DOJ’s Net Neutrality Lawsuit Against California

On September 30, 2018, the DOJ filed a net neutrality lawsuit against the State of California, alleging that Senate Bill 822, a bill signed into law by Governor Jerry Brown, unlawfully imposes burdens on the Federal Government’s deregulatory approach to the Internet. See more here. Complaint here. Francesca Giannoni-Crystal

Portuguese hospital challenges GDPR EUR 400,000 fine

On October 10, 2018, the Portuguese Data Protection Authority (CNPD) found the Barreiro Hospital guilty of violating the integrity and confidentiality principle and the data minimization principle set forth by the GDPR. According to this source, the infringements were punished with a fine of €400,000. The hospital is going to fight the fine, this source […]

EU Parliament’s resolution to boost DLTs and blockchains

On October 3, 2018, the European Parliament published a resolution on distributed ledger technologies (DLTs) and blockchain. DLTs and blockchain are the technologies behind bitcoin and other crypto currencies, and basically consist in a ledger of digital information maintained in decentralised form across a large network of computers. See here for more information. The EU […]

FTC’s cybersecurity guidance for small businesses

On October 18, 2018, the Federal Trade Commission (FTC) published – along with Department of Homeland Security, the National Institute of Standards and Technology, and the Small Business Administration – guidance for small businesses on how to deal with cyber threats and increase data security. The FTC highlighted a dozen need-to-know topics: Cybersecurity Basics, Understanding […]

Digital Single Market: European Parliament adopts new regulation on the free flow of non-personal data in the EU

On October 4, 2018, the European Parliament adopted the proposed EU Regulation on the Free Flow of Non-Personal Data in the European Union. The Regulation aims at removing obstacles to the free movement of non-personal data within the European Union. The Regulation does not cover data mobility outside the EU. The approved Regulation does not […]

Report on the Blockchain and the GDPR by the European Union Blockchain Observatory and Forum

On October 16, 2018, the European Union Blockchain Observatory and Forum published a thematic report on the Blockchain and the GDPR (“Report”). The report includes the input of a number of different stakeholders and sources. The report aims at answering the question of whether GDPR compliant blockchain is possible. The paper highlights a fundamental point: […]

EDPS will open consultation on Guidelines on GDPR’s Territorial Scope

On September 26, 2018, the European Data Protection Board (EDPB) met for their third plenary session. During such session the EDPB adopted Guidelines on the GDPR’s Territorial Scope. The guidelines will be subject to a public consultation. The Guidelines aim at clarifying the territorial scope of the GDPR, in particular where the data controller or […]

Some solutions for dispute resolution in the Blockchain era

Do the benefits of smart contracts outweigh their downsides? While smart contracts bring a lot of benefits, allowing for a quick execution once a certain condition takes place, a lot of value can get lost in these transactions. For example, it is estimated that in 2017, over $1B in value was lost with smart contracts […]

CNIL publishes analysis of blockchain in light of the GDPR

In September 2018, the French Data Protection Agency, the Commission Nationale de l’informatique et des Libertés (CNIL) published a report explaining how Blockchain relates to the GDPR (“Report”). In particular the Report highlights the following. WHO IS THE CONTROLLER IN A BLOCKCHAIN TRANSACTION. Users of the web who decide to submit a transaction to the validation […]

EDPB publishes opinions on national supervisory authorities’ DPIA lists

The EDPB adopted opinions on the draft lists that several supervisory authorities issued regarding the processing operations subject to the requirement of a data protection impact assessment (DPIAs, according to Article 35.4 GDPR). This power of EDPB is pursuant to Article 63, Article 64 (1a), (3) – (8) and Article 35 (1), (3), (4), (6) […]

California Consumers Privacy Act got amended and enforcement actions delayed

Only three months after its approval, the California Consumers Privacy Act (CCPA) was amended. On September 23, 2018, Senate Bill 1121 was signed into law. The legislation, which takes effect immediately, amends the CCPA, which was passed in June 2018. Among other things, the amendment: – clarifies the definition of “personal information”, explaining that it […]

NY A.G. Schneiderman Announced a Record Number Of Data Breach Notices For 2017

Attorney General Schneiderman announced that his office received 1,583 data breach notices in 2017, which was quadruple the 2016 number. Hacking was the leading cause of the data security breaches (44%), while negligence accounted for another 25% of breaches. In particular, employees’ negligence consisted of a combination of inadvertent exposure of records, insider wrongdoing, […]

