data protection laws in accordance with the GDPR. What will it change? […]

Spanish DPA issues Eur 1.2 million fine to Facebook

On September 11, 2017, the Spanish Data Protection Agency (AEPD) issued a closing resolution against Facebook deeming that the company doesn’t process data in accordance with EU data protection law. According to the AEPD, Facebook “collects data on ideology, sex, religious beliefs, personal preferences or browsing activity without clearly informing about how and for what purpose it will use […]

Tags: ,

Federal Court affirms District Court’s judgement denying general and specific jurisdiction over Japanese company and its U.S. subsidiary

On March 24, 2017, the Ninth Circuit Court of Appeals affirmed the District Court’s dismissal for lack of personal of plaintiffs-appellants’ claims against Yamaha Motor Corporation, U.S.A. (YMUS), in an action alleging violations of federal and state warranty law and other claims, brought by appellants who purchased allegedly defective outboard motors that Yamaha Motor Co. […]

New York City Bar Opinion 2017-5 on lawyer’s duty of confidentiality when crossing borders

On July 25, 2017, the New York City Bar issued Formal Opinion 2017- 5, which concludes that lawyers have a duty to protect clients’ confidential information from disclosure. This duty stretches to U.S. border agents searching electronic devices. Lawyers shall take “reasonable precautions” to avoid disclosure of clients’ confidential information. Such precautions will vary based […]

Tags: , ,

Conseil d’Etat requests preliminary ruling from CJEU on Right to be Forgotten

The right to be forgotten has been judicially recognized by the CJEU with the Google Spain judgment  (Case C-131/12). According to the judgement, Europeans have the right to disappear from search engine’s results under certain conditions. The National Commission of Information Technologies and Liberties (CNIL), Commission nationale de l’informatique et des libertés, rejected some complaints […]

Tags: ,

Another jurisdiction finds participation in Avvo, LegalZoom, and Rocket Lawyer unethical

On June 21, 2017, the New Jersey Advisory Committee on Professional Ethics, Committee on Attorney Advertising, and Committee on the Unauthorized Practice of Law opined that New Jersey lawyers may not participate in the Avvo legal service programs “because the programs improperly require the lawyer to share a legal fee with a nonlawyer”. The Committees […]

Tags: ,

WP29 issues Opinion to balance employers’ legitimate interests and employees’ reasonable privacy expectations

On June 8, 2017, Working Party 29 (WP29) issued Opinion 2/2017 on data processing at work, which makes a “new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees” also considering the new challenges to data protection created by new technologies. Opinion 2/2017 updates previousOpinion 08/2001 on the processing […]


Mass publication of personal tax information can be banned, the ECHR holds

On June 27, 2017, the Grand Chamber of the European Court of Human Rights (“ECHR”) issued its judgment in the case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland (application no. 931/13) holding that the publication of personal tax information does not violate Article 10 (freedom of expression) of European Convention on Human Rights. […]


ICO issues data protection self assessment toolkit

The United Kingdom DPA, the Information Commissioner Officer (ICO), published an interactive checklist fro organizations to assess  compliance with the Data Protection law and to explain how to comply the GDPR, The ICO’s toolkit includes the following topics: Data protection assurance Getting ready for the GDPR Information security Direct marketing Records management Data sharing and subject access CCTV […]

Tags: ,

Autonomous delivery vehicles allowed on Virginia sidewalks starting from July 1

Autonomous delivery robots will be legal on Virginia sidewalks starting July 1, with approval from local city councils. Sen. Bill DeSteph introduced SB 1207 in the Virginia Senate. An identical bill, HB 2016, was introduced in the House by Del. Ron Villanueva. On June 1, 2017, Gov. Terry McAuliffe signed the bill into legislation. See here. and SB […]

Misrepresentation in attorney’s LinkedIn profile leads to ethics sanctions

On December 19, 2016, the Office of Disciplinary Counsel of the Supreme Court of Pennsylvania issued an order accepting a recommendation from the State’s Disciplinary Board to suspend an attorney for one year and one day for engaging in unauthorized practice of law. Among other counts, the Respondent allegedly maintained a LinkedIn profile representing to […]

Tags: ,

Italian DPA issues 2016 annual activity report – some interesting (and perhaps unexpected) information

