Regulation (EU) 2018/1807 of 14 November 2018, which deals with “non personal data” in the framework of the EU’s digital single market strategy; it aims at removing obstacles to data mobility and the internal single market. In particular, it prohibits data localization requirements by place EU Member States in point of storage or processing of non-personal data, […]

  On February 2, 2019, the Spanish Data Protection Agency (AEPD) published a Survey on Device Fingerprinting. (“Survey“) “Device fingerprinting is the systematic gathering of information on a specific remote device with the aim of identifying, singling out and, thus being able to monitor its user’s activity for the purpose of profiling.” The data set […]

On February 20, 2019, Bulgaria adopted the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) harmonization law. The law amends and supplements the previous data protection act from 2002. It also transposes the EU Law Enforcement Directive (Directive (EU) 2016/680). The new Law on Personal Data Protection (LASLPDP) entered into force on March 2, 2019 […]

Below a list of the harmonization laws enacted by each EU member state. Austria: the Datenschutz-Anpassungsgesetz 2018, the “Datenschutzgesetz“. Belgium: Framework Act (Dutch) Framework Act (French), DPA Act (Dutch), DPA Act (French) Croatia: Zakona O Provedbi Opće Uredbe O Zaštiti Podataka, the Act on Implementation of the General Data Protection Regulation (Official Gazette no. 42/2018) Cyprus: Law n 125(I)/2018 Czech […]

  On February 12, 2019, Law no. 12/2019, converting into law the so called Decreto Semplificazioni (“Simplification Decree”), Legislative Decree No. 135/2018 was published on the Italian Official Gazette no. 36/2019. Among other provisions, the Simplification Decree defines the concept of “technologies based on distributed ledgers (blockchain)” and “smart contracts”. “Technologies based on distributed ledgers” are technologies and […]

  On January 25, 2015, the European Commission released a statement with an update about the effects of the adoption of Regulation 2016/679/EU (GDPR). See: Joint Statement by First Vice-President Timmermans, Vice-President Ansip, Commissioners Jourová and Gabriel ahead of Data Protection Day Since its entry into force on May 25, 2018, “citizens have become more […]

On December 19, 2018, Advocate General Bobek, published his opinion in case C-40/17, deeming that anyone who enters the Facebook “Like” button on his website can be considered a joint controller. In this case, a German fashion online retailer embedded a Facebook’s ‘Like’ button in its website. As a result, when users landed on the […]

    On January 15, 2019, the United States Court of Appeals for the Ninth Circuit held that websites and mobile applications (app) of places of public accommodation must be fully accessible to persons with disabilities. By way of background, Plaintiff – a blind man – alleged that Defendant Domino’s Pizza, LLC, (Domino’s) failed to […]

On March 28, 2018, Alabama was the last State, after South Dakota, to adopt a data breach notification statute. The Alabama Data Breach Notification Act of 2018 (S.B. 318) went into effect on June 1, 2018. According to the Alabama Statute, any “covered entity” and “third-party agent” must comply. Written notification must be made to all affected […]

On 23 January 2019, the EU Commission adopted its adequacy decision on Japan, allowing personal data to flow freely between Europe and Japan. The adequacy decision started to apply as of January 23. The same will happen on the Japanese side. The adequacy decision includes: a set of Supplementary Rules to strengthen the protection of sensitive data, […]

On January 21, 2019, the CNIL (Commission Nationale de l’Informatique et des Libertés, the French Data Protection Authority), restricted committee, for the first time applies the new sanctions limit provided by the GDPR and sanctions Google for EUR 50 million for two GDPR violations: 1. “violation of the obligations of transparency and information“ “First, the restricted […]

On December 14, 2018, New York Attorney General Barbara D. Underwood announced settlements with Western Union Financial Services, Inc., Priceline.com, LLC, Equifax Consumer Services, LLC, Spark Networks, Inc., and Credit Sesame, Inc., “for having mobile apps that failed to keep sensitive user information secure when transmitted over the Internet.” No fraud had happened with those […]

Washoe County, Reno, in the State of Nevada, uses Ethereum blockchain to provide immutable digital record of wedding certificates. The service allows certified copies of marriage certificates to be emailed. It requires no special technology besides the ability to view a plain PDF. The county uses the services of a company called TitanSeal. At https://www.washoecounty.us… you […]