$999,000 in HIPAA settlements for unauthorized disclosure of patients’ protected health information

On September 20, 2018, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it reached settlement with several medical centers after they allegedly compromised patients’ protected health information (PHI) by inviting film crews on premises to film an ABC’s television documentary series, without first obtaining authorization from patients. According to […]

ICO served GDPR enforcement notice on a non resident organization (Canadian company)

On July 6, 2018, the UK Data Protection Authority, the Information Commissioner’s Office (ICO), served what looks like the first enforcement notice regarding the processing of UK individuals’ personal data by a nonresident organization. The notice was directed to Aggregate IQ (AIQ), a digital advertising, web and software development company based in Canada. […]

Italian GDPR harmonization law is now in force

On September 19, 2018, Legislative Decree n. 101/2018 harmonizing the Italian privacy law with the General Data Protection Regulation (GDPR) entered into force. The Legislative Decree was published in the Official Italian Gazette (Gazzetta ufficiale n. 205 04-09-2018) on September 4, 2018. More on the Legislative Decree and the Italian Privacy Code (Legislative Decree 196/2003) is available […]

Update on French Conseil d’Etat’s request for a preliminary ruling on the right to be forgotten

On September 11, 2018, the Court of Justice of the European Union (CJEU) began hearing evidence from over 70 stakeholders in the case whose judgement shall outline the territorial scope of the right to be forgotten. The panel of 15 CJEU judges will rule in 2019. The request for a preliminary ruling (Case C-507/17) was […]

Italian GDPR harmonization law is published on the Official Gazette

On September 4, 2018, Legislative Decree n. 101/2018 harmonizing the national privacy law with the General Data Protection Regulation (GDPR) was published on the official Italian journal (Gazzetta ufficiale n. 205 04-09-2018). The Legislative Decree does not abrogate the Italian Privacy Code (Legislative Decree 196/2003), which therefore remains in force, but that Code is harmonized with […]

Facebook profile can be accessed by heirs, German federal court says

On July 12, 2018, the German federal court (Bundesgerichtshof, BGH) overturned the judgment of Berlin’s highest state court (Kammergericht), which had denied the parents’ access to their daughter’s Facebook account. The case involved a mother trying to access the deceased 15-year-old daughter’s Facebook account in order to understand the cause of death. With its […]

ECJ’s recommendations to national courts on preliminary ruling procedure

CJEU: in the references for preliminary rulings the national judge must anonymise the data. On July 20, 2018, the Official Journal of the European Union (C 257/1) published a document in which the European Court of Justice (“ECJ”) clarifies to national courts and tribunals the essential characteristics of the preliminary ruling procedure and the […]

Italy works on current privacy rules rather than completely deleting them

On August 8, 2018, the Italian Government communicated that the legislative decree that harmonizes the national legislation to the General Data Protection Regulation (GDPR) will not abrogate the Italian Privacy Code previously in force. According to an initial formulation, the legislative decree was intended to completely repeal the privacy laws in force. However, in the […]

Privacy complaint in Italy shall be filed according to GDPR; local rules surpassed

On May 31, 2018, the Garante per la Protezione dei Dati Personali, Italy’s Data Protection Authority (DPA) issued a decision explaining that until a legislative decree that harmonizes domestic law with the GDPR will come into force, the current complaint procedure shall be considered incompatible with the Regulations. The DPA refers to Article 77, GDPR, […]

EPrivacy Regulation? The EU Council acknowledges further work needs to be done in next presidency

At the beginning of June the EU Council discussed its position on the ePrivacy Regulation to update privacy rules for electronic communications. It appears like no real progress was registered at the Council meeting and that further work is needed under the next presidency (June to December 2018). The ePrivacy Regulation aims at ensuring a […]

ECJ’s preliminary ruling on case of German DPA against Facebook

On June 5, 2018, the European Court of Justice (CJEU) issued its preliminary ruling in C‑210/16, opining on the definition of data controller, applicable national law, and jurisdiction under EU data protection law according to Directive 95/46/EC. According to the CJEU’s judgement, EU companies that have been advertising through Facebook can be considered data controllers […]

The aftermath of Cambridge Analytica’s scandal and other problems for Facebook in Europe

The Cambridge Analytica scandal had several consequences for Facebook in Europe. In the United Kingdom, the Information Commissioner (ICO) is investigating the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors by 30 organizations, including Facebook. See here. The Working Party 29 (WP29) created a Social Media Working Group to develop a […]