On June 6, 2017, the Italian Data Protection Authority (DPA), the Garante per la Protezione dei Dati Personali, issued the annual report on its activity for 2016. The DPA’s activity concentrated on computer crimes and cyber security; online profiling and social media; cyberbullying; fight against terrorism and mass surveillance; Big Data; use of new technologies […]

Tags: ,

SCOTUS to decide whether a warrant is needed to obtain location data from cellphone carriers

On June 5, 2017, the Supreme Court granted a writ of certiorari to review the decision by the Sixth Circuit holding that the protection granted under the Fourth Amendment did not prevent the government to access business records from the defendants’ wireless carriers revealing the user’s location without obtaining a warrant. In Carpenter v. United States […]

Tags: ,

German Parliament approves Data Protection Act to implement the GDPR

On April 28, 2017, the Deutscher Bundestag, the German Parliament adopted the Federal Data Protection Act (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU – DSANPUG-EU). The Act implements in Germany the provisions of Regulation 2016/679, the General Data Protection Regulation (GDPR) . The Federal Council shall now approve the law, which will enter into force at the same time […]


ICO issues guide to encryption

The Information Commissioner Officer (ICO) published a guide discussing the use of encryption. The guide provides a range of practical scenarios highlighting “when and where different encryption strategies can help provide a greater level of protection.” Overview of the Guide: Encryption protects information stored on mobile and static devices and in transmission. It is a way […]

Tags: , ,

Lawyer who ignored client’s Facebook inquiries about his case received a 90-day suspension

On April 27, 2017, the Nebraska Supreme Court ordered the suspension of an attorney from the practice of law for a period of 90 days followed by 1 year’s monitored probation. The Counsel for Discipline of the Nebraska Supreme Court filed formal charges against the attorney. According to the charges, the attorney had taken over […]

Tags: , , ,

NY Court of Appeals dismissed Facebook’s appeal on motion to quash 381user accounts’ search warrants

On April 4, 2017, New York Court of Appeals ruled that it does not have authority to hear Facebook’s appeals against motions to quash search warrants issued under the Stored Communications Act (SCA). By way of background. Facebook appealed a September 17, 2013 New York County trial court’s sealed order containing bulk SCA search warrants directing […]


Executive order on strengthening cybersecurity issued by Trump Administration

On May 11, 2017, the Administration Trump issued an executive order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The executive order contains three sections. The first section deals with cybersecurity of federal networks. Agencies shall implement the NIST framework for risk management and risk reduction, federal IT for shared services shall use the […]


International and Technology Issues for Entrepreneurs Legal Clinic

The SC Bar International Law Committee, in conjunction with Trident Technical College, sponsored a free legal clinic for entrepreneurs in North Charleston on Thursday, May 18. The clinic, titled Technology and International Issues for Entrepreneurs, included information on general corporate issues, cybersecurity, cloud computing, websites, social media, contractual clauses to protect entrepreneurs, data protection, data […]

EDPS comments on the ePrivacy Regulation Proposal and calls for strong rules to protect confidentiality of communications (Opinion 6/2017)

On April 24, 2017, the European Data Protection Supervisor (EDPS) released Opinion 6/2017 on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation Proposal). The EDPS welcomes the Proposal for the Regulation. There is a need of “a specific legal tool to protect the right to private life guaranteed by Article 7 […]

Tags: ,

Facebook fined EUR 150,000 by French DPA for WhatsApp’s unlawful tracking

On May 16, 2017, the French, Belgian and Dutch members of the Data Protection Contact Group published the results of their investigations after WhatsApp issued its new privacy policy in August 2015, after joining Facebook. See here. The DPAs all over the world watched the changes closely and several EU authorities initiated national investigations to verify, […]

WhatsApp was issued a EUR 3 million fine for forcing users to share their personal data with Facebook

On May 11, 2017, the Italian Antitrust Authority (Garante della Concorrenza e del Mercato “ICA”) found that WhatsApp infringed the Italian Consumer Code. In particular, according to the ICA, WhatsApp forced the users of its service “to accept in full the new Terms of Use, and specifically the provision to share their personal data with Facebook, by […]

Tags: ,

Italian court voids share purchase agreement due to unauthorized use of digital signature