On December 28, 2018, the French Data Protection Agency, the Commission Nationale de l’informatique et des Libertés (CNIL) published several principles to help companies comply with the General Data Protection Regulation (GDPR) while transferring personal data to their commercial partners for electronic prospecting. Particularly, the CNIL highlights how: the data subject must give consent before the […]

The DC Attorney General alleged in lawsuit Facebook’s ‘misleading privacy settings’ allowed it to harvest information from DC residents, in violation of  violated the D.C. Consumer Protection Procedures Act. The AG alleged that “nearly half of all District residents’ data to manipulation for political purposes during the 2016 election”. The AG stated Facebook failed to […]

In November 2018, a German local court, the Amtsgericht Diez, decided on a claim for immaterial damages under Art. 82.1, GDPR.  According to this source, on May 25, 2018, Plaintiff received an e-mail in which Plaintiff’s consent to receive a newsletter was requested. An email of this sort is considered spam under German law and […]

On November 27, 2018, the European Consumer Organisation (BEUC), informed that seven EU consumer organizations filed complaints against Google with their national data protection authorities (DPAs) for breaching the General Data Protection Regulation (GDPR) in relation to how the company tracks its users’ location. The complaints are based on new research (Every step you take) […]

On November 16, 2018, the European Data Protection Board (EDPB) adopted guidelines on the territorial application of the GDPR. Guidelines 3/2018 on the territorial scope of Regulation 2016/679/EU- Version for public consultation. The guidelines are now open to public consultation. The Guidelines aim at clarifying the territorial scope of the GDPR, in particular where the data […]

Expressing an opinion on a proposed bill aiming at substituting –in a 2015 Ministerial decree, Ministero dell’Interno del 23 dicembre 2015 – the words “father“ and “mother” in place of “parents or legal guardians” on the application for a minor’s ID, the Garante per la Protezione dei Dati (the Italian Data Protection Authority) highlights how the […]

On September 30, 2018, the DOJ filed net neutrality lawsuit against the State of California, alleging that Senate Bill 822, a bill signed into law by Governor Jerry Brown, unlawfully imposes burdens on the Federal Government’s deregulatory approach to the Internet. See more here. complaint here Francesca Giannoni-Crystal

Privacy needs to be reckoned with by “Advanced TV” industry. And this will be more and more the case. According to the press, marketers are investing more and more in advanced TV targeting. Rather than broadcasting the same ad to all households, advanced televisions serve targeted ads to each household. The term “advanced TV” is […]

On October 10, 2018, the Portuguese Data Protection Authority (CNPD) found the Barreiro Hospital guilty of violating the integrity and confidentiality principle and the data minimization principle set forth by the GDPR. According to this source, the infringements were punished with a fine of €400,000. The hospital is going to fight the fine, this source […]

On November 1, 2018, Senator Ron Wyden introduced for discussion the draft of a new Consumer Data Protection Act (Bill SIL18B29). The Bill aims at allowing consumers “to control the sale and sharing of their data, gives the FTC the authority to be an effective cop on the beat, and will spur a new market […]

On October 3, 2018, the European Parliament published a resolution on distributed ledger technologies (DLTs) and blockchain. DLTs and blockchain are the technologies behind bitcoin and other crypto currencies, and basically consist in a ledger of digital information maintained in decentralised form across a large network of computers. See here for more information. The EU […]

On October 18, 2018, the Federal Trade Commission (FTC) published – along with Department of Homeland Security, the National Institute of Standards and Technology, and the Small Business Administration – guidance for small businesses on how to deal with cyber threats and increase data security. The FTC highlighted a dozen need-to-know topics: Cybersecurity Basics, Understanding […]

On October 4, 2018, the European Parliament adopted the proposed EU Regulation on the Free Flow of Non-Personal Data in the European Union. The Regulation aims at removing obstacles to the free movement of non-personal data within the European Union. The Regulation does not cover data mobility outside the EU. The approved Regulation does not […]

On October 16, 2018, the European Union Blockchain Observatory and Forum published a thematic report on the Blockchain and the GDPR (“Report”). The report includes the input of a number of different stakeholders and sources. The report aims at answering the question of whether GDPR compliant blockchain is possible. The paper highlights a fundamental point: […]

On September 26, 2018, the European Data Protection Board (EDPB) met for their third plenary session. During such session the EDPB adopted Guidelines on the GDPR’s Territorial Scope. The guidelines will be subject to a public consultation. The Guidelines aim at clarifying the territorial scope of the GDPR, in particular where the data controller or […]

