Italian GDPR harmonization law is now in force

On September 19, 2018, Legislative Decree n. 101/2018 harmonizing the Italian privacy law with the General Data Protection Regulation (GDPR) entered into force. The Legislative Decree was published in the Official Italian Gazette (Gazzetta ufficiale n. 205 04-09-2018) on September 4, 2018. More on the Legislative Decree and the Italian Privacy Code (Legislative Decree 196/2003) is available […]


Update on French Conseil d’Etat’s request for a preliminary ruling on the right to be forgotten

On September 11, 2018, the Court of Justice of the European Union (CJEU) began hearing evidence from over 70 stakeholders in the case whose judgement shall outline the territorial scope of the right to be forgotten. The panel of 15 CJEU judges will rule in 2019. The request for a preliminary ruling (Case C-507/17) was […]


Italian GDPR harmonization law is published on the Official Gazette

On September 4, 2018, Legislative Decree n. 101/2018 harmonizing the national privacy law with the General Data Protection Regulation (GDPR) was published on the official Italian journal (Gazzetta ufficiale n. 205 04-09-2018). The Legislative Decree does not abrogate the Italian Privacy Code (Legislative Decree 196/2003), which therefore remains in force, but that Code is harmonized with […]


Facebook profile can be accessed by heirs, German federal court says

On July 12, 2018, the German federal court (Bundesgerichtshof, BGH) overturned the judgment of Berlin’s highest state court (Kammergerichts), which had denied the parents’ access to their daughter’s Facebook account. The case involved a mother trying to access the deceased 15-year-old daughter’s Facebook account in order to understand the cause of death. With its […]


ECJ’s recommendations to national courts on preliminary ruling procedure

CJEU: in the references for preliminary rulings the national judge must anonymise the data. On July 20, 2018, the Official Journal of the European Union (C 257/1) published a document in which the European Court of Justice (“ECJ”) clarifies to national courts and tribunals the essential characteristics of the preliminary ruling procedure and the […]


The aftermath of Cambridge Analytica’s scandal and other problems for Facebook in Europe

The scandal of Cambridge Analytica caused several consequences for Facebook in Europe. In the United Kingdom, the Information Commissioner (ICO) is investigating the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors by 30 organizations, including Facebook. See here. The Working Party 29 (WP29) created a Social Media Working Group to develop a […]


Arizona adds blockchain technology to corporations law

Arizona signed House Bill 2603 to add a definition in Section 10-140, Definition – Arizona Revised Statutes (Section 10, Corporations and Associations). In particular, now 10-140(53) reads: 53. “WRITING” OR “WRITTEN” INCLUDES BLOCKCHAIN TECHNOLOGY AS DEFINED IN SECTION 44‑7061. The definition of “blockchain technology” is contained in Section 44-7061: “distributed ledger technology that uses a distributed, […]


EU Council’s Corrigendum to GDPR

Less than one month before the entry into force of the GDPR, the text (in all language versions) is still subject to changes, some of them significant. For more information and for advice on GDPR implementation, Francesca Giannoni-Crystal.

DPAs’ guidance on exercising data subjects’ rights under GDPR vis-a-vis social media

Several DPAs have issued guidance on how individuals can exercise their rights as data subjects vis-a-vis social media platforms. See for example: – ICO – United Kingdom:… – Data Protection Commissioner – Ireland:… – Croatian Data Protection Agency: request for the protection of rights request for removing personal data from social networks reporting […]


Italian DPA fines political party for privacy policy violation

In March 2018, the Garante per la Protezione dei Dati Personali, Italy’s Data Protection Authority, issued a fine of Euros 32,000 against the Rousseau association, controller of the processing of data of the website users of the Italian political party “5-Star” (Cinque Stelle). Federprivacy reports. After a data breach, the Italian DPA started investigating whether […]


Cybersecurity Tech Accord signed by 34 global technology and security companies

On April 17, 2018, 34 global technology and security companies signed a Cybersecurity Tech Accord, agreeing to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states. The 34 companies include ABB, Arm, Cisco, Facebook, HP, HPE, Microsoft, Nokia, Oracle, and Trend Micro, and together represent tech companies that power the world’s internet […]


