ICO publishes draft data sharing code of practice and opens consultation

  On July 16, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), opened a consultation on a data sharing code of practice. The consultation closes on September 9, 2019. The data sharing code is a practical guide for controllers sharing personal data. It gives guidance on the applicable law and provides good […]

President Trump Issues Executive Order on Maintaining American Leadership in Artificial Intelligence

  On February 11, 2019, President Trump signed an executive order on Maintaining American Leadership in Artificial Intelligence. The executive order has several sections, such as federal investment in AI research and development, data and computing resources for AI research and development, guidance for regulation of AI applications, AI and the American workforce, and an […]

Illinois District court finds that improper collection and retention of face-scan measurements doesn’t constitute an injury-in-fact sufficient to meet Article III standing requirements

    On December 28, 2018, Google won summary judgment in a class action alleging that the company handles images in violation of the Illinois 2008 Biometric Information Privacy Act (BIPA). According to the District Court, “plaintiffs have not suffered an injury sufficient to establish Article III standing and their claims are dismissed.” In a (putative) class […]

FCC Sued in Effort to Overturn Net Neutrality Decision

A number of companies and state attorneys general have filed suit against the FCC in efforts to overturn the “Restoring Internet Freedom” decision made in December. This decision rolled back the Net Neutrality rules that regulated how Internet Service Providers (ISPs) handled the web traffic on their network. On February 22nd 2018, the FCC published […]

German subsidiary of H&M fined over €35 million ($41.3 million) for misuse of employees’ data

A German subsidiary of H&M was fined over €35 million ($41.3 million) for violation of the GDPR in the use of its employees’ data. It was found that since 2014, H&M had been processing a considerable amount of data about its employees’ personal life (such as holiday experiences, family issues, religious beliefs, and illness […]

Pennsylvania Bar Association – Formal Opinion 2020-300 “Ethical Obligations For Lawyers Working Remotely”

On April 10, 2020, the Committee on Legal Ethics and Professional Responsibility of the Pennsylvania Bar Association issued Formal Opinion 2020-300, “Ethical Obligations For Lawyers Working Remotely.” The Committee noticed that when Pennsylvania Governor Tom Wolf ordered all “non-essential businesses,” including law firms, to close their offices during the COVID-19 pandemic, and also ordered all persons […]

Belgian DPA sanctions a controller for appointing as DPO the director of one of its departments

On 28 April 2020, the Belgian DPA sanctioned Proximus SA (previously Belgacom) for €50,000 on two bases: non-cooperation under Article 31 of the GDPR and violation of Article 38(6) of the GDPR by appointing as DPO the director of one of its departments (Head of Compliance, Risk and Audit). The problem with the latter was conflict […]

Facebook’s $5B settlement with FTC over Cambridge Analytica approved by federal court

On April 23, 2020, a federal court officially approved the agreement reached between Facebook and the Federal Trade Commission (FTC) last July. The FTC’s investigation began after the events of Cambridge Analytica in 2018. See here for more about this investigation. The settlement agreement received some criticism. Facebook agreed to shift its approach to privacy, […]

Washington State privacy legislation: Update

UPDATE – March 2020 – Washington Privacy Act fails again. It was almost taken for granted that the Washington Privacy Act would pass this time. The Washington State House and Senate were debating two similar bills. The difference was in the enforcement mechanism: while in the House’s Bill both the Attorney General’s office and any […]

EDPS published revised eCommunications guidelines for EU institutions

On January 31, 2020 the EDPS published Revised Guidelines on personal data and electronic communications in the EU institutions (eCommunications guidelines). Recognizing that for “most people, electronic communications (eCommunications) such as email, internet and telephony, occupy a central role in their day-to-day professional and personal activities” and that “eCommunications are essential for organisations to operate […]

EDPB’s Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications

On 28 January 2020, the European Data Protection Board (“EDPB”) adopted Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications. The EDPB states that “connected vehicles are generating increasing amounts of data, most of which can be considered personal data since they will relate to drivers […]

Accepting lawyers’ fees in cryptocurrency – Formal Opinion 2019-5

In Formal Opinion 2019-5, the New York City Bar Ethics Committee advised that agreements requiring the client to pay the lawyer’s fees in cryptocurrency amounted to transactions in which the fee is paid in property rather than standard fee agreements. The Ethics Committee had been asked to opine on the question: Is a fee agreement requiring the […]