Arizona adds blockchain technology to corporations law

Arizona signed House Bill 2603 to add a definition in Section 10-140, Definition – Arizona Revised Statutes (Section 10, Corporations and Associations). In particular, now 10-140(53) reads: 53. “WRITING” OR “WRITTEN” INCLUDES BLOCKCHAIN TECHNOLOGY AS DEFINED IN SECTION 44‑7061. See https://legiscan.com/AZ/text/HB2603/id/1718691 The definition of “blockchain technology” is contained in Section 44-7061: “distributed ledger technology that uses a distributed, […]

EU Council’s Corrigendum to GDPR

Less than one month to the entering into force of the GDPR, the text (in all language versions) is still subject to changes, sometimes significantly. http://data.consilium.europa.eu/doc/document/ST-8088-2018-INIT/en/pdf For more information and for advice on GDPR implementation, Francesca Giannoni-Crystal.

DPAs’ guidance on exercising data subjects’ rights under GDPR vis-a-vis social media

Several DPAs have issued guidance on how individuals can exercise their rights as data subjects vis-a-vis social media platforms. See for example: – ICO – United Kingdom: https://ico.org.uk… – Data Protection Commissioner – Ireland: https://dataprotection.ie… – Croatian Data Protection Agency: request for the protection of rights request for removing personal data from social networks reporting […]

Italian DPA fines political party for privacy policy violation

In March 2018, the Garante per la Protezione dei Dati Personali, Italy’s Data Protection Authority, issued a fine of Euros 32,000 against the Rousseau association, controller of the processing of data of the website users of the Italian political party “5-Star” (Cinque Stelle). Federprivacy reports. After a data breach, the Italian DPA started investigating whether […]

Cybersecurity Tech Accord signed by 34 global technology and security companies

On April 17, 2018, 34 global technology and security companies signed a Cybersecurity Tech Accord, agreeing to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states. The 34 companies include ABB, Arm, Cisco, Facebook, HP, HPE, Microsoft, Nokia, Oracle, and Trend Micro, and together represent tech companies that power the world’s internet […]

The Ninth Circuit changes standard on standing in data breach class actions: sufficient the “increased risk of future identity theft”

On March 8, 2018, the U.S. Court of Appeals for the Ninth Circuit found that an alleged “increased risk of future identity theft” suffices for the Article III standing requirement in a data breach putative class action. On June 1, 2015, the District Court of Nevada had dismissed for lack of standing the data breach putative class […]

FTC publishes 2017 Privacy & Data Security report

The Federal Trade Commission (FTC) issued its 2017 Privacy & Data Security Update. The annual report summarizes the year’s privacy and data security enforcement actions, advocacy, workshops and guidance. Among the FTC’s 2017 privacy and security actions announced are the first actions enforcing the EU-U.S. Privacy Shield framework. The 2017 Privacy & Data Security update […]

Italian Council of Ministers’ preliminary approval of GDPR’s “harmonization” decree

The Italian Council of Ministers preliminarily approved a legislative decree (in furtherance of Parliament’s delegation Law October 25 2017, no. 163), containing provisions to amend domestic law in compliance with the GDPR. In fact, effective May 25, 2018, Legislative Decree June 30, 2003 no. 196 will be abrogated and the GDPR will be immediately into […]

Records of processing activities of Article 30 GDPR – some model forms

Article 30 GDPR requires each controller and each processor to maintain a record of processing activities under its responsibility which must be in writing (including electronic form). Article 30 details the minimum content of the record. Some DPAs have made available model forms and notes for keeping records of processing activities: the BayLDA, the Bavarian DPA […]

Scientific research in Italy may be slowed down by new data processing rules

In an early effort to adapt Italian privacy law to the GDPR, in November 2017, a new Article 110bis was approved for introduction in the Italian Privacy Code, redrafting the discipline concerning the re-use of data for scientific research or statistical purposes. The new Article 110bis, Italian Privacy Code, (Legislative Decree n. 196/2003) introduced three changes that […]

NIST releases Blockchain Technology Overview

In January 2018, NIST, the National Institute of Standards and Technology, released Blockchain Technology Overview. The document is intended for readers with little or no knowledge of blockchain technology. Public comment period: January 24, 2018 through February 23, 2018. Full text available here.