Do the benefits of smart contracts overwrite their downfalls? While smart contracts bring a lot of benefits, allowing for a quick execution once a certain condition takes place, a lot of value can get lost in these transactions. For example, it is estimated that in 2017, over $1B in value was lost with smart contracts […]

In September 2018, the French Data Protection Agency, the Commission Nationale de l’informatique et des Libertés (CNIL) published a report explaining how Blockchain relates to the GDPR (“Report”). In particular the Report highlights the following. WHO IS THE CONTROLLER IN A BLOCKCHAIN TRANSACTION. Users of the web who decide to submit a transaction to the validation […]

In August, the FTC took action against false claims of participating to the EU-US Privacy Shield Framework. These are the first cases addressing the Privacy Shield Framework introduced on July 12, 2016. Allegedly, the companies under investigation started the application for the EU-U.S. Privacy Shield but never completed it; yet they falsely claimed to be […]

The EDPB adopted opinions on the draft lists that several supervisory authorities issued regarding he processing operations subject to the requirement of a data protection impact assessment (DPIAs, according to Article 35.4 GDPR). This power of EDPB is pursuant to Article 63, Article 64 (1a), (3) – (8) and Article 35 (1), (3), (4), (6) […]

After only three months from its approval the California Consumers Privacy Act (CCPA) was amended. On September 23, 2018 Senate Bill 1121 was signed into law. The legislation, which takes effect immediately, amends the CCPA, which was passed on June 2018. Among other things, the amendment: – clarifies the definition of “personal information”, explaining that it […]

Aon and DLA Piper released a “price of data security” report on where GDPR’s fines are generally insurable. According to the guide, only Finland and Norway allow insurance for this type of fines. In 20 out of 30 jurisdictions, GDPR fines do not seem insurable (like in UK, France, Italy and Spain), and in the […]

Attorney General Schneiderman announced that his office received 1,583 data breaches notice in 2017, which was the quadruple of the 2016 number. Hacking was the leading cause of the data security breaches (44%), while  negligence account for another 25% of breaches. In particular Employees’ negligence consisted of a combination of inadvertent exposure of records, insider wrongdoing, […]

On September 20, 2018, the Department of Health and Human Services, Office for Civil Rights (OCR) announced that it reached settlement with several medical centers after they allegedly compromised patients’ protected health information (PHI) by inviting film crews on premises to film an ABC’s television documentary series, without first obtaining authorization from patients. According to […]

On September 19, 2018, Argentina’s president sent a data protection bill to the national Congress for approvaI. In Argentina the protection of personal data was constitutionally regulated in 1994 and by means of a law promulgated in 2000. See here. According to the bill’s preface, in consideration of the many technological innovations of the last […]

     On July 6, 2018, the UK Data Protection Authority, the Information Commissioner Officer (ICO), served what looks like the first enforcement notice regarding the processing of UK individuals’ personal data by a nonresident organization. The notice was directed to Aggregate IQ (AIQ), a digital advertising, web and software development company based in Canada. […]

On September 19, 2018, Legislative Decree n. 101/2018 harmonizing the Italian privacy law with the General Data Protection Regulation (GDPR) entered into force. Legislative Decree was published on the Official Italian Gazette (Gazzetta ufficiale n. 205 04-09-2018) on September 4, 2018. More on the Legislative Decree and the Italian Privacy Code (Legislative Decree 196/2003) is available […]

On September 11, 2018, the Court of Justice of the European Union (CJEU) began hearing evidence from over 70 stakeholders in the case whose judgement shall outline the territorial scope of the right to be forgotten. The panel of 15 CJEU judges will rule in 2019. The request for a preliminary ruling (Case C-507/17) was […]

On September 4, 2018, Legislative Decree n. 101/2018 harmonizing the national privacy law with the General Data Protection Regulation (GDPR) was published on the official Italian journal (Gazzetta ufficiale n. 205 04-09-2018). The Legislative Decree does not abrogate the Italian Privacy Code (Legislative Decree 196/2003), which therefore remains in force, but that Code is harmonized with […]

On July 12, 2018, the German federal court (Bundesgerichtshof, BGH) overturned the judgment of the Berlin’s highest state court (Kammergerichts), which had denied the parents’ access to their daughter’s Facebook account. The case involved a mother trying to access the deceased 15-year-old daughter’s Facebook account in order to understand the cause of death. With its […]

