Drones cannot be used to monitor social distancing, the Conseil d’Etat holds

The City of Paris cannot use drones to monitor social distance any more. In a lawsuit filed by Human Rights League and Quadrature du Net against the city of Paris for its use of drones to monitor social distance, the Conseil d’Etat (State Council, France’s highest administrative court) ruled on May 18 that aerial drones […]

Tags: , ,

Pennsylvania Bar Association – Formal Opinion 2020-300 “Ethical Obligations For Lawyers Working Remotely”

April 10, 2020, the Committee on Legal Ethics and Professional Responsibility of the Pennsylvania Bar Association issued, Formal Opinion 2020-300 “Ethical Obligations For Lawyers Working Remotely” The Committee noticed that When Pennsylvania Governor Tom Wolf ordered all “non-essential businesses,” including law firms to close their offices during the COVID-19 pandemic, and also ordered all persons […]

Belgian DPA sanctions a controller for appointing as DPO the director of one of its departments

On 28 April 2020, the Belgian DPA sanction Proximus SA (previously Belgacom) for €50,000 on two basis:  non-cooperation under Article 31 of the GDPR and violation of Article 38(6) of the GDPR by appointing as DPO the director of one of its departments (Head of Compliance, Risk and Audit). The problem with the latter was conflict […]

Tags: ,

$5B Facebook’s settlement with FTC over Cambridge Analytica approved by federal court

On April 23, 2020 a federal court officially approved the agreement reached between Facebook and the Federal Trade Commission (FTC) last July. FTC’s investigation began after the events of Cambridge Analytica in 2018. See here for more about this investigation. The reached settlement agreement received some criticism. Facebook agreed to shift its approach to  privacy, […]

Tags:

Washington State privacy legislation: Update

  UPDATE – March 2020 – Washington Privacy Act fails again It was almost given for granted that the Washington Privacy Act would have passed this time. The Washington State House and Senate were debating two similar bills. The difference was in the enforcement mechanism: while in the House’s Bill both the Attorney General’s office and any […]

Tags:

EDPS published revised eCommunications guidelines for EU institutions

On January 31, 2020 the EDPS published Revised Guidelines on personal data and electronic communications in the EU institutions (eCommunications guidelines). Recognizing that for “most people, electronic communications (eCommunications) such as email, internet and telephony, occupy a central role in their day-to-day professional and personal activities” and that “eCommunications are essential for organisations to operate […]

Tags: ,

EDPB’s Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

On  28 January 2020 adopted the European Data Protection Board (“EDPB”) adopted the Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications. The EDPB states that “connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers […]

Tags: ,

Accepting lawyers’ fees in cryptocurrency – Formal Opinion 2019-5

In Formal Opinion 2019-5, the New York City Bar Ethics Committee advised that agreements requiring the client to pay the lawyer’s fees in cryptocurrency amounted to transactions in which the fee is paid in property rather than standard fee agreements. The Ethics Committee had been asked to opined on the question: Is a fee agreement requiring the […]

DPIA( Data Protection Impact Assessment) in the GDPR – Guidelines, “blacklists” and whitelists

The GDPR requires controllers to implement appropriate measures to be able to demonstrate compliance with the GDPR itself, taking into account among others the “the risks of varying likelihood and severity for the rights and freedoms of natural persons” (article 24 (1)). In line with the risk-based approach embodied by the GDPR, carrying out a […]

Tags: ,

Italian DPA sanctions cell phone carrier EUR 28 million over unlawful data processing

The Italian DPA (“Garante per la Protezione dei dati Personali”) issued a penalty of € 27,802,946 to cell phone carrier Tim Sp.A. for numerous and serious violations of data protection related to processing for marketing activities. The violations affected a few million people overall. From January 2017 to the first months of 2019, the DPA […]

Tags: ,

(ECJ) Advocate General’s opinion in case Case C‑311/18 (so called “Schrems II”)