DPIA (Data Protection Impact Assessment) in the GDPR – Guidelines, “blacklists” and whitelists

The GDPR requires controllers to implement appropriate measures to be able to demonstrate compliance with the GDPR itself, taking into account, among others, “the risks of varying likelihood and severity for the rights and freedoms of natural persons” (article 24 (1)). In line with the risk-based approach embodied by the GDPR, carrying out a […]

Italian DPA sanctions cell phone carrier EUR 28 million over unlawful data processing

The Italian DPA (“Garante per la Protezione dei dati Personali”) issued a penalty of €27,802,946 to cell phone carrier Tim S.p.A. for numerous and serious violations of data protection related to processing for marketing activities. The violations affected a few million people overall. From January 2017 to the first months of 2019, the DPA […]

(ECJ) Advocate General’s opinion in Case C‑311/18 (so-called “Schrems II”)

On December 19, 2019, ECJ’s Advocate General (“AG”) Saugmandsgaard Øe delivered his opinion in Case C‑311/18. In particular, the AG notes that the request for a preliminary ruling submitted by the High Court of Ireland (‘the High Court’) relates to one of the forms that the “appropriate safeguards” may take: a contract between the exporter and the importer […]

Advocate General Campos Sánchez-Bordona (ECJ) opines that the means and methods of combating terrorism must be compatible with the requirements of the rule of law

Opining in a case in which the ECJ is asked to interpret the Directive on privacy and electronic communications as applied to activities relating to national security and combatting terrorism, on four references for a preliminary ruling [1], Advocate General Campos Sánchez-Bordona clarifies that the means and methods of combating terrorism must be compatible with the requirements of […]

Host providers with actual knowledge of illegal activities must expeditiously (and worldwide) remove or disable access to the information, the ECJ held

On October 3, 2019, in Case C-18/18, Eva Glawischnig-Piesczek v. Facebook Ireland Limited, the European Court of Justice (ECJ) held that, under Directive 2000/31, the Directive on electronic commerce, for a platform (host provider) to be considered a hosting provider (and so benefit from the liability exception), while it must play a passive role (having no knowledge of the content), must […]

Spanish DPA’s guidance on cookies

On Nov 8, 2019, the Spanish DPA (Agencia Española de Protección de Datos – AEPD) also issued guidance on cookies. The guidance (“Guía sobre el uso de las cookies”, “Guía”) applies to cookies and other technologies. After an introduction, the Guía consists of 4 sections: 1. ALCANCE DE LAS NORMAS (scope); 2. TERMINOLOGÍA Y DEFINICIONES […]

EDPB’s Fifteenth Plenary session: Important topics discussed

On November 12 and 13, 2019, the European Data Protection Board (EDPB) met in its fifteenth plenary session. The EDPB discussed important topics. Adoption of EU-US Privacy Shield Third Annual Review Report. After the Third Annual Joint Review of the Shield, the EDPB adopted its report. The EDPB appreciates the improvements by the US Authorities[i] […]

EDPS Guidelines on controller, processor, and joint controllers: an overview

On November 7, 2019, the European Data Protection Supervisor (EDPS) [i] issued the Guidelines on the concepts of controller, processor and joint controllership under Regulation (EU) 2018/1725 (“Guidelines”). As a background, Regulation (EU) 2018/1725[ii] (“Regulation”) applies to the processing of personal data by the Union institutions, bodies, offices and agencies. The Guidelines aim at providing […]

ICO’s Guidance on legitimate interests

This guidance aims at helping controllers “to decide when to rely on legitimate interests as … basis for processing personal data and when to look at alternatives.” The entire Guidance is helpful but particularly helpful are the sections: “Are there cases when legitimate interests is likely to apply?” The GDPR highlights some processing activities where […]

ICO’s opinion on live facial recognition by enforcement authorities

On October 31, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), published an opinion on live facial recognition (“LFR”) by enforcement authorities: The use of live facial recognition technology by law enforcement in public places (“Opinion”). The ICO points out that a statutory and binding code of practice issued by government, modelled on […]

Google “Safari Workaround” action’s “block” overturned by UK Court of Appeal

On October 2, 2019, the UK Court of Appeal unanimously overturned a block on a “class-action” lawsuit (technically a “collective action”) brought by a veteran on behalf of millions of iPhone users against Google for the latter’s use of the “Safari Workaround”. Now the case can be heard. The lawsuit alleges that Google secretly tracked some […]