FTC publishes 2017 Privacy & Data Security report

The Federal Trade Commission (FTC) issued its 2017 Privacy & Data Security Update. The annual report summarizes the year’s privacy and data security enforcement actions, advocacy, workshops and guidance. Among the FTC’s 2017 privacy and security actions announced are the first actions enforcing the EU-U.S. Privacy Shield framework. The 2017 Privacy & Data Security update […]


Italian Council of Ministers’ preliminary approval of GDPR’s “harmonization” decree

The Italian Council of Ministers preliminarily approved a legislative decree (in furtherance of Parliament’s delegation Law October 25 2017, no. 163), containing provisions to amend domestic law in compliance with the GDPR. In fact, effective May 25, 2018, Legislative Decree June 30, 2003 no. 196 will be abrogated and the GDPR will be immediately into […]


Records of processing activities of Article 30 GDPR – some model forms

Article 30 GDPR requires each controller and each processor to maintain a record of processing activities under its responsibility which must be in writing (including electronic form). Article 30 details the minimum content of the record. Some DPA made available model forms and notes for keeping records of processing activities: the BayLDA, the Bavarian DPA […]


NIST releases Blockchain Technology Overview

In January 2018, NIST, the National Institute of Standards and Technology, released Blockchain Technology Overview. The document is intended for readers with little or no knowledge of blockchain technology. Public comment period: January 24, 2018 through February 23, 2018. Full text available here.


EU Commission’s Guidance on the direct application of GDPR as of May 2018

On January 24, 2018, the Commission issued “Stronger protection, new opportunities – Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018”. In the document the Commission lists the guidelines that the WP29 has issued (and is about to issue) on several important aspects of the Regulations. [1] […]


ICO’s recommendations on Meltdown and Spectre

In a post of January 5th, Nigel Houlden, the Head of Technology Policy of ICO (the United Kingdom Data Protection Authority) gives organizations recommendations on how to deal with Meltdown and Spectre and protect people’s personal data. As it is now well known, three connected vulnerabilities have been found in Intel’s, AMD’s, and ARM’s processors which could […]


EU-U.S. Privacy Shield ensures “adequate level of data protection” but could be improved, EU Commission finds

On October 18, 2017, the EU Commission published its report on the first annual review of the EU-U.S. Privacy Shield. The report reflects the Commission’s findings on the implementation and enforcement of the EU-U.S. Privacy Shield framework in its first year of operation. According to the EU Commission, the Privacy Shield “continues to ensure an […]


FCC repeals net neutrality rules

Today, on Dec 14, 2017, the Federal Communications Commission (“FCC”) voted 3-2 to repeal the 2015 Open Internet Order, i.e., the Obama-era regulation requiring the companies to treat all web traffic alike. The repeal of net neutrality was performed by the passing of an order named “Restoring Internet Freedom,” which “essentially removes the FCC as a regulator […]

SCOTUS heard oral argument in Carpenter vs US: can the Gov’t access carriers’ location data without a warrant?

On November 29, 2017, the Supreme Court heard oral argument in an important privacy case. The Sixth Circuit held that the protection granted under the Fourth Amendment did not prevent the government from accessing business records from the defendants’ wireless carriers revealing the user’s location without a warrant. In Carpenter v. United States Timothy Carpenter and Timothy Sanders […]


Scientific research in Italy slowed down by new data processing rules?

On December 12, 2017, a new Article 110bis of the Italian Privacy Code came into force, redrafting the discipline concerning use of data for scientific research or statistical purposes. The new Article 110bis, Italian Privacy Code, (Legislative Decree n. 196/2003) introduced three changes that might have harmful consequences for scientific developments. First, it restricts the possibility […]


Legal advertising through texts allowed in NC, NC Ethics Opinion states

North Carolina State Bar 2017 Formal Ethics Opinion 1   April 21, 2017 Topic: text message advertising The Opinion clarifies that lawyers may use the text message advertising that allows the user to initiate a live telephone communication, provided it complies with North Carolina Rules of Professional Conduct 7.1, 7.2, and 7.3, and all applicable federal […]