EU Commission’s Guidance on the direct application of GDPR as of May 2018

On January 24, 2018, the Commission issued “Stronger protection, new opportunities – Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018”. In the document the Commission lists the guidelines that the WP29 has issued (and is about to issue) on several important aspects of the Regulations. [1] […]

FTC’s first-ever settlement for violation of children’s privacy through connected toys

On January 8, 2018, the FTC announced that VTech Electronics Limited and its US subsidiary (VTech) agreed to settle with the Federal Trade Commission (FTC) a claim that the companies violated children’s privacy through the commercialization of some connected toys. Allegedly VTech violated COPPA (Children’s Online Privacy Protection Act of 1998) by collecting personal information from children […]

Deceased Floridians maintain their Constitutional right to privacy

In this constitutional challenge to the 2013 amendments to sections 766.106 and 766.1065 of the Florida Statutes requiring claimants in a medical malpractice claim to disclose certain protected health information (PHI) and to consent to secret, ex parte interviews between health providers and defendant, the Florida Supreme Court held that the requirements were unconstitutional and […]

German DPA against Facebook for processing data without permission

On October 24, 2017, Advocate General Bot issued his preliminary opinion in case C‑210/16, opining on the definition of a data controller, applicable national law, and jurisdiction under EU data protection law under Directive 95/46/EC. The opinion is not binding but if followed by the European Court of Justice (CJEU), EU companies that have been […]

ICO’s recommendations on Meltdown and Spectre

In a post of January 5th, Nigel Houlden, the Head of Technology Policy of ICO (the United Kingdom Data Protection Authority) gives organizations recommendations on how to deal with Meltdown and Spectre and protect people’s personal data. As it is now well known, three connected vulnerabilities have been found in Intel’s, AMD’s, and ARM’s processors which could […]

EU-U.S. Privacy Shield ensures “adequate level of data protection” but could be improved, EU Commission finds

On October 18, 2017, the EU Commission published its report on the first annual review of the EU-U.S. Privacy Shield. The report reflects the Commission’s findings on the implementation and enforcement of the EU-U.S. Privacy Shield framework in its first year of operation. According to the EU Commission, the Privacy Shield “continues to ensure an […]

FCC repeals net neutrality rules

Today, on Dec 14, 2017, the Federal Communications Commission (“FCC”) voted 3-2 to repeal the 2015 Open Internet Order, i.e., the Obama-era regulation requiring the companies to treat all web traffic alike. The repeal of net neutrality was performed by the passing of an order named “Restoring Internet Freedom,” which “essentially removes the FCC as a regulator […]

SCOTUS heard oral argument in Carpenter vs US: can the Gov’t access carriers’ location data without a warrant?

On November 29, 2017, the Supreme Court heard oral argument in an important privacy case. The Sixth Circuit held that the protection granted under the Fourth Amendment did not prevent the government from accessing business records from the defendants’ wireless carriers revealing the user’s location without a warrant. In Carpenter v. United States Timothy Carpenter and Timothy Sanders […]

Scientific research in Italy slowed down by new data processing rules?

On December 12, 2017, a new Article 110bis of the Italian Privacy Code came into force, redrafting the discipline concerning use of data for scientific research or statistical purposes. The new Article 110bis, Italian Privacy Code, (Legislative Decree n. 196/2003) introduced three changes that might have harmful consequences for scientific developments. First, it restricts the possibility […]

Legal advertising through texts allowed in NC, NC Ethics Opinion states

North Carolina State Bar 2017 Formal Ethics Opinion 1, April 21, 2017. Topic: text message advertising. The Opinion clarifies that lawyers may use the text message advertising that allows the user to initiate a live telephone communication, provided it complies with North Carolina Rules of Professional Conduct 7.1, 7.2, and 7.3, and all applicable federal […]

WP29 published criteria for appropriate administrative fines in GDPR’s breach

As announced (see here), on October 3, 2017, the Article 29 Working Party (WP29) published its Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (GDPR). Once a GDPR infringement is established, the competent supervisory authority (Article 5 1 GDPR) must identify the most appropriate corrective measure(s) to address the […]

Digital Single Market: unjustified geoblocking to end by the end of 2018

On November 20, 2017, the European Parliament, the Council and the Commission committed to end all geoblocking that unnecessarily prevents consumers from buying products or services online within the EU. The EU digital single market should “give consumers the same possibility to access the widest range of offers regardless of whether they physically enter a […]