EDPB’s 14th Plenary Session

On October 8th and 9th, 2019, the European Data Protection Board (“EDPB”), which is the EU body in charge of the application of the General Data Protection Regulation (“GDPR”) and consists of a representative of each EU DPA and of the European Data Protection Supervisor (EDPS), met for its fourteenth plenary session and: – adopted the final […]

Cayman Islands’s data protection law came into effect

The Cayman Islands data protection law 2017 (“DPL”) came into effect on September 30, 2019 and applies to all organizations, businesses and public authorities that use personal data. The DPL is centered on the following principles: Fair and lawful use; Purpose limitation; Data accuracy; Storage limitation; Respect for the individual’s rights; Security – integrity & confidentiality; International transfers (i.e., Personal […]

Right to be forgotten and Google – update

UPDATE: On September 24, 2019, the European Court of Justice ruled in favor of Google after the company appealed. The Court found that Google is not forced to censor its search results on a global scale and is only required to remove outdated or irrelevant links on its European sites. The ruling stated, “Currently, there […]

The agenda of EDPB’s Thirteenth Plenary Meeting

The EDPB (European Data Protection Board) made public its agenda for the Thirteenth Plenary Meeting of 10 September 2019. The agenda includes a tribute to Giovanni Buttarelli, former European Data Protection Supervisor and one of the most respected figures in data protection, after his death last month. The agenda includes a discussion on the guidelines on data subject […]

European Parliament publishes a paper on blockchain and the GDPR

European Parliament publishes a paper on blockchain and the GDPR, titled “The General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?” Here is the link to this interesting paper: http://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf More information on GDPR and blockchain, Francesca Giannoni-Crystal

ECJ holds that by embedding social media plug-ins in your website you may become a joint data controller with the social media provider

On July 29, 2019, the Court of Justice of the European Union (ECJ) published its judgement in case C-40/17, holding – like Advocate General Bobek (see here) suggested – that an organization that embeds a Facebook “Like” button on its website may be considered a data controller. In this case, a German fashion online […]

ICO publishes updated report into adtech and real time bidding

  On June 20, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), published an update report into adtech and real time bidding. The ICO is waiting for the adtech sector response to the report and will then undertake a “further industry review in six months’ time”. The report focuses on Real-Time Bidding (RTB). […]

CNIL adopts new guidance on cookies

On July 4, 2019, the Commission Nationale de l’informatique et des Libertés (CNIL), the French Data Protection Authority (DPA) adopted new guidelines on cookies and other tracking devices (“Guidelines”). According to the press release, the scrolling down or swiping through a website or application is no longer viewed as a valid expression of consent to the […]

EDPB’s oral pleading before EU Court of Justice on Model Clauses preliminary ruling

On July 9, 2019, the Court of Justice of the European Union heard oral arguments on a landmark case concerning Facebook’s transfer of personal data from the EU to the US on the basis of the currently utilized “standard contractual clauses” (SCCs) mechanism. See here for more info. The oral hearing took place in front […]

California federal court holds it can order production of evidence even though it may violate the GDPR

On February 14, 2019, the United States District Court for the Northern District of California ordered a United Kingdom citizen, party to a U.S. litigation, to produce in unredacted form e-mails containing personal information that could be protected under the GDPR. By way of background. In this patent infringement suit, Plaintiff owned patents involving computer […]

EDPS’s Guidelines on video surveillance open for comments until September 15

On July 10, 2019, the European Data Protection Board (EDPB) adopted Guidelines 3/2019 on processing of personal data through video devices. The objective of the guidelines is to provide guidance on how to apply the General Data Protection Regulation, GDPR, in relation to the processing of personal data through video devices. The Guidelines provide several […]

Devices security measures legislation passed in Oregon

On May 30, 2019, Oregon’s Governor signed HB 2395 containing security measures required for devices that connect to the Internet and that are assigned an Internet Protocol address or another number that identifies the connected device. The manufacturer shall equip the connected device with “reasonable security features”, which may consist of means for authentication from […]

ICO’s notice of intent to issue record fine for Marriott’s data breach / update

UPDATE: The ICO was asked about the status of these proposed penalties on Nov 12, 2019. The ICO issued a response (ICO Disclosure Log – Response ENQ0889841): “[Marriott] made representations to the Information Commissioner regarding these notices in accordance with Schedule 16, paragraph 3(3) of the Data Protection Act 2018. The Information Commissioner is considering those representations in deciding […]