On December 20, 2016, the Tribunale di Roma held the unauthorized use of a digital signature smart card could nullify an electronically signed agreement. In this case the Plaintiff had denied the digital subscription of an agreement that transferred stock ownership. Since the share transfer agreement was signed electronically, the judge found that the Codice dell’Amministrazione […]

Bitcoin exchange agreements must comply with consumer protection rules, Italian court holds

On January 24, 2017, a court of Verona (Italy) relied on the European Court of Justice’s decision in Case C‑264/14 to hold that the transactions in which a traditional currency is exchanged for units of Bitcoins and vice versa are “supply of services for consideration” contracts. Indeed,  Bitcoins are given in return for the “payment of a sum equal to the […]

Guidelines for practical implementation of the GDPR issued by the Italian DPA

The Italian Data Protection Authority, Garante per la privacy issued Guidelines for the implementation of Regulation EU/2016/679 on Personal Data Protection (GDPR). The DPA suggests some actions that can be carried out right away to comply with the GDPR and provides a general overview of the major innovations introduced by the legislation. The guidelines are […]

Tags: ,

60% data breach increase in New York, the Attorney general announces

On March 21, 2017, Attorney General Schneiderman announced that his office received a record number of data breach notices in 2016. Around 1,300 data breaches were reported in 2016. This represented a 60% increase over the previous year; these breaches exposed the personal records of 1.6 million New Yorkers in 2016. Hacking represented the leading […]


WP29 issues guidelines aiming at GDPR implementation

In its plenary meeting held in April 2017, Working Party 29 (WP29) examined certain critical matters regarding the implementation of Regulation 2016/679, the s.c. General Data Protection Regulation (GDPR). After having examined the comments received during the public consultation which ended on February 15, 2017 (see here), WP29 adopted the final versions of several guidelines, and […]

Tags: ,

Illinois federal court finds face-scan measurements derived from a photo qualify as biometric identifiers

On February 27, 2017, an Illinois federal court denied Google’s motion to dismiss a claim alleging that Google handles images in violation of the Illinois 2008 Biometric Information Privacy Act (BIPA). In a (putative) class action against Google Photos, plaintiffs alleged that the service collects, stores and uses- without informed consent and in violation of BIPA – the […]

Tags: ,

First data security class action against law firm is sent to individual arbitration

The first filed privacy class law against a law firm was sent to arbitration. On April 15, 2016, Plaintiffs filed the first class action complaint against a law firm for “systematically exposing confidential client information and storing client data without adequate security”. The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of failing to […]

Tags: , ,

Comments to proposed amendments to nonlawyers’ provision of legal services in Washington state (update on limited license legal technicians)

Update – April 2017 In December 2016 the Washington Supreme Court published Proposed Amendments to nonlawyers’ provision of legal services opening for Comments (among others). The comment period closes April 30, 2017. Any changes adopted would be effective no earlier than September 2017. See proposed changes here: http://www.courts.wa.gov/court_rules/?fa=court_rules.proposedDetails&proposedId=1101 Background: The Washington state supreme court has adopted […]

Public employees’ communications about public business are subject to disclosure under the Cal. Public Records Act even if employees use personal account, Cal. SC. holds

On March 2, 2017, the California Supreme Court held that the electronic communications of a public employee about the conduct of public business may be subject to disclosure under the California Public Records Act (“CPRA”) even if the employee used a personal account. The court considered how the law, originally designed to cover paper documents, […]

Tags: ,

Criminal defendants don’t have an absolute right to have their data omitted from published decisions, Italian Supreme Court held

On February 15, 2017, the Corte di Cassazione, the Italian Supreme Court, refused to hold that every criminal defendant has a right to have his or her personal data deleted from a published decision. The court must evaluate each case to determine if it is appropriate to omit certain personal data. The Supreme Court clarified the terms under which […]


Facebook user ordered by DPA to remove posts referring to judgments containing data of minor

On February 23, 2017, the Garante per la Protezione dei Dati Personali, the Italian Data Protection Authority (DPA), ordered a mother to delete from her Facebook feed posts containing two  judgments that include private aspects of her family’s life and most of all her daughter’s life. The DPA noted that the posted judgments allowed the identification of the […]


Consent to data processing should not be consideration for a free service, EDPS says

On March 14, 2017, the European Data Protection Supervisor (EDPS) released Opinion 4/2017 on the 2015 Proposal for a Directive (1) on certain aspects concerning contracts for the supply of digital content  (1) on certain aspects concerning contracts for the supply of digital content and  (2) on certain aspects concerning contracts for the online and other […]