Service providers’ surrender of information stored abroad – The United States of America v Microsoft Corporation

On October 16, 2017, the U.S. Supreme Court accepted the U.S. government’s request to review a previous appeals court ruling in favor of Microsoft, preserving service providers from surrendering information stored abroad. The U.S.’s highest court had to decide if companies have a right to refuse to comply with data disclosure demands made by the […]

Apps using facial data cause privacy concerns

On October 22, 2017, the Washington Post shares a new worry about data privacy. The iPhone X’s front sensors scan 30,000 points to make a 3D model of users’ faces and then shares the faces’ maps with lots of apps. However, Apple spokesman Tom Neumayr said “We take privacy and security very seriously. This commitment is reflected […]

WP29’s plenary meeting: final guidelines on DPIA and opening for comments on data breach notification and profiling

At its plenary meeting held in October 2017, Working Party 29 (WP29) examined certain critical matters regarding the implementation of Regulation 2016/679, the so-called General Data Protection Regulation (GDPR). WP29 approved the final version of the Guidelines on Data Protection Impact Assessment (DPIA) after having examined the comments received during the public consultation which ended […]

UK publishes Data Protection Bill – data protection will get stricter

As anticipated (see here), a new Data Protection Bill was introduced to the House of Lords on September 13, 2017 and it officially entered Parliament on September 14, 2017. The new Bill aims at substituting the UK Data Protection Act 1998 and updating data protection laws in accordance with the GDPR. What will it change? […]

Spanish DPA issues Eur 1.2 million fine to Facebook

On September 11, 2017, the Spanish Data Protection Agency (AEPD) issued a closing resolution against Facebook deeming that the company doesn’t process data in accordance with EU data protection law. According to the AEPD, Facebook “collects data on ideology, sex, religious beliefs, personal preferences or browsing activity without clearly informing about how and for what purpose it will use […]

Federal Court affirms District Court’s judgement denying general and specific jurisdiction over Japanese company and its U.S. subsidiary

On March 24, 2017, the Ninth Circuit Court of Appeals affirmed the District Court’s dismissal for lack of personal jurisdiction of plaintiffs-appellants’ claims against Yamaha Motor Corporation, U.S.A. (YMUS), in an action alleging violations of federal and state warranty law and other claims, brought by appellants who purchased allegedly defective outboard motors that Yamaha Motor Co. […]

New York City Bar Opinion 2017-5 on lawyer’s duty of confidentiality when crossing borders

On July 25, 2017, the New York City Bar issued Formal Opinion 2017-5, which concludes that lawyers have a duty to protect clients’ confidential information from disclosure. This duty stretches to U.S. border agents searching electronic devices. Lawyers shall take “reasonable precautions” to avoid disclosure of clients’ confidential information. Such precautions will vary based […]

Conseil d’Etat requests preliminary ruling from CJEU on Right to be Forgotten

The right to be forgotten has been judicially recognized by the CJEU with the Google Spain judgment (Case C-131/12). According to the judgement, Europeans have the right to disappear from search engine’s results under certain conditions. The National Commission of Information Technologies and Liberties (CNIL), Commission nationale de l’informatique et des libertés, rejected some complaints […]

Another jurisdiction finds participation in Avvo, LegalZoom, and Rocket Lawyer unethical

On June 21, 2017, the New Jersey Advisory Committee on Professional Ethics, Committee on Attorney Advertising, and Committee on the Unauthorized Practice of Law opined that New Jersey lawyers may not participate in the Avvo legal service programs “because the programs improperly require the lawyer to share a legal fee with a nonlawyer”. The Committees […]

WP29 issues Opinion to balance employers’ legitimate interests and employees’ reasonable privacy expectations

On June 8, 2017, Working Party 29 (WP29) issued Opinion 2/2017 on data processing at work, which makes a “new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees” also considering the new challenges to data protection created by new technologies. Opinion 2/2017 updates previous Opinion 08/2001 on the processing […]

Mass publication of personal tax information can be banned, the ECHR holds

On June 27, 2017, the Grand Chamber of the European Court of Human Rights (“ECHR”) issued its judgment in the case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland (application no. 931/13) holding that the publication of personal tax information does not violate Article 10 (freedom of expression) of European Convention on Human Rights. […]