On December 19, 2019, ECJ’s Advocate General (“AG”)Saugmandsgaard Øe delivered his opinion in case Case C‑311/18. In particular, the AG notes that the request for a preliminary ruling submitted by the High Court of Ireland (‘the High Court’) relates to one of the forms that the “appropriate safeguards” may take: a contract between the exporter and the importer […]

Tags: ,

Advocate General Campos Sánchez-Bordona (ECJ)opines the means and methods of combating terrorism must be compatible with the requirements of the rule of law

Opining in a case in which the ECJ is asked to interpret Directive on privacy and electronic communications to activities relating to national security and combatting terrorism on four references for a preliminary ruling [1] the Advocate General Campos Sánchez-Bordona clarifies the means and methods of combating terrorism must be compatible with the requirements of […]

Tags: ,

Host providers with actual knowledge of illegal activities must expeditiously (and worldwide) remove or disable access to the information, the ECJ held

  On October 3, 2019 in Case C-18/18, Eva Glawischnig-Piesczek v. Facebook Ireland Limited, the European Court of Justice (EDJ) held that — under Directive 2000/31, the Directive on electronic commer – cefor a platform (host provider) to be considered hosting provider (and so benefit from liability exception), while it must play a passive role (having no knowledge of the content), must […]

Spanish DPA’s guidance on cookies

On Nov 8, 2019 also the Spanish DPA (Agencia espanola de proteccion de datos – AEPD) issued a guidance on cookies. The guidance (“Guia Sobre el Uso del las Cookies”, “Guia”) applies to cookies and other technologies. After an introduction, the Guia consists of 4 sections:1. ALCANCE DE LAS NORMAS (scope); 2 TERMINOLOGÍA Y DEFINICIONES […]

Tags: ,

EDPB’s Fifteenth Plenary session: Important topics discussed

On November 12 and 13, 2019, the European Data Protection Board (EDPB) met in its fifteenth plenary session. The EDPB discussed important topics. Adoption of EU-US Privacy Shield Third Annual Review Report. After the Third Annual Joint Review of the Shield, the EDPB adopted its report. The EDPB appreciates the improvements by the US Authorities[i] […]

Tags: ,

EDPS Guidelines on controller, processor, and joint controllers: an overview

On November 7, 2019, the European Data Protection Supervisor (EDPS) [i] issued the Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725 (“Guidelines”). As a background, Regulation (EU) 2018/1725[ii] (“Regulation”) applies to the processing of personal data by the Union institutions, bodies, offices and agencies. The Guidelines aim at providing […]

Tags: ,

ICO’s Guidance on legitimate interests

This guidance aims at helping controllers “to decide when to rely on legitimate interests as … basis for processing personal data and when to look at alternatives.” The entire Guidance is helpful but particularly helpful are the sections: “Are there cases when legitimate interests is likely to apply?” The GDPR highlights some processing activities where […]

Tags: ,

ICO’s opinion on live facial recognition by enforcement authorities

On October 31, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), published an opinion on live facial recognition (“LFR”) by enforcement authorities: The use of live facial recognition technology by law enforcement in public places (“Opinion”) The ICO points out that a statutory and binding code of practice issued by government, modelled on […]

Tags: ,

Google “Safari Workaround” action’s “block” overturned by UK Court of Appeal

On October 2, 2019, the UK Court of Appeal unanimously overturned a block on a “class-action” lawsuit (technically a “collective action”) brought by a veteran on behalf of millions iPhone users against  Google for the latter’s use of “Safari Workaround” . Now the case can be heard. The lawsuit alleges that Google secretly tracked some […]

Tags: ,

EDPB’s 14th Plenary Session

On October 8th and 9th, 2019, the European Data Protection Board (“EDPB“), which is the EU body in charge of the application of the General Data Protection Regulation (“GDPR) and consists of a representative of each EU DPA and of the European Data Protection Supervisor (EDPS), met for its fourteenth plenary session and: – adopted the final […]