Update: oral hearing before the ECJ on Model Clauses preliminary ruling

On July 9, 2019, the European Court of Justice (CJEU) heard oral arguments on a landmark case concerning Facebook’s transfer of personal data from the EU to the US on the basis of the currently utilized “standard contractual clauses” (SCCs) mechanism. The CJEU’s decision will have tangible consequences for businesses performing data transfers from […]

Maine adopts what is considered the strictest privacy law in the US for internet service providers

On June 6, 2019 Maine’s governor signed into law LD 946, “An Act To Protect the Privacy of Online Customer Information.” The Act applies to broadband internet service providers (ISPs) defined as any “mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all […]

Update on Cambridge Analytica scandal: Italian DPA fined Facebook in the summer of 2019

  On June 28, 2019, the Garante per la protezione dei dati personali, the Italian Data Protection Authority issued a EUR 1 million fine against Facebook following the scandal of Cambridge Analytica. See here for more info. According to the Italian DPA, 57 Italian users downloaded the incriminated application through the Facebook login function. This […]

District of Columbia Superior Court establishes jurisdiction over data privacy claims brought under general D.C. consumer protection statute

On May 31, 2019, the District of Columbia Superior Court issued an order rejecting Facebook’s request to dismiss or to stay a data privacy litigation brought under a state consumer protection statute. The case is interesting because the order deals with the decision of a state court on the applicability of state general consumer protection […]

SDNY rejects ADA claim based on mootness and lack of personal jurisdiction

    On June 4, 2019, the United States District Court for the Southern District of New York granted Defendant’s motion to dismiss since the company mooted Plaintiff’s claims and for lack of personal jurisdiction over Defendant. By way of background, Plaintiff alleged that Defendant’s website denied equal access to visually-impaired customers and that Defendant’s […]

Italian DPA’s guidance on how to record processing activities

On October 8, 2018, the Italian Garante per la Protezione dei Dati Personali, the Italian data protection authority, DPA, released instructions on how to maintain a record of processing activities, as well as a sample document compliant with Regulation (EU) no. 679/2016, the General Data Protection Regulation, GDPR. The record – to be maintained by […]

Arizona A.G. settled over multi-state HIPAA-related data breach for $900,000

  On May 28, 2019, Attorney General Mark Brnovich announced a settlement with healthcare software providers Medical Informatics Engineering Inc. and NoMoreClipboard, LLC regarding some claims brought against them under the federal Health Insurance Portability and Accountability Act (HIPAA). By way of background. Defendants were business associates that were providing health records services that enabled […]

Sixth Circuit holds that card brand assessments expenses constituted consequential damages and the merchant shall not bear them

On June 7, 2019, the US Court of Appeals for the Sixth Circuit held that the district court did not err in awarding judgment in favor of a business, as it was exempt from liability under a “consequential damages waiver” contained in the “Merchant Agreement” executed with the data processing company. By way of background. Two […]

NY A.G. settles with online retailer Bombas which failed to notify data breach involving credit card details

On June 6, 2019, Attorney General Letitia James announced a $65,000 settlement with online retailer Bombas LLC for failing to provide notice of a payment card data breach that affected 39,561 consumers. In 2014 unauthorized intruders inserted malicious software code to steal payment card information into the ecommerce platform supporting Bombas’ website. Intruders accessed customer […]

Regulation (EU) 2019/881 sets forth a comprehensive set of measures to face increased cybersecurity challenges

    On June 7, 2019, the Official Journal of the European Union (OJEU) published Regulation (EU) 2019/881, the EU Cybersecurity Act. The EU Cybersecurity Act aims at ensuring the proper functioning of the internal market while achieving a high level of cybersecurity, cyber resilience and trust within the EU. It lays down: (a) the […]

Blockchain law passed in San Marino contains some interesting aspects

  On June 6, 2019, the Republic of San Marino approved the Blockchain Decree of the Republic of San Marino (Delegate Decree n. 86, dated May 23, 2019). No official press statement has been released yet, but this source revealed the news. The Blockchain Decree provides a regulatory framework formulating specific rules for two different […]

Reshaping of civil money penalties for HIPAA violations

    On April 30, 2019, the Department of Health and Human Services (HHS) announced that it would be using its discretion in how it applies HHS regulations concerning the assessment of Civil Money Penalties (CMPs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as such provision was amended by the Health […]