WP29 published criteria for appropriate administrative fines in GDPR’s breach

As announced (see here), on October 3, 2017, the Article 29 Working Party (WP29) published its Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (GDPR). Once a GDPR infringement is established, the competent supervisory authority (Article 51 GDPR) must identify the most appropriate corrective measure(s) to address the […]


Digital Single Market: unjustified geoblocking to end by the end of 2018

On November 20, 2017, the European Parliament, the Council and the Commission committed to end all geoblocking that unnecessarily impedes consumers from buying products or services online within the EU. The EU digital single market should “give consumers the same possibility to access the widest range of offers regardless of whether they physically enter a […]


Apps using facial data cause privacy concerns

On October 22, 2017, the Washington Post shares a new worry about data privacy. The iPhone X’s front sensors scan 30,000 points to make a 3D model of users’ faces and then shares the faces’ maps with lots of apps. However, Apple spokesman Tom Neumayr said “We take privacy and security very seriously. This commitment is reflected […]

WP29’s plenary meeting: final guidelines on DPIA and opening for comments on data breach notification and profiling

At its plenary meeting held in October 2017, Working Party 29 (WP29) examined certain critical matters regarding the implementation of Regulation 2016/679, the so-called General Data Protection Regulation (GDPR). WP29 approved the final version of the DPIA guidelines (Guidelines on Data Protection Impact Assessment) after having examined the comments received during the public consultation which ended […]


UK publishes Data Protection Bill – data protection will get stricter

As anticipated (see here), a new Data Protection Bill was introduced to the House of Lords on September 13, 2017 and it officially entered Parliament on September 14, 2017. The new Bill aims at substituting the UK Data Protection Act 1998 and updating data protection laws in accordance with the GDPR. What will it change? […]

Spanish DPA issues Eur 1.2 million fine to Facebook

On September 11, 2017, the Spanish Data Protection Agency (AEPD) issued a closing resolution against Facebook deeming that the company doesn’t process data in accordance with EU data protection law. According to the AEPD, Facebook “collects data on ideology, sex, religious beliefs, personal preferences or browsing activity without clearly informing about how and for what purpose it will use […]


Federal Court affirms District Court’s judgement denying general and specific jurisdiction over Japanese company and its U.S. subsidiary

On March 24, 2017, the Ninth Circuit Court of Appeals affirmed the District Court’s dismissal for lack of personal jurisdiction of plaintiffs-appellants’ claims against Yamaha Motor Corporation, U.S.A. (YMUS), in an action alleging violations of federal and state warranty law and other claims, brought by appellants who purchased allegedly defective outboard motors that Yamaha Motor Co. […]

New York City Bar Opinion 2017-5 on lawyer’s duty of confidentiality when crossing borders

On July 25, 2017, the New York City Bar issued Formal Opinion 2017-5, which concludes that lawyers have a duty to protect clients’ confidential information from disclosure. This duty stretches to U.S. border agents searching electronic devices. Lawyers shall take “reasonable precautions” to avoid disclosure of clients’ confidential information. Such precautions will vary based […]


Conseil d’Etat requests preliminary ruling from CJEU on Right to be Forgotten

The right to be forgotten has been judicially recognized by the CJEU with the Google Spain judgment  (Case C-131/12). According to the judgement, Europeans have the right to disappear from search engine’s results under certain conditions. The National Commission of Information Technologies and Liberties (CNIL), Commission nationale de l’informatique et des libertés, rejected some complaints […]


Another jurisdiction finds participation in Avvo, LegalZoom, and Rocket Lawyer unethical

On June 21, 2017, the New Jersey Advisory Committee on Professional Ethics, Committee on Attorney Advertising, and Committee on the Unauthorized Practice of Law opined that New Jersey lawyers may not participate in the Avvo legal service programs “because the programs improperly require the lawyer to share a legal fee with a nonlawyer”. The Committees […]


WP29 issues Opinion to balance employers’ legitimate interests and employees’ reasonable privacy expectations