Tags: ,

Cayman Islands’s data protection law came into effect

The Cayman Islands data protection law 2017 (“DPL”) came into effect on September 30, 2019 and applies to all organizations, businesses and public authorities that use personal data. The DPL is centered on the following principles: Fair and lawful use Purpose limitation Data accuracy Storage limitation Respect for the individual’s rights Security – integrity & confidentiality International transfers (i.e., Personal […]

Tags:

Right to be forgotten and Google – update

UPDATE: On September 24, 2019, the European Court of Justice ruled in favor of Google after the company appealed. The Court found that Google is not forced to censor its search results on a global scale and is only required to remove outdated or irrelevant links on its European sites. The ruling stated, “Currently, there […]

Tags:

The agenda of EDPB’s Thirteenth Plenary Meeting

The EDPB (European Data Protection Board) made public its agenda for the Thirteenth Plenary Meeting of the 10 September 2019. The agenda includes a tribute to Giovanni Buttarelli, former European Data Protection Supervisor and one of the most respected figures in data protection, after his death last month. The agenda includes a discussion on the guidelines on data subject […]

Tags:

European Parliament publishes a paper on blockchain and the GDPR

European Parliament publishes a paper on blockchain and the GDPR, titled “The General Data Protection Regulation  Can distributed ledgers be squared with European data protection law?” Here is the link to this interesting paper: http://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf   More information. on GDPR and blockchain, Francesca Giannoni-Crystal 

Tags: ,

ECJ holds by embedding social media plug-ins in website you may become a joint data controller with the social media provider

  On July 29, 2019, the Court of Justice of the European Union (ECJ) published its judgement in case C-40/17, holding – like Advocate General Bobek (see here) suggested – that an organization who embeds a Facebook “Like” button on its website may be considered a data controller. In this case, a German fashion online […]

Tags: ,

ICO publishes updated report into adtech and real time bidding

  On June 20, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), published an update report into adtech and real time bidding. The ICO is waiting for the adtech sector response to the report and will then undertake a “further industry review in six months’ time”. The report focuses on Real-Time Bidding (RTB). […]

Tags: ,

ICO publishes draft data sharing code of practice and opens consultation

  On July 16, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), opened a consultation on a data sharing code of practice. The consultation closes on September 9, 2019. The data sharing code is a practical guide for controllers sharing personal data. It gives guidance on the applicable law and provides good […]

Tags: ,

CNIL adopts new guidance on cookies

  On July 4, 2019, the Commission Nationale de l’informatique et des Libertés (CNIL), the French Data Protection Authority (DPA) adopted new guidelines on cookies and other tracking devices (“Guidelines”). According to the press release, the scrolling down or swiping through a website or application is no longer viewed as a valid expression of consent to […]

Tags: ,

California federal court holds it can order production of evidence even though it may violate the GDPR

On February 14, 2019, the United States District Court for the Northern District of California ordered a United Kingdom citizen, party to a U.S. litigation, to produce in unredacted form e-mails containing personal information that could be protected under the GDPR. By way of background. In this patent infringement suit, Plaintiff owned patents involving computer […]

Tags: ,

Microsoft cloud banned from Hessian (Germany) schools due to data protection concerns

  On July 9, 2019, the Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), the Hessian Commissioner for Data Protection and Freedom of Information, banned the use of Office 365 from Hessian schools because its cloud solution is not compliant with EU individuals’ data protection rights. The HBDI’s concern is whether schools – acting as a […]

Tags: ,

Devices security measures legislation passed in Oregon

On May 30, 2019, Oregon Governor signed HB 2395 containing security measures required for devices that connect to the Internet and that are assigned an Internet Protocol address or another number that identifies the connected device. The manufacturer shall equip the connected device with “reasonable security features”, which may consist of means for authentication from […]

Tags:

ICO’s notice of intent to issue record fine for Marriott’s data breach / update

    UPDATE ICO was requested the status of this proposed penalties on Nov 12, 2019. ICO issued a response ICO Disclosure Log – Response ENQ0889841: “[Marriott] made representations to the Information Commissioner regarding these notices in accordance with Schedule 16, paragraph 3(3) of the Data Protection Act 2018. The Information Commissioner is considering those representations in […]