CJEU: in the references for preliminary rulings the national judge must anonymise the data   On July 20, 2018, the Official Journal of the European Union (C 257/1) published a document in which the European Court of Justice (“ECJ”) clarifies to national courts and tribunals the essential characteristics of the preliminary ruling procedure and the […]

On May 22, 2018, Vermont passed a new data broker piece of legislation, Act No. 171 (H.764), which adopts a number of consumer protection provisions relating to data brokers, their data collection practices, and consumers’ right to opt out of them. It ensures that data brokers have adequate security standards, it aims at prohibiting the […]

On August 14, 2018, the Brazilian president signed the Lei Geral de Proteção de Dados Pessoais (“LGPD”) into law. The LGPD is a comprehensive data privacy regulation, which has many similarities with the GDPR, such as for example its broad scope of application, which includes processing activities conducted wholly outside of Brazil, but affecting or […]

On August 8, 2018, the Italian Government communicated that the legislative decree that harmonizes the national legislation to the General Data Protection Regulation (GDPR) will not abrogate the Italian Privacy Code previously in force. According to an initial formulation, the legislative decree was intended to completely repeal the privacy laws in force. However, in the […]

On May 31, 2018, the Garante per la Protezione dei Dati Personali, Italy’s Data Protection Authority (DPA) issued a decision explaining that until a legislative decree that harmonizes domestic law with the GDPR will come into force, the current complaint procedure shall be considered incompatible with the Regulations. The DPA refers to Article 77, GDPR, […]

At the beginning of June the EU Council discussed its position on the ePrivacy Regulation to update privacy rules for electronic communications. It appears like no real progress was registered at the Council meeting and that further work is needed under the next presidency (June to December 2018). The ePrivacy Regulation aims at ensuring a […]

On June 5, 2018, the European Court of Justice (CJEU), issued its preliminary ruling in C‑210/16, opining on the definition of data controller, applicable national law, and jurisdiction under EU data protection law according to Directive 95/46/EC. According to the CJEU’s judgement, EU companies that have been advertising through Facebook can be considered data controllers […]

The scandal of Cambridge Analytica caused several consequences for Facebook in Europe. In the United Kingdom, the Information Commissioner (ICO) is investigating the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors by 30 organizations, including Facebook. See here. The Working Party 29(WP29) created a Social Media Working Group to develop a […]

According to Reuters, Facebook is modifying its terms and conditions so that the data of around one and a half billion of its users will be processed by Facebook USA rather than Facebook Ireland. As of today, the data of the users of Africa, Asia, Oceania and Latin America are processed by Facebook Ireland, thus […]

Arizona signed House Bill 2603 to add a definition in Section 10-140, Definition – Arizona Revised Statutes (Section 10, Corporations and Associations) In particular, now 10-140(53) reads: 53.  “WRITING” OR “WRITTEN” INCLUDES BLOCKCHAIN TECHNOLOGY AS DEFINED IN SECTION 44‑7061. See https://legiscan.com/AZ/text/HB2603/id/1718691 The definition of “blockchain technology” is contained in Section 44-7061: “distributed ledger technology that uses a distributed, […]

Less than one month to the entering into force of the GDPR, the text (in all language versions) is still subject to changes, sometimes significantly. http-::data.consilium.europa.eu:doc:document:ST-8088-2018-INIT:en:pdf For more information and for advice on GDPR implementation, Francesca Giannoni-Crystal.    

Several DPAs have issued guidance on how individuals can exercise their rights as data subjects vis-a-vis social media platforms. See for example: – ICO – United Kingdom: https://ico.org.uk… – Data Protection Commissioner – Ireland: https://dataprotection.ie… – Croatian Data Protection Agency: request for the protection of rights request for removing personal data from social networks reporting […]

In March 2018, the Garante per la Protezione dei Dati Personali, Italy’s Data Protection Authority, issued a fine of Euros 32,000 against the Rousseau association, controller of the processing of data of the website users of the Italian political party “5-Star” (Cinque Stelle). Federprivacy reports. After a data breach, the Italian DPA started investigating whether […]

Hackers stole a casino’s high-roller database hacking through a thermometer placed in a fish tank of the casino. The hackers accessed it and were then able to find their way across the network and up to the cloud to the valuable database. Source Businessinsider reports on April 15, 2018. Nowadays a lot of devices and everydaytools […]