On June 8, 2017, Working Party 29 (WP29) issued Opinion 2/2017 on data processing at work, which makes a “new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees” also considering the new challenges to data protection created by new technologies. Opinion 2/2017 updates previous Opinion 08/2001 on the processing […]


Mass publication of personal tax information can be banned, the ECHR holds

On June 27, 2017, the Grand Chamber of the European Court of Human Rights (“ECHR”) issued its judgment in the case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland (application no. 931/13) holding that the publication of personal tax information does not violate Article 10 (freedom of expression) of European Convention on Human Rights. […]


ICO issues data protection self assessment toolkit

The United Kingdom DPA, the Information Commissioner Officer (ICO), published an interactive checklist for organizations to assess compliance with the Data Protection law and to explain how to comply with the GDPR. The ICO’s toolkit includes the following topics: Data protection assurance; Getting ready for the GDPR; Information security; Direct marketing; Records management; Data sharing and subject access; CCTV […]


Autonomous delivery vehicles allowed on Virginia sidewalks starting from July 1

Autonomous delivery robots will be legal on Virginia sidewalks starting July 1, with approval from local city councils. Sen. Bill DeSteph introduced SB 1207 in the Virginia Senate. An identical bill, HB 2016, was introduced in the House by Del. Ron Villanueva. On June 1, 2017, Gov. Terry McAuliffe signed the bill into legislation. See here. and SB […]

Misrepresentation in attorney’s LinkedIn profile leads to ethics sanctions

On December 19, 2016, the Office of Disciplinary Counsel of the Supreme Court of Pennsylvania issued an order accepting a recommendation from the State’s Disciplinary Board to suspend an attorney for one year and one day for engaging in unauthorized practice of law. Among other counts, the Respondent allegedly maintained a LinkedIn profile representing to […]


Italian DPA issues 2016 annual activity report – some interesting (and perhaps unexpected) information

On June 6, 2017, the Italian Data Protection Authority (DPA), the Garante per la Protezione dei Dati Personali, issued the annual report on its activity for 2016. The DPA’s activity concentrated on computer crimes and cyber security; online profiling and social media; cyberbullying; fight against terrorism and mass surveillance; Big Data; use of new technologies […]


SCOTUS to decide whether a warrant is needed to obtain location data from cellphone carriers

On June 5, 2017, the Supreme Court granted a writ of certiorari to review the decision by the Sixth Circuit holding that the protection granted under the Fourth Amendment did not prevent the government from accessing business records from the defendants’ wireless carriers revealing the user’s location without obtaining a warrant. In Carpenter v. United States […]


German Parliament approves Data Protection Act to implement the GDPR

On April 28, 2017, the Deutscher Bundestag, the German Parliament, adopted the Federal Data Protection Act (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU – DSANPUG-EU). The Act implements in Germany the provisions of Regulation 2016/679, the General Data Protection Regulation (GDPR). The Federal Council shall now approve the law, which will enter into force at the same time […]


ICO issues guide to encryption

The Information Commissioner Officer (ICO) published a guide discussing the use of encryption. The guide provides a range of practical scenarios highlighting “when and where different encryption strategies can help provide a greater level of protection.” Overview of the Guide: Encryption protects information stored on mobile and static devices and in transmission. It is a way […]


Lawyer who ignored client’s Facebook inquiries about his case received a 90-day suspension

On April 27, 2017, the Nebraska Supreme Court ordered the suspension of an attorney from the practice of law for a period of 90 days followed by 1 year’s monitored probation. The Counsel for Discipline of the Nebraska Supreme Court filed formal charges against the attorney. According to the charges, the attorney had taken over […]


NY Court of Appeals dismissed Facebook’s appeal on motion to quash 381 user accounts’ search warrants

On April 4, 2017, New York Court of Appeals ruled that it does not have authority to hear Facebook’s appeals against motions to quash search warrants issued under the Stored Communications Act (SCA). By way of background. Facebook appealed a September 17, 2013 New York County trial court’s sealed order containing bulk SCA search warrants directing […]