Tags: ,

Update: oral hearing before the ECJ on Model Clauses preliminary ruling

On July 9, 2019, the European Court of Justice (CJEU) heard oral arguments on a landmark case concerning Facebook’s transfer of personal data from the EU to the US on the basis of the currently utilized “standard contractual clauses” (SCCs) mechanism. The CJEU’s decision — will have tangible consequences for businesses performing data transfers from […]

Tags:

Maine adopts what is considered the strictest privacy law in the US for internet service providers

On June 6, 2019 Maine’s governor signed into law LD 946, “An Act To Protect the Privacy of Online Customer Information.” The Act applies to broadband internet service providers (ISPs) defined as any “mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all […]

Tags:

Update on Cambridge Analytica scandal: Italian DPA fined Facebook in the summer of 2019

  On June 28, 2019, the Garante per la protezione dei dati personali, the Italian Data Protection Authority issued a EUR 1 million fine against Facebook following the scandal of Cambridge Analytica. See here for more info. According to the Italian DPA, 57 Italian users downloaded the incriminated application through the Facebook login function. This […]

Tags: ,

Italian DPA’s guidance on how to record processing activities

On October 8, 2018, the Italian Garante per la Protezione dei Dati Personali, the Italian data protection authority, DPA, released instructions on how to maintain a record of processing activities, as well as a sample document compliant with Regulation (EU) no. 679/2016, the General Data Protection Regulation, GDPR. The record – to be maintained by […]

Tags: ,

Arizona A.G. settled over multi-state HIPAA-related data breach for $900,000

  On May 28, 2019, Attorney General Mark Brnovich announced a settlement with healthcare software providers Medical Informatics Engineering Inc. and NoMoreClipboard, LLC regarding some claims brought against them under the federal Health Insurance Portability and Accountability Act (HIPAA). By way of background. Defendants were business associates that were providing health records services that enabled […]

Tags:

NY A.G. settles with online retailer Bombas which failed to notify data breach involving credit cards details

  On June 6, 2019 Attorney General Letitia James, announced a $65,000 settlement with online retailer Bombas LLC for failing to provide notice of payment cards consumers’ data breach that affected 39,561 consumers. In 2014 unauthorized intruders inserted malicious software code to steal payment card information into the ecommerce platform supporting Bombas’ website. Intruders accessed […]

Tags: ,

European AI HLEG’s ethics guidelines for trustworthy artificial intelligence

The “Ethics Guidelines for Trustworthy ArtificialI Intelligence” is a document prepared by the independent high-level expert group on artificial intelligence set up by the European Commission, the High-Level Expert Group on Artificial Intelligence (AI HLEG) presented its ethics guidelines for trustworthy artificial intelligence. According to the AI HLEG, Trustworthy AI has three components: it should be […]

Tags: ,

Blockchain law passed in San Marino contains some interesting aspects

  On June 6, 2019, the Republic of San Marino approved the Blockchain Decree of the Republic of San Marino (Delegate Decree n. 86, dated May 23, 2019). No official press statement has been released yet, but this source revealed the news. The Blockchain Decree provides a regulatory framework formulating specific rules for two different […]

Tags:

Reshaping of civil money penalties penalties for HIPAA violations

    On April 30, 2019, the Department of Health and Human Services (HHS) announced that it would be using its discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as such provision was amended by the Health […]

Tags:

Nigeria’s extensive data protection law is in force

On April 25, 2019, the Nigeria Data Protection Regulation 2019 entered into force. The Regulation was issued by the National Information Technology Development Agency, NITDA, and it mirrors the EU General Data Protection Regulation (GDPR). The Regulation’s scope of application is quite broad. It applies to all transactions intended for the processing of personal data […]