Tags: ,

Canadian privacy law (PIPEDA) applies extraterritorially, Federal Court of Canada holds

On January 30, 2017, the Federal Court of Canada found Globe24h.com, a Romanian based website and its sole owner and operator, in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA). By way of background, the Romanian based website indexed and reposted Canadian court and tribunal decisions that were also available on Canadian legal […]


House of Representatives voted to repeal FCC’s Broadband Privacy Rules

On March 28, 2017, the US House of Representatives approved 215 to 205 a joint resolution to repeal the order “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (“Order”) published on November 2016. See here. The joint resolution (S.J.RES34) passed by the US Senate and the House of Representatives disapproves the Order submitted […]

Tags: ,

The House to vote today to repeal Internet Privacy Rules

The House is voting today on a bill to repeal Obama Administration’s internet privacy rules. The Senate already voted last Thursday (March 23, 2017) to repeal those rules. The rules that protect consumers’ online activity (Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (81 Fed. Reg. 87274 (December 2, 2016) were passed last year […]

Tags: ,

Sanction Granted for Spoliation when Defendant Relied on Third Party to Preserve ESI

On February 24, 2017, the US District Court for the Northern District of California imposed sanction on a party failing to preserve electronically stored information (ESI) transferred in the sale of business. In this action for breach of duties under ERISA, the Court granted Plaintiffs’ motion for sanctions for spoliation of evidence. An insurance company […]

Tags: ,

Compelling password production does not violate the Fifth Amendment

On March 20, 2017, the Third Circuit affirmed a ruling of contempt over an Appellant’s claimed inability to remember his drive-decryption passwords. The issue in appeal was whether the Government has the right to compel owners to cooperate in the decryption of digital devices after the Government seizes those devices pursuant to a valid search […]


Use of a file-sharing site without password was found to constitute a waiver of attorney-client privilege and work product protection

On February 9, 2017, a Virginia District Court deemed that the posting of privileged information on the web without protection results in a waiver. In this case, Harleysville Insurance Company, (“Harleysville”) sued the defendants, Holding Funeral Home, Inc. seeking a declaratory judgment that it did not owe them fire loss claim. (Incidentally, the District Court […]

Tags: , ,

ECJ holds dynamic IP addresses are personal data if additional information allowing user identification can reasonably be obtained from third parties

On October 19, 2016, the European Court of Justice (“ECJ”) presented its conclusions in Patrick Breyer v. Bundesrepublik Deutschland (case C‑582/14). According to the ECJ The dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify […]

Tags: , ,

Italian DPA issues fines totaling 11 million to group for a data breach

In February 2017, the Italian Data Protection Authority (Garante per la protezione dei Dati Personali)  fined five companies over 11 million euros for the unlawful processing of personal data. The companies, which operate in the money transfer field, unlawfully processed the personal data of over 2 millions people. To avoid money laundering legislation, the companies would use […]


Privacy Shield certification does not mean compliance needs to extend beyond European data

When a US organization decides to self-certify under the EU-U.S. Privacy Shield, compliance with Privacy Shield principles becomes compulsory. This may be a problem for many US organizations because certain processing activities that they perform – which are perfectly lawful under American law — are unlawful under a Privacy Shield’s perspective. Why? And what to do? Let’s step […]

Tags: ,

New York passed first cybersecurity legislation for banks and financial institution

On March 1, 2017, the new Cybersecurity Regulation to Protect Consumers and Financial Institutions proposed by Governor Andrew Cuomo took effect . This first-in-the-nation piece of legislation aims at protecting consumer data and financial systems from cyber-attacks of terrorist organizations and other criminal enterprises. The Regulation requires banks, insurance companies, and other financial services institutions to […]

Tags: ,

FCC partially stays Consumer Broadband Privacy Rules

On March 1, 2017, the Federal Communications Commission (FCC) granted a Stay Petition in part, and ordered a “stay on an interim basis” of certain aspects of the 2016 order “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (the “Privacy Order”). The Privacy Order containing broadband privacy rules was published on November 2016. […]

Tags: ,

Update on the Irish High Court’s proceeding to decide request for ECJ’s preliminary ruling on Model Clauses