ICO issues data protection self assessment toolkit

The United Kingdom DPA, the Information Commissioner’s Office (ICO), published an interactive checklist for organizations to assess compliance with the Data Protection law and to explain how to comply with the GDPR. The ICO’s toolkit includes the following topics: Data protection assurance; Getting ready for the GDPR; Information security; Direct marketing; Records management; Data sharing and subject access; CCTV […]

Autonomous delivery vehicles allowed on Virginia sidewalks starting from July 1

Autonomous delivery robots will be legal on Virginia sidewalks starting July 1, with approval from local city councils. Sen. Bill DeSteph introduced SB 1207 in the Virginia Senate. An identical bill, HB 2016, was introduced in the House by Del. Ron Villanueva. On June 1, 2017, Gov. Terry McAuliffe signed the bill into legislation. See here. and SB […]

Misrepresentation in attorney’s LinkedIn profile leads to ethics sanctions

On December 19, 2016, the Office of Disciplinary Counsel of the Supreme Court of Pennsylvania issued an order accepting a recommendation from the State’s Disciplinary Board to suspend an attorney for one year and one day for engaging in unauthorized practice of law. Among other counts, the Respondent allegedly maintained a LinkedIn profile representing to […]

Italian DPA issues 2016 annual activity report – some interesting (and perhaps unexpected) information

On June 6, 2017, the Italian Data Protection Authority (DPA), the Garante per la Protezione dei Dati Personali, issued the annual report on its activity for 2016. The DPA’s activity concentrated on computer crimes and cyber security; online profiling and social media; cyberbullying; fight against terrorism and mass surveillance; Big Data; use of new technologies […]

SCOTUS to decide whether a warrant is needed to obtain location data from cellphone carriers

On June 5, 2017, the Supreme Court granted a writ of certiorari to review the decision by the Sixth Circuit holding that the protection granted under the Fourth Amendment did not prevent the government from accessing business records from the defendants’ wireless carriers revealing the user’s location without obtaining a warrant. In Carpenter v. United States […]

German Parliament approves Data Protection Act to implement the GDPR

On April 28, 2017, the Deutscher Bundestag, the German Parliament, adopted the Federal Data Protection Act (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU – DSANPUG-EU). The Act implements in Germany the provisions of Regulation 2016/679, the General Data Protection Regulation (GDPR). The Federal Council shall now approve the law, which will enter into force at the same time […]

ICO issues guide to encryption

The Information Commissioner’s Office (ICO) published a guide discussing the use of encryption. The guide provides a range of practical scenarios highlighting “when and where different encryption strategies can help provide a greater level of protection.” Overview of the Guide: Encryption protects information stored on mobile and static devices and in transmission. It is a way […]

Lawyer who ignored client’s Facebook inquiries about his case received a 90-day suspension

On April 27, 2017, the Nebraska Supreme Court ordered the suspension of an attorney from the practice of law for a period of 90 days followed by 1 year’s monitored probation. The Counsel for Discipline of the Nebraska Supreme Court filed formal charges against the attorney. According to the charges, the attorney had taken over […]

NY Court of Appeals dismissed Facebook’s appeal on motion to quash 381 user accounts’ search warrants

On April 4, 2017, the New York Court of Appeals ruled that it does not have authority to hear Facebook’s appeals against motions to quash search warrants issued under the Stored Communications Act (SCA). By way of background, Facebook appealed a September 17, 2013 New York County trial court’s sealed order containing bulk SCA search warrants directing […]

Executive order on strengthening cybersecurity issued by Trump Administration

On May 11, 2017, the Trump Administration issued an executive order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The executive order contains three sections. The first section deals with cybersecurity of federal networks. Agencies shall implement the NIST framework for risk management and risk reduction, federal IT for shared services shall use the […]

International and Technology Issues for Entrepreneurs Legal Clinic

The SC Bar International Law Committee, in conjunction with Trident Technical College, sponsored a free legal clinic for entrepreneurs in North Charleston on Thursday, May 18. The clinic, titled Technology and International Issues for Entrepreneurs, included information on general corporate issues, cybersecurity, cloud computing, websites, social media, contractual clauses to protect entrepreneurs, data protection, data […]

EDPS comments on the ePrivacy Regulation Proposal and calls for strong rules to protect confidentiality of communications (Opinion 6/2017)

On April 24, 2017, the European Data Protection Supervisor (EDPS) released Opinion 6/2017 on the Proposal for a Regulation on Privacy and Electronic Communications (ePrivacy Regulation Proposal). The EDPS welcomes the Proposal for the Regulation. There is a need of “a specific legal tool to protect the right to private life guaranteed by Article 7 […]