Tags: ,

Important question about the GDPR “one –stop shop” mechanism referred to the ECJ

On May 8, 2019, the Brussel’s Court of Appeal referred certain questions to the Court of Justice of the European Union (CJEU) to ensure that the Belgian Data Protection Authority (DPA) can pursue the case against Facebook also after the GDPR entered into force. In particular, the questions is whether the one-stop shop mechanism (which […]

Tags: ,

North Carolina bill to amend Identity Theft Protection Act and to increase consumer protection post-breach

On April 16, 2019, North Carolina House of Representative introduced H.B. 904. The Bill amends the Identity Theft Protection Act. Among the many changes introduced, the Bill: amends the definition of security breach to include any incident of “unauthorized access to or acquisition of (was, access to and acquisition of) unencrypted and unreacted records or […]

Tags:

EU Parliament adopts regulation on platform-to-business trading practices

    On April 17, 2019, the EU Parliament adopted the proposed EU Regulation on platform-to-business trading practices. The text adopted by the European Parliament still has to be formally approved by the Council of the European Union. Once approved, the Regulation will enter into force 12 months after its publication in the Official Journal. […]

Tags: ,

Washington state modifies its breach notification law

  On April 22, 2019, the House of Representatives modified chapter 19.255 RCW to amend its data breach notification law. The definition of “data breach” does not change. The security of the system means “unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” But […]

Tags:

Massive violation of US households data

  On April 30, 2019, vpnMentor published an article revealing that hacktivists Noam Rotem and Ran Locar discovered an unprotected database impacting up to 80 million American households (65% of US households). The 24 GB database was hosted by a Microsoft cloud server and included the number of people living in each household with their full […]

Tags:

Washington State’s legislation on blockchain. This is one of the 28 pieces of legislation on blockchain introduced in the several US jurisdictions in 2019

Blockchain companies successfully lobbied for legislation that recognized blockchain as a legitimate record-keeping technology. On April 26, 2019, Washington State Governor signed bill SB 563 recognizing the validity of distributed ledger technology. The bill adds a new chapter to the Revised Code of Washington and it introduces the definitions of Blockchain, which means a cryptographically […]

Tags:

EU Parliament proposal to create gigantic biometric database

On April 16, 2019, the European Parliament informed that it decided to create the Common Identity Repository (CIR). The CIR will interconnect a series of data systems (listed below) into a gigantic biometric database containing data about EU and non-EU citizens to improve data exchange between EU information systems to manage borders, security and migration. […]

Tags: ,

FTC’s investigation into Facebook data practices could result in a fine up to 5 billion, Facebook estimates

On April 24, 2019, Facebook published its financial results for the first quarter, where it estimated a probable loss and recorded an accrual of $3 billion  in connection with an investigation by the Federal Trade Commission  (FTC).  The investigation could result in a penalty of up to 5 billion. The FTC began its investigation into […]

Tags: ,

EDPS’s Guidelines on Article 6(1)(b) lawful basis for processing in online services open for comments until May 24

On November 9, 2019, the European Data Protection Board (EDPB) adopted guidelines on the GDPR’s lawful basis for processing. In particular, the EDPB provided guidance on the “contractual necessity basis for processing personal data in the context of online services.” Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context […]

Tags: ,

Danish DPA recommends fine for taxi app for violation of GDPR data retention rules

  With a decision published on March 18, 2019, the Danish Privacy Authority, Datatilsynet (DPA), found that a Danish Taxi App – Taxa 4×35 – did not respect the principle of data minimization envisaged by the GDPR (art. 5.1(c)), keeping the personal data of the customers beyond the expected retention period. The company deleted the […]

Tags: ,

UK DPA fined “parenting club” company for violation of the principle of “fairness” in processing

  On April 9, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), served a monetary penalty notice under section 55A of the Data Protection Act 1998 (DPA) of around $ 520,000. The fined company (Bounty) shared the personal data of over 14 million individuals to a number of organizations including credit reference […]