According to the Irish Data Protection Authority (DPA) the hearing before the Irish High Court brought by the DPA against Facebook Ireland Ltd and Mr Schrems over EU-US data transfers will possibly take another additional week (or two addition weeks) to conclude. More information on the case is available here. According to the available sources (see […]

Tags: ,

Oracle posits that Consumer Broadband Privacy Rules grant Google unfair competitive advantage

On December 21, 2016, Oracle asked the Federal Communications Commission (FCC) to reconsider its decision and order “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (“Order”) published on November 2016. See here. At the beginning of 2017, several Internet Service Providers (ISPs) and cable associations filed Petitions for Reconsideration requesting the FCC to significantly […]

Tags: ,

Italian judge blocks Italian access to US-hosted website for privacy violation

According to this source, in February 2017, an Italian judge for the preliminary investigations (usually referred as “GIP”, from Giudice per le Indagini Preliminari) ordered to obscure a website hosted in the US allegedly violating the privacy of an Italian citizen.  The latter had found that his personal data had been published on the website […]

Tags: ,

Understanding colored padlocks in websites

You might have noticed that browsers have recently started to place symbols (colored padlocks) to grade the level of safety of the websites. Look at the web address: on the left, you will find symbols indicating the safety status. There are three types of symbols. Small green padlocks stand for secured websites, information or grey […]


Privacy Assistant for Android smartphones, an app helping to protect privacy online

Carnegie Mellon University (CMU) developed Privacy Assistant, an app that uses machine learning to help users control the information that can be collected and used by mobile apps they install on their Android smartphones. It asks users a number of questions before recommending some possible changes to the permission settings. Privacy Assistant is available here. Follow […]


Data Breach Class Actions dismissed for lack of injury-in-fact requirement

On February 6, 2017, the Court of Appeals for the Fourth Circuit affirmed a district court judgement’s dismissal of two data breach class actions for lack of subject-matter jurisdiction:  Plaintiffs failed to establish a non-speculative, imminent injury-in-fact identity theft after a 2013 and 2014 data breach. This was a consolidated appeal of veterans against William Jennings Bryan […]


California federal court allows service of process on foreign defendant via Twitter

On September 30, 2016, a California federal court granted permission to serve process through Twitter on a foreign defendant. Plaintiff St. Francis Assisi (a non-profit corporation) sued the defendants Kuwait Finance House, Kuveyt-Turk Participation Bank Inc., and Hajjaj al-Ajmi (an individual) for damages and equitable relief arising from the defendants’ financing of the terrorist organization Islamic […]


Chipotle’s social media code of conduct limiting employees’ posting found unlawful

On August 18, 2016, the National Labor Relations Board (NLRB) affirmed the administrative law judge’s (ALJ) ruling that Chipotle maintained an unlawful social media code of conduct that violated the National Labor Relations Act (NLRA). Chipotle fired an employee shortly after he tweeted several times on employees’ working conditions and wages. Chipotle social media policy included […]


Who should you appoint as a DPO? The legal/tech/organizational savvy unicorn?

Article 37(5) General Data Protection Regulation (GDPR) does not list with particularity the professional skills that should be considered when designating the Data Protection Officer (“DPO”). It provides: The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability […]

Tags: ,

Google is compelled to surrender information stored abroad, a federal court holds

On February 3, 2017, the Pennsylvania US District Court granted the Government’s motions to compel Google to comply with search warrants, holding that this was not an extraterritorial application of the stored Communications Act 18 U.S.C. (“SCA“). The District Court had issued two search warrants, pursuant to section 2703 of the SCA §§ 2701 et seq., […]


New guidelines on GDPR implementation published by the Spanish DPA

Inside its newly created website section on GDPR, the Agencia Española de Protección de Datos (AEPD) has recently published three guidelines to assist organizations to comply with the new Regulation: The Guidelines for the data controllers (useful check list is included). Available (in Spanish) here. The Guidelines for entering into agreements between controllers and processors. […]

Irish High Court to decide whether to ask ECJ to issue preliminary ruling on Model Clauses vis-a-vis Safe Harbor decision

Starting on February 7, 2017, the Irish High Court will hear a case brought by the Irish Data Protection Authority (DPA) against Facebook Ireland Ltd and Mr Schrems over EU-US data transfers after the Snowden disclosures. After the ECJ invalidated the “Safe Harbor” decision, Facebook performed its data transfer to the US using the “Model Clauses”. Mr. Schrems […]