Executive order on strengthening cybersecurity issued by Trump Administration

On May 11, 2017, the Trump Administration issued an executive order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The executive order contains three sections. The first section deals with cybersecurity of federal networks. Agencies shall implement the NIST framework for risk management and risk reduction, federal IT for shared services shall use the […]


International and Technology Issues for Entrepreneurs Legal Clinic

The SC Bar International Law Committee, in conjunction with Trident Technical College, sponsored a free legal clinic for entrepreneurs in North Charleston on Thursday, May 18. The clinic, titled Technology and International Issues for Entrepreneurs, included information on general corporate issues, cybersecurity, cloud computing, websites, social media, contractual clauses to protect entrepreneurs, data protection, data […]

EDPS comments on the ePrivacy Regulation Proposal and calls for strong rules to protect confidentiality of communications (Opinion 6/2017)

On April 24, 2017, the European Data Protection Supervisor (EDPS) released Opinion 6/2017 on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation Proposal). The EDPS welcomes the Proposal for the Regulation. There is a need for “a specific legal tool to protect the right to private life guaranteed by Article 7 […]


Facebook fined EUR 150,000 by French DPA for WhatsApp’s unlawful tracking

On May 16, 2017, the French, Belgian and Dutch members of the Data Protection Contact Group published the results of their investigations after WhatsApp issued its new privacy policy in August 2015, after joining Facebook. See here. The DPAs all over the world watched the changes closely and several EU authorities initiated national investigations to verify, […]

WhatsApp was issued a EUR 3 million fine for forcing users to share their personal data with Facebook

On May 11, 2017, the Italian Antitrust Authority (Garante della Concorrenza e del Mercato “ICA”) found that WhatsApp infringed the Italian Consumer Code. In particular, according to the ICA, WhatsApp forced the users of its service “to accept in full the new Terms of Use, and specifically the provision to share their personal data with Facebook, by […]


Italian court voids share purchase agreement due to unauthorized use of digital signature

On December 20, 2016, the Tribunale di Roma held the unauthorized use of a digital signature smart card could nullify an electronically signed agreement. In this case the Plaintiff had denied the digital subscription of an agreement that transferred stock ownership. Since the share transfer agreement was signed electronically, the judge found that the Codice dell’Amministrazione […]

Bitcoin exchange agreements must comply with consumer protection rules, Italian court holds

On January 24, 2017, a court of Verona (Italy) relied on the European Court of Justice’s decision in Case C‑264/14 to hold that the transactions in which a traditional currency is exchanged for units of Bitcoins and vice versa are “supply of services for consideration” contracts. Indeed,  Bitcoins are given in return for the “payment of a sum equal to the […]

Guidelines for practical implementation of the GDPR issued by the Italian DPA

The Italian Data Protection Authority, Garante per la privacy issued Guidelines for the implementation of Regulation EU/2016/679 on Personal Data Protection (GDPR). The DPA suggests some actions that can be carried out right away to comply with the GDPR and provides a general overview of the major innovations introduced by the legislation. The guidelines are […]


60% data breach increase in New York, the Attorney general announces

On March 21, 2017, Attorney General Schneiderman announced that his office received a record number of data breach notices in 2016. Around 1,300 data breaches were reported in 2016. This represented a 60% increase over the previous year; these breaches exposed the personal records of 1.6 million New Yorkers in 2016. Hacking represented the leading […]


WP29 issues guidelines aiming at GDPR implementation

In its plenary meeting held in April 2017, Working Party 29 (WP29) examined certain critical matters regarding the implementation of Regulation 2016/679, the so-called General Data Protection Regulation (GDPR). After having examined the comments received during the public consultation which ended on February 15, 2017 (see here), WP29 adopted the final versions of several guidelines, and […]


Illinois federal court finds face-scan measurements derived from a photo qualify as biometric identifiers

On February 27, 2017, an Illinois federal court denied Google’s motion to dismiss a claim alleging that Google handles images in violation of the Illinois 2008 Biometric Information Privacy Act (BIPA). In a (putative) class action against Google Photos, plaintiffs alleged that the service collects, stores and uses – without informed consent and in violation of BIPA – the […]