Facebook fined EUR 150,000 by French DPA for WhatsApp’s unlawful tracking

On May 16, 2017, the French, Belgian and Dutch members of the Data Protection Contact Group published the results of their investigations after WhatsApp issued its new privacy policy in August 2015, after joining Facebook. See here. DPAs all over the world watched the changes closely and several EU authorities initiated national investigations to verify, […]

WhatsApp was issued a EUR 3 million fine for forcing users to share their personal data with Facebook

On May 11, 2017, the Italian Antitrust Authority (Garante della Concorrenza e del Mercato “ICA”) found that WhatsApp infringed the Italian Consumer Code. In particular, according to the ICA, WhatsApp forced the users of its service “to accept in full the new Terms of Use, and specifically the provision to share their personal data with Facebook, by […]

Italian court voids share purchase agreement due to unauthorized use of digital signature

On December 20, 2016, the Tribunale di Roma held that the unauthorized use of a digital signature smart card could nullify an electronically signed agreement. In this case the Plaintiff had denied having digitally signed an agreement that transferred stock ownership. Since the share transfer agreement was signed electronically, the judge found that the Codice dell’Amministrazione […]

Bitcoin exchange agreements must comply with consumer protection rules, Italian court holds

On January 24, 2017, a court in Verona (Italy) relied on the European Court of Justice’s decision in Case C‑264/14 to hold that the transactions in which a traditional currency is exchanged for units of Bitcoin and vice versa are “supply of services for consideration” contracts. Indeed, Bitcoins are given in return for the “payment of a sum equal to the […]

Guidelines for practical implementation of the GDPR issued by the Italian DPA

The Italian Data Protection Authority, Garante per la privacy, issued Guidelines for the implementation of Regulation EU/2016/679 on Personal Data Protection (GDPR). The DPA suggests some actions that can be carried out right away to comply with the GDPR and provides a general overview of the major innovations introduced by the legislation. The guidelines are […]

60% data breach increase in New York, the Attorney General announces

On March 21, 2017, Attorney General Schneiderman announced that his office received a record number of data breach notices in 2016. Around 1,300 data breaches were reported in 2016. This represented a 60% increase over the previous year; these breaches exposed the personal records of 1.6 million New Yorkers in 2016. Hacking represented the leading […]

WP29 issues guidelines aiming at GDPR implementation

In its plenary meeting held in April 2017, Working Party 29 (WP29) examined certain critical matters regarding the implementation of Regulation 2016/679, the so-called General Data Protection Regulation (GDPR). After having examined the comments received during the public consultation which ended on February 15, 2017 (see here), WP29 adopted the final versions of several guidelines, and […]

Illinois federal court finds face-scan measurements derived from a photo qualify as biometric identifiers

On February 27, 2017, an Illinois federal court denied Google’s motion to dismiss a claim alleging that Google handles images in violation of the Illinois 2008 Biometric Information Privacy Act (BIPA). In a (putative) class action against Google Photos, plaintiffs alleged that the service collects, stores and uses – without informed consent and in violation of BIPA – the […]

First data security class action against law firm is sent to individual arbitration

The first filed privacy class action against a law firm was sent to arbitration. On April 15, 2016, Plaintiffs filed the first class action complaint against a law firm for “systematically exposing confidential client information and storing client data without adequate security”. The complaint accuses Johnson & Bell, a mid-sized Chicago firm, of failing to […]

Comments to proposed amendments to nonlawyers’ provision of legal services in Washington state (update on limited license legal technicians)

Update – April 2017: In December 2016, the Washington Supreme Court published Proposed Amendments to nonlawyers’ provision of legal services, opening them for Comments (among others). The comment period closes April 30, 2017. Any changes adopted would be effective no earlier than September 2017. See proposed changes here: http://www.courts.wa.gov/court_rules/?fa=court_rules.proposedDetails&proposedId=1101 Background: The Washington state supreme court has adopted […]

Public employees’ communications about public business are subject to disclosure under the Cal. Public Records Act even if employees use a personal account, Cal. SC. holds

On March 2, 2017, the California Supreme Court held that the electronic communications of a public employee about the conduct of public business may be subject to disclosure under the California Public Records Act (“CPRA”) even if the employee used a personal account. The court considered how the law, originally designed to cover paper documents, […]