Tags: ,

Deadline for comments to WP29 on DPO guideline extended to February 15

The Working Group Article 29 (WP29) has extended the deadline to submit comments on the guidelines that the WP29 recently issued from the ends of January to February 15, 2017. Among the others, comments are accepted on the Guidelines on DPO. For a list of guidelines that the stakeholders can comment on see http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083 For […]

Data controllers have no duty to disclose data enabling an aggrieved party to bring a suit, the Advocate General opines

European Court of Justice — Case C‑13/16 On January 26, 2017, the Advocate General (AG) to the Court of Justice of the European Union (CJEU) Mr. Bobek opined that there is no legal obligation for a data controller under EU data protection law to disclose data enabling the identification of a person allegedly responsible for an administrative offence. In […]

Tags: ,

Cyber Insurance: ENISA’s report on the last four years’ developments

The European Union Agency for Network and Information Security (ENISA) released an interesting report “to raise awareness for the most impactful market advances, by shortly identifying the most significant cyber insurance developments for the past four years – during 2012 to 2016 – and to capture the good practices and challenges during the early stages […]


Eleventh Circuit restricts FTC’s interpretation of unfair privacy practices

On November 10, 2016, the Eleventh U.S. Circuit Court of Appeals held that merely exposing sensitive data is not reasonably likely to harm consumers. LabMD operated as a clinical laboratory and as part of its business, receives patients’ sensitive personal information, which included their names, birthdates, addresses, and Social Security numbers. LabMD’s billing manager allegedly […]

Tags: ,

More awareness on big data, data protection, and security

On Tuesday, January 31, 2017, a lively panel discussed The Shifting Paradigm of Data Security: Intelligence & Big Data. The German Center for Research and Innovation and the European American Chamber of Commerce organized the event. The panel included Joanna Burkey, Chief Information Security Officer, at Siemens, Joseph V. DeMarco, Partner at DeVore & DeMarco […]

Tags: , ,

Compliance with GDPR is a priority in data-privacy agenda of 92% of big US organizations, a PWC’s survey finds

In a recent PWC’s survey, 92% of the surveyed organizations declared that compliance with EU General Data Protection Regulation (GDPR) is a “top priority on their data-privacy and security agenda in 2017”, being either a top priority or one of the top priorities. The survey was conducted among companies with more than 500 employees. More information here. […]


Russia: Increase of fines for data protection breaches

We would like to inform you of the proposed changes to the Russian Code of the Administrative Offences (hereinafter the “Code of Administrative Offenses”). These changes are aimed at increasing and differentiating administrative liability for violation of Russian personal data protection legislation. On January 11, 2017 the respective draft bill was adopted by the Lower Chamber […]


FCC’s Consumer Broadband Privacy Rules (effective Jan. 2017) have already been challenged

On November 2, 2016, the Federal Communications Commission (“FCC”) published a Report and Order entitled “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (“Order”) as a final rule in the Federal Register. The Order applies the privacy requirements of the Communications Act of 1934 as amended (“Act”) to broadband Internet access service (BIAS) […]

Tags: ,

The US & Switzerland sign new Privacy Shield Framework to allow data transfer

On January 12, 2017, Switzerland approved the Swiss-U.S. Privacy Shield Framework. Switzerland considers the agreement as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States. The Swiss-U.S. Privacy Shield Framework will replace the U.S.-Swiss Safe Harbor immediately. Switzerland will begin accepting Privacy Shield certifications starting […]

Tags: ,

60% of the requests to be forgotten are granted in Italy

According to Italia Oggi, in 2016 60% of the received request to be forgotten from search results has been granted. The percentage concerns the request to be removed from search results after the European Court of Justice issued its famous “right-to-be-forgotten” decision in the Costeja case, C-131/12. According to the source, the percentage consider the cases where the  Garante […]

Tags: ,

Unconsented hyperlinking to copyrighted material is copyright infringement if for profit

On September 8, 2016, the Court of Justice of the European Union (CJEU) decided whether unconsented hyperlinking to copyrighted material is copyright infringement. It held that when that unconsented hyperlinking generates a profit, then it is is copyright infringement. In 2011, GeenStijl published links to some pirated Playboy photos. Sanoma (Playboy publisher) brought an action at the Rechtbank […]