First data security class action against law firm is sent to individual arbitration

The first filed privacy class action against a law firm was sent to arbitration. On April 15, 2016, Plaintiffs filed the first class action complaint against a law firm for “systematically exposing confidential client information and storing client data without adequate security”. The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of failing to […]


Comments to proposed amendments to nonlawyers’ provision of legal services in Washington state (update on limited license legal technicians)

Update – April 2017 In December 2016 the Washington Supreme Court published Proposed Amendments to nonlawyers’ provision of legal services opening for Comments (among others). The comment period closes April 30, 2017. Any changes adopted would be effective no earlier than September 2017. See proposed changes here: Background: The Washington state supreme court has adopted […]

Public employees’ communications about public business are subject to disclosure under the Cal. Public Records Act even if employees use personal account, Cal. SC. holds

On March 2, 2017, the California Supreme Court held that the electronic communications of a public employee about the conduct of public business may be subject to disclosure under the California Public Records Act (“CPRA”) even if the employee used a personal account. The court considered how the law, originally designed to cover paper documents, […]


Criminal defendants don’t have an absolute right to have their data omitted from published decisions, Italian Supreme Court held

On February 15, 2017, the Corte di Cassazione, the Italian Supreme Court, refused to hold that every criminal defendant has a right to have his or her personal data deleted from a published decision. The court must evaluate each case to determine if it is appropriate to omit certain personal data. The Supreme Court clarified the terms under which […]


Facebook user ordered by DPA to remove posts referring to judgments containing data of minor

On February 23, 2017, the Garante per la Protezione dei Dati Personali, the Italian Data Protection Authority (DPA), ordered a mother to delete from her Facebook feed posts containing two  judgments that include private aspects of her family’s life and most of all her daughter’s life. The DPA noted that the posted judgments allowed the identification of the […]


Consent to data processing should not be consideration for a free service, EDPS says

On March 14, 2017, the European Data Protection Supervisor (EDPS) released Opinion 4/2017 on the 2015 Proposal for a Directive (1) on certain aspects concerning contracts for the supply of digital content and (2) on certain aspects concerning contracts for the online and other […]


Canadian privacy law (PIPEDA) applies extraterritorially, Federal Court of Canada holds

On January 30, 2017, the Federal Court of Canada found a Romanian-based website and its sole owner and operator in violation of the Personal Information Protection and Electronic Documents Act (PIPEDA). By way of background, the Romanian-based website indexed and reposted Canadian court and tribunal decisions that were also available on Canadian legal […]


House of Representatives voted to repeal FCC’s Broadband Privacy Rules

On March 28, 2017, the US House of Representatives approved 215 to 205 a joint resolution to repeal the order “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (“Order”) published on November 2016. See here. The joint resolution (S.J.RES34) passed by the US Senate and the House of Representatives disapproves the Order submitted […]


The House to vote today to repeal Internet Privacy Rules

The House is voting today on a bill to repeal the Obama Administration’s internet privacy rules. The Senate already voted last Thursday (March 23, 2017) to repeal those rules. The rules that protect consumers’ online activity (“Protecting the Privacy of Customers of Broadband and Other Telecommunications Services”, 81 Fed. Reg. 87274 (December 2, 2016)) were passed last year […]


Sanction Granted for Spoliation when Defendant Relied on Third Party to Preserve ESI

On February 24, 2017, the US District Court for the Northern District of California imposed sanctions on a party that failed to preserve electronically stored information (ESI) transferred in the sale of a business. In this action for breach of duties under ERISA, the Court granted Plaintiffs’ motion for sanctions for spoliation of evidence. An insurance company […]


Compelling password production does not violate the Fifth Amendment

On March 20, 2017, the Third Circuit affirmed a ruling of contempt over an Appellant’s claimed inability to remember his drive-decryption passwords. The issue in appeal was whether the Government has the right to compel owners to cooperate in the decryption of digital devices after the Government seizes those devices pursuant to a valid search […]


Use of a file-sharing site without password was found to constitute a waiver of attorney-client privilege and work product protection