Tags: ,

Utah passes bill regulating warrant (and exceptions) to search certain electronic information

On March 27, 2019, the Utah Governor signed H.B.57 into law. The Bill modifies provisions related to privacy of electronic information or data and their access by law enforcement. H.B 57 defines electronic information and data as being any “information or data including a sign, signal, writing, image, sound, or intelligence of any nature transmitted […]

Tags:

Illinois bill aims at eliminating BIPA (Biometric Information Privacy Act)’s private right of action

  On February 25, 2019, an Illinois Senator introduced SB2134 to amend the Biometric Information Privacy Act (740 ILCS 14/1 et seq., BIPA) creating a  private right of action. The bill is currently in Committee. The majority of BIPA claims have been brought against businesses as class actions seeking statutory damages.   Synopsis Amends the […]

Tags: ,

Polish DPA imposes first GDPR fine for breach of duty to inform data subjects

On March 26, 2019, Urzędu Ochrony Danych Osobowych (UODO), the Polish Data Protection Agency (DPA) imposed a fine of around $250,000 on a company for failure to fulfill its information obligation as a controller. The UODO explained that the controller did not meet the information obligation (Art. 14 (1) – (3), GDPR) in relation to […]

Tags: ,

Washington State privacy act moves ahead

  On Friday, March 22, 2019,  the Washington State House of Representative’s Committee on Innovation, Technology and Economic Development held its first public hearing on the proposed privacy legislation, SB 5376. The Washington privacy act, SB 5376, was introduced January 17, 2019 and passed its third reading in the Senate with 46 votes (against 1) on […]

Tags:

Dutch DPA is the first European DPA to publish fining policy under GDPR

On March 14, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DPA) published on Netherlands Official Gazette its own General Data Protection Regulation (GDPR) fining policy. It is the first European Union (EU) country to do so. Article 83, GDPR, provides that DPAs can issue to controllers and processors “effective, proportionate and dissuasive” administrative fines […]

Tags: ,

Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union

Regulation (EU) 2018/1807 of 14 November 2018, which deals with “non personal data” in the framework of the EU’s digital single market strategy; it aims at removing obstacles to data mobility and the internal single market. In particular, it prohibits data localization requirements by place EU Member States in point of storage or processing of non-personal data, […]

Tags: ,

FTC orders $5.7 mln civil penalty for COPPA violation (the biggest ever for COPPA violations)

  On February 27, 2019, the American Federal Trade Commission (FTC) published a proposed stipulated order for civil penalties and other reliefs against Musical.ly for violation of the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from kids without parental consent. The $5.7 million civil penalty is the FTC’s largest ever under COPPA. […]

Tags: ,

Spanish DPA publishes survey on device fingerprinting

  On February 2, 2019, the Spanish Data Protection Agency (AEPD) published a Survey on Device Fingerprinting. (“Survey“) “Device fingerprinting is the systematic gathering of information on a specific remote device with the aim of identifying, singling out and, thus being able to monitor its user’s activity for the purpose of profiling.” The data set […]

Tags: ,

Bulgaria adopts GDPR harmonization law

On February 20, 2019, Bulgaria adopted the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) harmonization law. The law amends and supplements the previous data protection act from 2002. It also transposes the EU Law Enforcement Directive (Directive (EU) 2016/680). The new Law on Personal Data Protection (LASLPDP) entered into force on March 2, 2019 […]

Tags: ,

German Antitrust ordered Facebook to stop “combining” data of German users without voluntary consent

  On February 7, 2019, the Bundeskartellamt, the German antitrust authority, prohibited Facebook from combining data concerning German Facebook users gathered also from third party websites when the user didn’t give voluntary consent to this practice. The decision concerns all private users of Facebook based in Germany. According to the Bundeskartellamt’s decision, until now, individuals […]