Microsoft addresses Windows 10 privacy flaws

On January 10, 2017, Terry Myerson, Window’s Executive Vice President, published a post acknowledging Window’s 10 privacy concerns and disclosing which actions have been taken  to solve the issue. Meyerson answered as follows to the several privacy flaws addressed by many, including the French Data Protection Authority (CNIL): Many of you have asked for more control […]

Tags: ,

EU Commission’s ePrivacy Regulation Proposal to align electronic communications privacy to GDPR

On January 10, 2017, the European Commission issued a draft for a new ePrivacy Regulation (“Proposal”) that would replace Directive 2002/58/EC (‘the ePrivacy Directive’), implementing a higher level of privacy for all electronic communications. Scope of application: The Proposal applies to all electronic communication providers – including EU institutions – and aim at aligning the existing rules, which date back […]

Tags: ,

Russia influenced several elections (including US election) in favor of Kremlin-friendly candidates

On January 6, 2016, the National Intelligence Council (NIC) released an Intelligence Community Assessment (ICA): “Assessing Russian Activities and Intentions in the Recent US Elections.” The document is a declassified version of a highly classified assessment provided to the President by the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI), and the National […]

Tags: ,

Conflict of interest under the recently issued WP29’s opinion on DPO

In Section 3.5 of Article 29 Working Party (WP29)’s Guidelines on Data Protection Officer (“DPOs”) (“Opinion”), the WP29 discusses the issue of conflict of interest for DPO. See here for more information on this opinion. The WP29 points out that while Article 38(6) GDPR allows a DPO to perform “other tasks and duties”, the organization […]

Tags: ,

Bavarian DPA sanctions appointment of IT manager of company as DPO

According to German data protection law, German data controllers must appoint a Data Protection Officer (“DPO“) in several cases, for example when ten or more people are involved in the automated processing of personal data. While an employee can be appointed as DPO, the appointee must be knowledgeable on data protection and must be reliable and independent. The […]

Tags: ,

WP29 issues guidelines on data portability, DPO, and lead authority (and lays foundation for much more)

On December 13, 2016, EU Article 29 Data Protection Working Party “(WP29”) dealt with several critical matters with regards to the implementation of the General Data Protection Regulation (GDPR) and the Privacy Shield. It also dealt with the enforcement measures on cases having a cross-border effect. As for the GDPR’s implementation, the WP29 importantly adopted: Guidelines […]

Tags: ,

Privacy Shield update: around 1300 active participants after over 4 months from start

As of mid December 2016, around 1300 companies were active under the EU-US Privacy Shield, according to the US Department of Commerce official website. The Privacy Shield Framework has now been effective for almost 4 months and it replaced the Safe Harbor, which had around 5,500 participants by 2016. The US Department of Commerce, International Trade Administration (ITA), […]

Tags: ,

FCC adopts Broadband Consumer Privacy Rules

On December 2, 2016, the Federal Communications Commission (FCC) published the Broadband Privacy Report and Order which requires broadband Internet Service Providers (ISPs) to protect users’ privacy. The rules implement the privacy requirements of Section 222 of the Communications Act for broadband ISPs, and aim at giving broadband customers more control over the use of their […]


The Public’s Right to know trumps right to be forgotten in case of major crimes, Italian DPA decides

On October 6, 2016, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) (“Italian DPA”)  issued an order denying the right to be forgotten to those involved in major crimes. A former city counselor involved in an investigation for corruption and fraud requested a de-indexation of some related articles. The events occurred […]


Oklahoma updates lawyer’s duty of competence to include tech-savviness (perhaps)

On September 19, 2016, the Oklahoma Supreme Court amended the Oklahoma Rules of Professional Conduct. Among the other amendments, a specific duty to remain “tech-savvy” was introduced as part of lawyers’ duty of competency. According to the approved text to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law […]


EDPS’s Opinion on Personal Information Management Systems

On October 20, 2016, the European Data Protection Supervisor (EDPS) published Opinion 9/2016 on Personal Information Management Systems, PIMS. The opinion acknowledges that the recently adopted GDPR provides for increased transparency, powerful rights of access and data portability, giving individuals more control over their data. However, the EDPS highlighted how market conditions and business practices can […]

Tags: , ,