On April 17, 2018, 34 global technology and security companies signed a Cybersecurity Tech Accord, agreeing to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states. The 34 companies include ABB, Arm, Cisco, Facebook, HP, HPE, Microsoft, Nokia, Oracle, and Trend Micro, and together represent tech companies that power the world’s internet […]

On March 8, 2018, the U.S. Court of Appeals for the Ninth Circuit found that an alleged “increased risk of future identity theft” suffices Article III standing requirement in a data breach putative class action. On June 1, 2015, the District Court of Nevada had dismissed for lack of standing the data breach putative class […]

On March 23, 2018, the omnibus spending bill was signed into law; a portion contains the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). The CLOUD Act’s main goal is to grant governments timely access to electronic data stored by communication-service providers (such as email service providers, certain cloud service providers and social media providers). The […]

On March 21, 2018, South Dakota adopted a data breach notification statute. According to the South Dakota Statute, any “information holder” must comply. An “Information holder” is any person or business that conducts business in South Dakota and owns or licenses “personal information” or “protected information” of residents of South Dakota. The statute is added […]

The Federal Trade Commission (FTC) issued its 2017 Privacy & Data Security Update. The annual report summarizes the year’s privacy and data security enforcement actions, advocacy, workshops and guidance. Among the FTC’s 2017 privacy and security actions announced, is the first actions enforcing the EU-U.S. Privacy Shield framework.   The 2017 Privacy & Data Security update […]

The Italian Council of Ministers preliminarily approved a legislative decree (in furtherance of Parliament’s delegation Law October 25 2017, no. 163), containing provisions to amend domestic law in compliance with the GDPR. In fact, effective May 25, 2018, Legislative Decree June 30, 2003 no. 196 will be abrogated and the GDPR will be immediately into […]

Article 30 GDPR requires each controller and each processor to maintain a record of processing activities under its responsibility which must be in writing (including electronic form). Article 30 details the minimum content of the record. Some DPA made available model forms and notes for keeping records of processing activities: the BayLDA, the Bavarian DPA […]

In an early effort to adapt Italian privacy law to the GDP, in November 2017, a new Article 110bis was approved for introduction in the Italian Privacy Code, redrafting the discipline concerning the re-use of data for scientific research or statistical purposes. The new Article 110bis, Italian Privacy Code, (Legislative Decree n. 196/2003) introduced three changes that […]

In, January 2018, NIST, the National Institute of Standards and Technology, released Blockchain Technology Overview.  The document is thought for readers with little or no knowledge of blockchain technology Public comment period: January 24, 2018 through February 23, 2018 Full text available here  

On January 24, 2018, the Commission issued “Stronger protection, new opportunities – Commission guidance on the direct application of the General Data Protection Regulation as of 25 May 2018”. In the document the Commission lists the guidelines that the WP29 has issued (and is about to issue) on several important aspects of the Regulations. [1] […]

On January 8, 2018, the FTC announced that VTech Electronics Limited and its US subsidiary (VTech) agreed to settle with the Federal Trade Commission (FTC) a claim that the companies violated children’s privacy through the commercialization of some connected toys. Allegedly VTech violated COPPA (Children’s Online Privacy Protection Act of 1998) by collecting personal information from children […]

In this constitutional challenge to the 2013 amendments to sections 766.106 and 766.1065 of the Florida Statutes requiring claimants in a medical malpractice claim to disclose certain protected health information (PHI) and to consent to secret, ex parte interviews between health providers and defendant , the Florida Supreme Court held that the requirements were unconstitutional and […]

On October 24, 2017, Advocate General Bot issued his preliminary opinion in case C‑210/16, opining on the definition of a data controller, applicable national law, and jurisdiction under EU data protection law under Directive 95/46/EC. The opinion is not binding but if followed by the European Court of Justice (CJEU), EU companies that have been […]

In a post of January 5th, Nigel Houlden, the Head of Technology Policy of ICO (the United Kingdom Data Protection Authority) gives organizations recommendations on how to deal with Meltdown and Spectre and protect people’s personal data. As it is now well known, three connected vulnerabilities have been found in Intel’s, AMD’s, and ARM’s processors which could […]

On October 18, 2017, the EU Commission published its report on the first annual review of the EU-U.S. Privacy Shield. The report reflects the Commission’s findings on the implementation and enforcement of the EU-U.S. Privacy Shield framework in its first year of operation. According to the EU Commission, the Privacy Shield “continues to ensure an […]