The dissemination of sensitive data for defensive purposes doesn’t violate privacy without actual damages, Italian Supreme Court held

  On May 20, 2019, the Corte di Cassazione, the Italian Supreme Court, clarified that if the damage is not proven, there is no crime for the violation of privacy under the Italian Privacy Code (Article 167, Legislative Decree 196/2003). In this case, a father and a son were involved in a civil proceeding. The father […]

Nigeria’s extensive data protection law is in force

On April 25, 2019, the Nigeria Data Protection Regulation 2019 entered into force. The Regulation was issued by the National Information Technology Development Agency, NITDA, and it mirrors the EU General Data Protection Regulation (GDPR). The Regulation’s scope of application is quite broad. It applies to all transactions intended for the processing of personal data […]

Important question about the GDPR “one-stop shop” mechanism referred to the ECJ

On May 8, 2019, the Brussels Court of Appeal referred certain questions to the Court of Justice of the European Union (CJEU) to ensure that the Belgian Data Protection Authority (DPA) can pursue the case against Facebook also after the GDPR entered into force. In particular, the question is whether the one-stop shop mechanism (which […]

North Carolina bill to amend Identity Theft Protection Act and to increase consumer protection post-breach

On April 16, 2019, the North Carolina House of Representatives introduced H.B. 904. The Bill amends the Identity Theft Protection Act. Among the many changes introduced, the Bill: amends the definition of security breach to include any incident of “unauthorized access to or acquisition of (was, access to and acquisition of) unencrypted and unredacted records or […]

EU Parliament adopts regulation on platform-to-business trading practices

    On April 17, 2019, the EU Parliament adopted the proposed EU Regulation on platform-to-business trading practices. The text adopted by the European Parliament still has to be formally approved by the Council of the European Union. Once approved, the Regulation will enter into force 12 months after its publication in the Official Journal. […]

Washington state modifies its breach notification law

On April 22, 2019, the House of Representatives modified chapter 19.255 RCW to amend its data breach notification law. The definition of “data breach” does not change. The security of the system means “unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” But HB […]

Washington State’s legislation on blockchain. This is one of the 28 pieces of legislation on blockchain introduced in the several US jurisdictions in 2019

Blockchain companies successfully lobbied for legislation that recognized blockchain as a legitimate record-keeping technology. On April 26, 2019, Washington State Governor signed bill SB 563 recognizing the validity of distributed ledger technology. The bill adds a new chapter to the Revised Code of Washington and it introduces the definitions of Blockchain, which means a cryptographically […]

EU Parliament proposal to create gigantic biometric database

On April 16, 2019, the European Parliament announced that it had decided to create the Common Identity Repository (CIR). The CIR will interconnect a series of data systems (listed below) into a gigantic biometric database containing data about EU and non-EU citizens to improve data exchange between EU information systems to manage borders, security and migration. […]

FTC’s investigation into Facebook data practices could result in a fine up to 5 billion, Facebook estimates

On April 24, 2019, Facebook published its financial results for the first quarter, where it estimated a probable loss and recorded an accrual of $3 billion in connection with an investigation by the Federal Trade Commission (FTC). The investigation could result in a penalty of up to 5 billion. The FTC began its investigation into […]

EDPS’s Guidelines on Article 6(1)(b) lawful basis for processing in online services open for comments until May 24

On November 9, 2019, the European Data Protection Board (EDPB) adopted guidelines on the GDPR’s lawful basis for processing. In particular, the EDPB provided guidance on the “contractual necessity basis for processing personal data in the context of online services.” Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context […]

Danish DPA recommends fine for taxi app for violation of GDPR data retention rules

  With a decision published on March 18, 2019, the Danish Privacy Authority, Datatilsynet (DPA), found that a Danish Taxi App – Taxa 4×35 – did not respect the principle of data minimization envisaged by the GDPR (art. 5.1(c)), keeping the personal data of the customers beyond the expected retention period. The company deleted the […]

Information on data protection regulations in the Middle East

  Bahrain. Bahrain enacted Law No. 30, 2018, the law protecting personal data (Data Protection Law), which goes into force on August 1, 2019. Bahrain has several other laws with provisions relating to data protection, including: Law No. 16, 2014, regarding the Protection of Information and State Documents; Law No. 2, 2017, for Ratifying the Arab Agreement in Combating […]