Tags: ,

GDPR’s harmonization laws enacted

Below a list of the harmonization laws enacted by each EU member state. Austria: the Datenschutz-Anpassungsgesetz 2018, the “Datenschutzgesetz“. Belgium: Framework Act (Dutch) Framework Act (French), DPA Act (Dutch), DPA Act (French) Croatia: Zakona O Provedbi Opće Uredbe O Zaštiti Podataka, the Act on Implementation of the General Data Protection Regulation (Official Gazette no. 42/2018) Cyprus: Law n 125(I)/2018 Czech […]

Tags: ,

Massive violations in US health data

  In February 2019 there have been reports of violations of health data affecting thousands of patients in US medical centers. One of the major breaches affected 974,000 patients at the University of Washington clinic (see here), while the other involved 326,000 users of UConn Health, a large medical center academic (see here). In both […]

Tags: ,

Italian law defines blockchain and smart contracts

  On February 12, 2019, Law no. 12/2019, converting into law the so called Decreto Semplificazioni (“Simplification Decree”), Legislative Decree No. 135/2018 was published on the Italian Official Gazette no. 36/2019. Among other provisions, the Simplification Decree defines the concept of “technologies based on distributed ledgers (blockchain)” and “smart contracts”. “Technologies based on distributed ledgers” are technologies and […]

Tags:

European Commission’s update on GDPR after 8 months of its application (with list of member states’ harmonization laws)

  On January 25, 2015, the European Commission released a statement with an update about the effects of the adoption of Regulation 2016/679/EU (GDPR). See: Joint Statement by First Vice-President Timmermans, Vice-President Ansip, Commissioners Jourová and Gabriel ahead of Data Protection Day Since its entry into force on May 25, 2018, “citizens have become more […]

Tags:

Advocate General opined that embedding a Facebook “Like” button on websites could determine a situation of joint control

On December 19, 2018, Advocate General Bobek, published his opinion in case C-40/17, deeming that anyone who enters the Facebook “Like” button on his website can be considered a joint controller. In this case, a German fashion online retailer embedded a Facebook’s ‘Like’ button in its website. As a result, when users landed on the […]

Tags: ,

Illinois Supreme Court found improper collection and retention of handprints constitutes injury-in-fact sufficient to grant standing

    On January 25, 2019, the Illinois Supreme Court found that data subjects do not need to allege a concrete injury in order to sue under the Biometric Information Privacy Act (Act) (740 ILCS 14/1 et seq., BIPA). Contrary to the appellate court’s view, the Illinois Supreme Court found that “actual injury or adverse […]

Tags:

After Alabama passed its data breach law, there is no American jurisdiction without a data breach statute

On March 28, 2018, Alabama was the last State, after South Dakota, to adopt a data breach notification statute. The Alabama Data Breach Notification Act of 2018 (S.B. 318) went into effect on June 1, 2018. According to the Alabama Statute, any “covered entity” and “third-party agent” must comply. Written notification must be made to all affected […]

Tags:

EU Commission adopts adequacy decision on Japan

On 23 January 2019, the EU Commission adopted its adequacy decision on Japan, allowing personal data to flow freely between Europe and Japan. The adequacy decision started to apply as of January 23. The same will happen on the Japanese side. The adequacy decision includes: a set of Supplementary Rules to strengthen the protection of sensitive data, […]

EUR 50 million GDPR sanction issued against Google for lack of transparency, valid legal basis, and lack of consent

On January 21, 2019, the CNIL (Commission Nationale de l’Informatique et des Libertés, the French Data Protection Authority), restricted committee, for the first time applies the new sanctions limit provided by the GDPR and sanctions Google for EUR 50 million for two GDPR violations: 1. “violation of the obligations of transparency and information“ “First, the restricted […]

NY A.G. settled with five companies whose mobile apps were not secure

On December 14, 2018, New York Attorney General Barbara D. Underwood announced settlements with Western Union Financial Services, Inc., Priceline.com, LLC, Equifax Consumer Services, LLC, Spark Networks, Inc., and Credit Sesame, Inc., “for having mobile apps that failed to keep sensitive user information secure when transmitted over the Internet.” No fraud had happened with those […]