On November 29, 2017, the Working Party 29 (WP29) established a task force on the Uber data breach case. This task force, led by the Dutch DPA, will be composed of representatives from the French, Italian, Spanish, Belgian and German Data Protection Authorities (DPAs), as well as from the ICO and will coordinate the national […]

Today, on Dec 14, 2017, the Federal Communications Commission (“FCC”) voted 3-2 to repeal the 2015 Open Internet Order, i.e., the Obama-era regulation requiring the companies to treat all web traffic alike. The repeal of net neutrality was performed by the passing of an order named “Restoring Internet Freedom,” which “essentially removes the FCC as a regulator […]

On November 29, 2017, the Supreme Court heard oral argument in an important privacy case. The Sixth Circuit held that the protection granted under the Fourth Amendment did not prevent the government to access business records from the defendants’ wireless carriers revealing the user’s location without a warrant. In Carpenter v. United States Timothy Carpenter and Timothy Sanders […]

Apps using face recognition cause some privacy concerns. The iPhone X’s front sensors scan 30,000 points to make a 3D model of users’ faces and then shares the faces’ maps with lots of apps. However, Apple spokesman Tom Neumayr said “We take privacy and security very seriously. This commitment is reflected in the strong protections […]

On October 22, 2017, a Portland resident filed a lawsuit before the Portland District Court seeking class-action status against Uber over a 2016 data breach. According to the complaint, Uber announced in November 2017 a data breach that occurred in late 2016 and that compromised the personal information of 57 million Uber users. Rather than […]

On December 12, 2017, a new Article 110bis of the Italian Privacy Code came into force, redrafting the discipline concerning use of data for scientific research or statistical purposes. The new Article 110bis, Italian Privacy Code, (Legislative Decree n. 196/2003) introduced three changes that might have harmful consequences for scientific developments. First, it restricts the possibility […]

North Carolina State Bar 2017 Formal Ethics Opinion 1   April 21, 2017 Topic: text message advertising The Opinion clarifies that lawyers may use the text message advertising that allows the user to initiate a live telephone communication, provided it complies with North Carolina Rules of Professional Conduct 7.1, 7.2, and 7.3, and all applicable federal […]

As announced (see here), on October 3, 2017, the Article 29 Working Party(WP29) published its Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (GDPR). Once a GDPR infringement is established, the competent supervisory authority (Article 5 1 GDPR)  must identify the most appropriate corrective measure(s) to address the […]

On November 20, 2017, the European Parliament, the Council and the Commission committed to end all geoblocking that unnecessarily impedes consumers to buy products or services online within the EU. The EU digital single market should “give consumers the same possibility to access the widest range of offers regardless of whether they physically enter a […]

On October 16, 2017, the U.S. Supreme Court accepted the U.S. government’s request to review a previous appeals court ruling in favor of Microsoft, preserving service providers from surrendering information stored abroad. The U.S.’s highest court had to decide if companies have a right to refuse to comply with data disclosure demands made by the […]

On October 22, 2017, the Washington Post shares a new worry about data privacy. The iPhone X’s front sensors scan 30,000 points to make a 3D model of users’ faces and then shares the faces’ maps with lots of apps. However, Apple spokesman Tom Neumayr said “We take privacy and security very seriously. This commitment is reflected […]

At its plenary meeting held in October 2017, Working Party 29 (WP29) examined certain critical matters regarding the implementation of Regulation 2016/679, the so called General Data Protection Regulation (GDPR). WP29 approved the final version of the DPIA guidelines Guidelines on Data Protection Impact Assessment after having examined the comments received during the public consultation which ended […]

As anticipated (see here), a new Data Protection Bill was introduced to the House of Lords on September 13, 2017 and it officially entered Parliament on September 14, 2017. The new Bill aims at substituting the UK Data Protection Act 1998 and updating data protection laws in accordance with the GDPR. What will it change? […]

On September 11, 2017, the Spanish Data Protection Agency (AEPD) issued a closing resolution against Facebook deeming that the company doesn’t process data in accordance with EU data protection law. According to the AEPD, Facebook “collects data on ideology, sex, religious beliefs, personal preferences or browsing activity without clearly informing about how and for what purpose it will use […]

We are accustomed to high-tech breach of privacy, however we should not forget that our personal information can be appropriated also through more traditional mistakes. It happened to Aetna. The insurance giant sent by mail envelopes with a large clear window through which anyone could see the name and address of the intended recipients. Unfortunately, […]