On February 9, 2017, a Virginia District Court deemed that the posting of privileged information on the web without protection results in a waiver. In this case, Harleysville Insurance Company (“Harleysville”) sued the defendants, Holding Funeral Home, Inc., seeking a declaratory judgment that it did not owe them a fire loss claim. (Incidentally, the District Court […]


ECJ holds dynamic IP addresses are personal data if additional information allowing user identification can reasonably be obtained from third parties

On October 19, 2016, the European Court of Justice (“ECJ”) presented its conclusions in Patrick Breyer v. Bundesrepublik Deutschland (case C‑582/14). According to the ECJ, the dynamic internet protocol address of a visitor constitutes personal data, with respect to the operator of the website, if that operator has the legal means allowing it to identify […]


Italian DPA issues fines totaling 11 million to group for a data breach

In February 2017, the Italian Data Protection Authority (Garante per la protezione dei Dati Personali) fined five companies over 11 million euros for the unlawful processing of personal data. The companies, which operate in the money transfer field, unlawfully processed the personal data of over 2 million people. To avoid money laundering legislation, the companies would use […]


Privacy Shield certification does not mean compliance needs to extend beyond European data

When a US organization decides to self-certify under the EU-U.S. Privacy Shield, compliance with Privacy Shield principles becomes compulsory. This may be a problem for many US organizations because certain processing activities that they perform – which are perfectly lawful under American law — are unlawful under a Privacy Shield’s perspective. Why? And what to do? Let’s step […]


New York passed first cybersecurity legislation for banks and financial institution

On March 1, 2017, the new Cybersecurity Regulation to Protect Consumers and Financial Institutions proposed by Governor Andrew Cuomo took effect. This first-in-the-nation piece of legislation aims at protecting consumer data and financial systems from cyber-attacks of terrorist organizations and other criminal enterprises. The Regulation requires banks, insurance companies, and other financial services institutions to […]

FCC partially stays Consumer Broadband Privacy Rules

On March 1, 2017, the Federal Communications Commission (FCC) granted a Stay Petition in part, and ordered a “stay on an interim basis” of certain aspects of the 2016 order “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (the “Privacy Order”). The Privacy Order containing broadband privacy rules was published in November 2016. […]

Update on the Irish High Court’s proceeding to decide request for ECJ’s preliminary ruling on Model Clauses

According to the Irish Data Protection Authority (DPA), the hearing before the Irish High Court brought by the DPA against Facebook Ireland Ltd and Mr Schrems over EU-US data transfers will possibly take an additional week (or two additional weeks) to conclude. More information on the case is available here. According to the available sources (see […]

Oracle posits that Consumer Broadband Privacy Rules grant Google unfair competitive advantage

On December 21, 2016, Oracle asked the Federal Communications Commission (FCC) to reconsider its decision and order “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” (“Order”) published in November 2016. See here. At the beginning of 2017, several Internet Service Providers (ISPs) and cable associations filed Petitions for Reconsideration requesting the FCC to significantly […]

Italian judge blocks Italian access to US-hosted website for privacy violation

According to this source, in February 2017, an Italian judge for the preliminary investigations (usually referred to as “GIP”, from Giudice per le Indagini Preliminari) ordered that a website hosted in the US, allegedly violating the privacy of an Italian citizen, be obscured. The latter had found that his personal data had been published on the website […]

Understanding colored padlocks in websites

You might have noticed that browsers have recently started to place symbols (colored padlocks) to grade the level of safety of the websites. Look at the web address: on the left, you will find symbols indicating the safety status. There are three types of symbols. Small green padlocks stand for secured websites, information or grey […]


Privacy Assistant for Android smartphones, an app helping to protect privacy online

Carnegie Mellon University (CMU) developed Privacy Assistant, an app that uses machine learning to help users control the information that can be collected and used by mobile apps they install on their Android smartphones. It asks users a number of questions before recommending some possible changes to the permission settings. Privacy Assistant is available here. Follow […]