UK DPA fined “parenting club” company for violation of the principle of “fairness” in processing

On April 9, 2019, the UK Data Protection Authority, the Information Commissioner Officer (ICO), served a monetary penalty notice under section 55A of the Data Protection Act 1998 (DPA) of around $520,000. The fined company (Bounty) shared the personal data of over 14 million individuals with a number of organizations including credit reference […]

Utah passes bill regulating warrant (and exceptions) to search certain electronic information

On March 27, 2019, the Utah Governor signed H.B.57 into law. The Bill modifies provisions related to privacy of electronic information or data and their access by law enforcement. H.B 57 defines electronic information and data as being any “information or data including a sign, signal, writing, image, sound, or intelligence of any nature transmitted […]

Illinois bill aims at eliminating BIPA (Biometric Information Privacy Act)’s private right of action

On February 25, 2019, an Illinois Senator introduced SB2134 to amend the Biometric Information Privacy Act (740 ILCS 14/1 et seq., BIPA) creating a private right of action. The bill is currently in Committee. The majority of BIPA claims have been brought against businesses as class actions seeking statutory damages. Synopsis Amends the Biometric […]

U.S. Supreme Court grants certiorari because settlements may not be “fair, reasonable, and adequate” since Plaintiffs might not have standing in light of Spokeo

On March 20, 2019, the U.S. Supreme Court vacated a judgment of the Ninth Circuit and remanded it for further proceedings “Because there remain substantial questions about whether any of the named plaintiffs has standing to sue in light of our decision in Spokeo, Inc. v. Robins, 578 U. S. ___ (2016).” By way of […]

The Australian Gov’t tries to ensure that online platforms cannot be exploited by perpetrators of violence with new bill

On April 4, 2019, the Australian parliament approved the Sharing of Abhorrent Violent Material Bill, which amended the Criminal Code. The bill was approved after the Christchurch terrorist attack to ensure that online platforms cannot be exploited by perpetrators of violence. The attack in March 2019 demonstrated the potential for live streaming to be abused by […]

Recommendation of self-regulatory units should be taken into account to avoid FTC investigations

The Children’s Advertising Review Unit (CARU), a self-regulatory advertising unit approved by the Federal Trade Commission (FTC) and administered by the Council of Better Business Bureaus, recently found issues with the advertising approach taken by two mobile applications for kids: KleptoCats and My Talking Tom. CARU monitors advertising and privacy practices and determines whether such […]

U.S. Supreme Court deems sufficient the “increased risk of future identity theft” for standing in data breach putative class actions

On March 25, 2019, the Supreme Court denied Zappo’s petition for certiorari, allowing a class action to proceed for a 2012 data breach even though consumers didn’t establish they were injured by the breach. This is a setback for companies hoping to limit their liability in data breach cases. By way of background. On June […]

Polish DPA imposes first GDPR fine for breach of duty to inform data subjects

On March 26, 2019, Urzędu Ochrony Danych Osobowych (UODO), the Polish Data Protection Agency (DPA) imposed a fine of around $250,000 on a company for failure to fulfill its information obligation as a controller. The UODO explained that the controller did not meet the information obligation (Art. 14 (1) – (3), GDPR) in relation to […]

Washington State privacy act moves ahead

On Friday, March 22, 2019, the Washington State House of Representatives’ Committee on Innovation, Technology and Economic Development held its first public hearing on the proposed privacy legislation, SB 5376. The Washington privacy act, SB 5376, was introduced January 17, 2019 and passed its third reading in the Senate with 46 votes (against 1) on March […]

Facebook users can file civil law suits, in addition to data protection complains, Vienna higher court rules

On March 25, 2019, Vienna’s higher Regional Court (Oberlandesgericht Wien) ruled that “every citizen can not only file a complaint with the data protection authority, but also submit a lawsuit in courts.” See here. The claim is complicated and concerns Facebook’s breach of EU privacy laws. See here for more info. The admissibility of […]


EDPB opinion on ePrivacy Directive and GDPR respective scope of application

On March 12, 2019, the European Data Protection Board (EDPB) published an opinion defining the GDPR’s scope of application and providing an interpretation on data protection authorities’ competences, tasks and powers. The Belgian Data Protection Authority (DPA) requested the EDPB to examine and issue an opinion on the interplay between the ePrivacy Directive (2002/58/EC) and […]