On March 24, 2017, the Ninth Circuit Court of Appeals affirmed the District Court’s dismissal for lack of personal of plaintiffs-appellants’ claims against Yamaha Motor Corporation, U.S.A. (YMUS), in an action alleging violations of federal and state warranty law and other claims, brought by appellants who purchased allegedly defective outboard motors that Yamaha Motor Co. […]

On July 25, 2017, the New York City Bar issued Formal Opinion 2017- 5, which concludes that lawyers have a duty to protect clients’ confidential information from disclosure. This duty stretches to U.S. border agents searching electronic devices. Lawyers shall take “reasonable precautions” to avoid disclosure of clients’ confidential information. Such precautions will vary based […]

On July 21, 2017, New Jersey adopted the “Personal Information and Privacy Protection Act.” According to the law, retailers may scan an ID card only under certain circumstances. By “scanning” the law means to access the barcode or any other machine-readable section of the card “with an electronic device capable of deciphering, in an electronically […]

The right to be forgotten has been judicially recognized by the CJEU with the Google Spain judgment  (Case C-131/12). According to the judgement, Europeans have the right to disappear from search engine’s results under certain conditions. The National Commission of Information Technologies and Liberties (CNIL), Commission nationale de l’informatique et des libertés, rejected some complaints […]

On June 21, 2017, the New Jersey Advisory Committee on Professional Ethics, Committee on Attorney Advertising, and Committee on the Unauthorized Practice of Law opined that New Jersey lawyers may not participate in the Avvo legal service programs “because the programs improperly require the lawyer to share a legal fee with a nonlawyer”. The Committees […]

On June 8, 2017, Working Party 29 (WP29) issued Opinion 2/2017 on data processing at work, which makes a “new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees” also considering the new challenges to data protection created by new technologies. Opinion 2/2017 updates previousOpinion 08/2001 on the processing […]

On June 27, 2017, the Grand Chamber of the European Court of Human Rights (“ECHR”) issued its judgment in the case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland (application no. 931/13) holding that the publication of personal tax information does not violate Article 10 (freedom of expression) of European Convention on Human Rights. […]

On March 7, 2017, Reuters reported that the Danish Data Protection Agency was asked to look into Google’s alleged violation of EU privacy laws by not limiting the amount of time personal data is stored on Google’s servers. “We have become aware of the fact that Google today has 9-10 years of data on users […]

The United Kingdom DPA, the Information Commissioner Officer (ICO), published an interactive checklist fro organizations to assess  compliance with the Data Protection law and to explain how to comply the GDPR, The ICO’s toolkit includes the following topics: Data protection assurance Getting ready for the GDPR Information security Direct marketing Records management Data sharing and subject access CCTV […]

Autonomous delivery robots will be legal on Virginia sidewalks starting July 1, with approval from local city councils. Sen. Bill DeSteph introduced SB 1207 in the Virginia Senate. An identical bill, HB 2016, was introduced in the House by Del. Ron Villanueva. On June 1, 2017, Gov. Terry McAuliffe signed the bill into legislation. See here. and SB […]

On December 19, 2016, the Office of Disciplinary Counsel of the Supreme Court of Pennsylvania issued an order accepting a recommendation from the State’s Disciplinary Board to suspend an attorney for one year and one day for engaging in unauthorized practice of law. Among other counts, the Respondent allegedly maintained a LinkedIn profile representing to […]

On June 6, 2017, the Italian Data Protection Authority (DPA), the Garante per la Protezione dei Dati Personali, issued the annual report on its activity for 2016. The DPA’s activity concentrated on computer crimes and cyber security; online profiling and social media; cyberbullying; fight against terrorism and mass surveillance; Big Data; use of new technologies […]

On June 5, 2017, the Supreme Court granted a writ of certiorari to review the decision by the Sixth Circuit holding that the protection granted under the Fourth Amendment did not prevent the government to access business records from the defendants’ wireless carriers revealing the user’s location without obtaining a warrant. In Carpenter v. United States […]

On May 11, 2017, the Spanish Data Protection Agency (DPA), the Agencia Española de Protección de Datos (AEPD) and ISMS Forum Spain, a not for profit, published a Big Data privacy code of conduct, the Código de buenas prácticas en protección de datos para proyectos de Big Data.   The Code refers to Regulation 2016/679, […]