Data Breach Class Actions dismissed for lack of injury-in-fact requirement

On February 6, 2017, the Court of Appeals for the Fourth Circuit affirmed a district court’s dismissal of two data breach class actions for lack of subject-matter jurisdiction: the plaintiffs failed to establish a non-speculative, imminent injury-in-fact of identity theft after a 2013 and a 2014 data breach. This was a consolidated appeal of veterans against William Jennings Bryan […]


California federal court allows service of process on foreign defendant via Twitter

On September 30, 2016, a California federal court granted permission to serve process through Twitter on a foreign defendant. Plaintiff St. Francis Assisi (a non-profit corporation) sued the defendants Kuwait Finance House, Kuveyt-Turk Participation Bank Inc., and Hajjaj al-Ajmi (an individual) for damages and equitable relief arising from the defendants’ financing of the terrorist organization Islamic […]


Chipotle’s social media code of conduct limiting employees’ posting found unlawful

On August 18, 2016, the National Labor Relations Board (NLRB) affirmed the administrative law judge’s (ALJ) ruling that Chipotle maintained an unlawful social media code of conduct that violated the National Labor Relations Act (NLRA). Chipotle fired an employee shortly after he tweeted several times about employees’ working conditions and wages. Chipotle’s social media policy included […]


Who should you appoint as a DPO? The legal/tech/organizational savvy unicorn?

Article 37(5) General Data Protection Regulation (GDPR) does not list with particularity the professional skills that should be considered when designating the Data Protection Officer (“DPO”). It provides: The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability […]

Google is compelled to surrender information stored abroad, a federal court holds

On February 3, 2017, the Pennsylvania US District Court granted the Government’s motions to compel Google to comply with search warrants, holding that this was not an extraterritorial application of the Stored Communications Act, 18 U.S.C. (“SCA”). The District Court had issued two search warrants, pursuant to section 2703 of the SCA, §§ 2701 et seq., […]


New guidelines on GDPR implementation published by the Spanish DPA

Inside its newly created website section on GDPR, the Agencia Española de Protección de Datos (AEPD) has recently published three guidelines to assist organizations in complying with the new Regulation: The Guidelines for the data controllers (a useful checklist is included). Available (in Spanish) here. The Guidelines for entering into agreements between controllers and processors. […]

Irish High Court to decide whether to ask ECJ to issue preliminary ruling on Model Clauses vis-a-vis Safe Harbor decision

Starting on February 7, 2017, the Irish High Court will hear a case brought by the Irish Data Protection Authority (DPA) against Facebook Ireland Ltd and Mr Schrems over EU-US data transfers after the Snowden disclosures. After the ECJ invalidated the “Safe Harbor” decision, Facebook performed its data transfer to the US using the “Model Clauses”. Mr. Schrems […]

Deadline for comments to WP29 on DPO guideline extended to February 15

The Working Group Article 29 (WP29) has extended the deadline to submit comments on the guidelines that the WP29 recently issued from the end of January to February 15, 2017. Among others, comments are accepted on the Guidelines on DPO. For a list of guidelines that the stakeholders can comment on see For […]

Data controllers have no duty to disclose data enabling an aggrieved party to bring a suit, the Advocate General opines

European Court of Justice, Case C‑13/16. On January 26, 2017, the Advocate General (AG) to the Court of Justice of the European Union (CJEU), Mr. Bobek, opined that there is no legal obligation for a data controller under EU data protection law to disclose data enabling the identification of a person allegedly responsible for an administrative offence. In […]

Cyber Insurance: ENISA’s report on the last four years’ developments

The European Union Agency for Network and Information Security (ENISA) released an interesting report “to raise awareness for the most impactful market advances, by shortly identifying the most significant cyber insurance developments for the past four years – during 2012 to 2016 – and to capture the good practices and challenges during the early stages […]


Eleventh Circuit restricts FTC’s interpretation of unfair privacy practices

On November 10, 2016, the Eleventh U.S. Circuit Court of Appeals held that merely exposing sensitive data is not reasonably likely to harm consumers. LabMD operated as a clinical laboratory and, as part of its business, received patients’ sensitive personal information, which included their names, birthdates, addresses, and Social Security numbers. LabMD’s billing manager allegedly […]