Pre-checked boxes aren’t valid for consent nor cookies under EU data protection law

Update: In October 2019, the European Court of Justice held that in order to store cookies on user devices, the users must actively consent and that a pre-checked checkbox that users must actively deselect is not a valid form of consent. The European Court of Justice also stated that all types of cookies require active consent, […]


2018 State of the State Courts Survey finds ODR attractive

On December 3, 2018, the National Center for State Courts issued a survey on 2018 State of the State Courts. The annual national survey polled 1,000 registered voters on November 13-17, 2018. The survey shows that there is some interest in alternative methods of dispute resolution. Voters with previous experience dealing with the […]

Italian DPA deems that civic access of deceased data is excluded by law when privacy could be violated

On January 10, 2019, the Italian Garante per la Protezione dei Dati Personali, the Italian data protection authority (DPA), released an opinion according to which the deceased continue to enjoy the protections provided for by the data protection legislation. In a case of alleged malpractice, an individual asked a healthcare company to allow access […]


Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union

Regulation (EU) 2018/1807 of 14 November 2018 deals with “non-personal data” in the framework of the EU’s digital single market strategy; it aims at removing obstacles to data mobility and the internal single market. In particular, it prohibits data localization requirements imposed by EU Member States on the storage or processing of non-personal data, […]


FTC orders $5.7 million civil penalty for COPPA violation (the biggest ever for COPPA violations)

On February 27, 2019, the American Federal Trade Commission (FTC) published a proposed stipulated order for civil penalties and other relief against Musical.ly for violation of the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from kids without parental consent. The $5.7 million civil penalty is the FTC’s largest ever under COPPA. […]


Spanish DPA publishes survey on device fingerprinting

On February 2, 2019, the Spanish Data Protection Agency (AEPD) published a Survey on Device Fingerprinting (“Survey”). “Device fingerprinting is the systematic gathering of information on a specific remote device with the aim of identifying, singling out and, thus being able to monitor its user’s activity for the purpose of profiling.” The data set extracted […]


Bulgaria adopts GDPR harmonization law

On February 20, 2019, Bulgaria adopted the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) harmonization law. The law amends and supplements the previous data protection act from 2002. It also transposes the EU Law Enforcement Directive (Directive (EU) 2016/680). The new Law on Personal Data Protection (LASLPDP) entered into force on March 2, 2019 […]


German Antitrust ordered Facebook to stop “combining” data of German users without voluntary consent

  On February 7, 2019, the Bundeskartellamt, the German antitrust authority, prohibited Facebook from combining data concerning German Facebook users gathered also from third party websites when the user didn’t give voluntary consent to this practice. The decision concerns all private users of Facebook based in Germany. According to the Bundeskartellamt’s decision, until now, individuals […]


GDPR’s harmonization laws enacted

Below is a list of the harmonization laws enacted by each EU member state. Austria: the Datenschutz-Anpassungsgesetz 2018, the “Datenschutzgesetz”. Belgium: Framework Act (Dutch), Framework Act (French), DPA Act (Dutch), DPA Act (French). Croatia: Zakona O Provedbi Opće Uredbe O Zaštiti Podataka, the Act on Implementation of the General Data Protection Regulation (Official Gazette no. 42/2018). Cyprus: Law n 125(I)/2018. Czech […]


Massive violations in US health data

In February 2019 there were reports of violations of health data affecting thousands of patients in US medical centers. One of the major breaches affected 974,000 patients at the University of Washington clinic (see here), while the other involved 326,000 users of UConn Health, a large academic medical center (see here). In both […]


Italian law defines blockchain and smart contracts

On February 12, 2019, Law no. 12/2019, converting into law the so-called Decreto Semplificazioni (“Simplification Decree”), Legislative Decree No. 135/2018, was published in the Italian Official Gazette no. 36/2019. Among other provisions, the Simplification Decree defines the concept of “technologies based on distributed ledgers (blockchain)” and “smart contracts”. “Technologies based on distributed ledgers” are technologies and […]


European Commission’s update on GDPR after 8 months of its application (with list of member states’ harmonization laws)

  On January 25, 2015, the European Commission released a statement with an update about the effects of the adoption of Regulation 2016/679/EU (GDPR). See: Joint Statement by First Vice-President Timmermans, Vice-President Ansip, Commissioners Jourová and Gabriel ahead of Data Protection Day Since its entry into force on May 25, 2018, “citizens have become more […]