Tags: ,

A county in Nevada has started to use blockchain to provide marriage certificates

Washoe County, Reno, in the State of Nevada, uses Ethereum blockchain to provide immutable digital record of wedding certificates. The service allows certified copies of marriage certificates to be emailed. It requires no special technology besides the ability to view a plain PDF. The county uses the services of a company called TitanSeal. At https://www.washoecounty.us… you […]

Tags:

CNIL publishes guidance on data transfer to third parties for electronic prospecting

On December 28, 2018, the French Data Protection Agency, the Commission Nationale de l’informatique et des Libertés (CNIL) published several principles to help companies comply with the General Data Protection Regulation (GDPR) while transferring personal data to their commercial partners for electronic prospecting. Particularly, the CNIL highlights how: the data subject must give consent before the […]

Tags: ,

Washington DC sues Facebook over Cambridge Analytica

The DC Attorney General alleged in lawsuit Facebook’s ‘misleading privacy settings’ allowed it to harvest information from DC residents, in violation of  violated the D.C. Consumer Protection Procedures Act. The AG alleged that “nearly half of all District residents’ data to manipulation for political purposes during the 2016 election”. The AG stated Facebook failed to […]

German court decides what can be the first decision on non-material damages under the GDPR

In November 2018, a German local court, the Amtsgericht Diez, decided on a claim for immaterial damages under Art. 82.1, GDPR.  According to this source, on May 25, 2018, Plaintiff received an e-mail in which Plaintiff’s consent to receive a newsletter was requested. An email of this sort is considered spam under German law and […]

Tags: ,

GDPR complaints against Google for tracking filed with seven EU DPAs

On November 27, 2018, the European Consumer Organisation (BEUC), informed that seven EU consumer organizations filed complaints against Google with their national data protection authorities (DPAs) for breaching the General Data Protection Regulation (GDPR) in relation to how the company tracks its users’ location. The complaints are based on new research (Every step you take) […]

Tags: ,

EDPS adopts Guidelines on GDPR’s territorial scope

On November 16, 2018, the European Data Protection Board (EDPB) adopted guidelines on the territorial application of the GDPR. Guidelines 3/2018 on the territorial scope of Regulation 2016/679/EU- Version for public consultation. The guidelines are now open to public consultation. The Guidelines aim at clarifying the territorial scope of the GDPR, in particular where the data […]

Tags: ,

Italian DPA opines words “father-mother” contained in new bill could force disclosure of inaccurate and unnecessary data

Expressing an opinion on a proposed bill aiming at substituting –in a 2015 Ministerial decree, Ministero dell’Interno del 23 dicembre 2015 – the words “father“ and “mother” in place of “parents or legal guardians” on the application for a minor’s ID, the Garante per la Protezione dei Dati (the Italian Data Protection Authority) highlights how the […]

DOJ’s Net Neutrality Lawsuit Against California

On September 30, 2018, the DOJ filed net neutrality lawsuit against the State of California, alleging that Senate Bill 822, a bill signed into law by Governor Jerry Brown, unlawfully imposes burdens on the Federal Government’s deregulatory approach to the Internet. See more here. complaint here Francesca Giannoni-Crystal

Tags:

Portuguese hospital challenges GDPR EUR 400,000 fine

On October 10, 2018, the Portuguese Data Protection Authority (CNPD) found the Barreiro Hospital guilty of violating the integrity and confidentiality principle and the data minimization principle set forth by the GDPR. According to this source, the infringements were punished with a fine of €400,000. The hospital is going to fight the fine, this source […]

Tags: , ,

EU Parliament’s resolution to boost DLTs and blockchains

On October 3, 2018, the European Parliament published a resolution on distributed ledger technologies (DLTs) and blockchain. DLTs and blockchain are the technologies behind bitcoin and other crypto currencies, and basically consist in a ledger of digital information maintained in decentralised form across a large network of computers. See here for more information. The EU […]

Tags: , ,