The Illinois Biometric Information Privacy Act (“BIPA”): When Will Companies Heed the Warning Signs?

The Illinois Biometric Information Privacy Act (“BIPA”) went into effect in 2008 and has been a steady source of litigation ever since. This post summarizes the obligations BIPA imposes, the current state of BIPA litigation, and what steps businesses can take to reduce litigation risks.

What is BIPA?

The stated intent of BIPA was to address the heightened risk of identity theft associated with the processing of biometric data. The legislator’s findings state that, “unlike other unique identifiers that are used to access finances or other sensitive information,” when biologically unique data is compromised, “the individual has no recourse” because the individual cannot change these identifiers.

Public Consultation in France on the Transposition of the European Electronic Communications Code (Directive 2018/1972 of December 11, 2018)

The French government has launched a public consultation on the transposition of Directive (EU) 2018/1972 of December 11, 2018, establishing the European Electronic Communications Code (EECC), which must be transposed before December 21, 2020.

What Is It About?

The consultation concerns the draft modification of the French Postal and Electronic Communications Code (CPCE) and the French Consumer Code, with a view to transposing the EECC.

What Is the EECC?

California Attorney General Proposes Modifications to the Proposed CCPA Regulations

On February 7, 2020, the California Attorney General (AG) announced changes to the California Consumer Privacy Act of 2018 (CCPA) proposed regulations. The AG updated its announcement on February 10, 2020, to indicate that an additional provision was being modified. The modifications include changes to the “Right to Opt Out,” the permissible uses of data by service providers, and the mandatory content of CCPA notices. The deadline for submitting comments on the modified draft of the proposed CCPA regulations is Tuesday, February 25, 2020, at 5 p.m. (PST).

As discussed herein, the Tuesday, February 25, 2020, 5 p.m. timetable indicates that the final rules may be in force before the July 1, 2020, deadline set by the CCPA. Organizations currently working toward CCPA compliance should expect the AG to commence investigative activity as soon as the rulemaking process concludes.

New York Cybersecurity Upgrades: Are You Ready?

This spring, New York’s cybersecurity landscape shifts dramatically as certain provisions of New York’s Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) take effect. The SHIELD Act, 2019 N.Y. Ch. 117, which was signed into law by Governor Cuomo on July 25, 2019, modifies existing data breach law to expand the definition of “Private Information” and imposes new substantive cybersecurity requirements.

Among other provisions, it requires companies, by March 21, 2020, to adopt cybersecurity programs reminiscent of the Written Information Security Program required under Massachusetts law for entities that own or license the personal information of Massachusetts residents. Additionally, with the SHIELD Act’s coverage extending to biometric data, New York joins the handful of states that have acted in this area (the others being Illinois, Texas and Washington).

Enforcement of the NYDFS Cybersecurity Regulation Coming in the Near Future

The NY Department of Financial Services Cybersecurity Regulation, 23 N.Y. Comp. Code R. & Regs. § 500, provides for the protection of customer information and information technology systems of Covered Entities, in recognition of the “ever growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.” The Cybersecurity Regulation is nearly three years old now, but for businesses that are not fully up to speed the consequences may soon be serious in light of anticipated enforcement activity. This includes credit-reporting agencies, which were not covered under the Cybersecurity Regulation as initially enacted.

While the DFS has yet to impose a fine for inadequate cybersecurity compliance, this year may mark the beginning of more vigorous enforcement. This post provides an overview of the Cybersecurity Regulation for purposes of informing Covered Entities of certain notable requirements.

Absent Guidelines, Many Questions on Facilitating DSARs

At present, companies acting as data controllers lack a uniform interpretation of the rules that guide their compliance efforts to respond to data subject rights requests under the EU General Data Protection Regulation. Nevertheless, controllers are expected to adopt internal processes to address such requests in accordance with the applicable legislation. While some EU data protection authorities have published guidance (e.g. the CNIL in France and the UK Information Commissioner’s Office, whose updated draft right of access guidance is in public consultation until Feb. 12), it is not certain that regulators in other EU countries will take a similar position. Even within a single jurisdiction such as Germany, regulators’ interpretation of what constitutes a proper response to, for example, a data subject access request may differ from one supervisory authority to another.

ICO Consults on the Processing of Criminal Convictions Personal Data

The ICO has recently launched a call for views on criminal convictions and offences data, or related security measures, under Article 10 of the GDPR. It is specifically consulting on market practice and understanding in this area.

The Legal Framework

The legal framework surrounding the collection and use of criminal convictions data is complex, and in certain sectors there are additional hurdles to overcome.

Use of the Social Security Number in France

Under Article 87 of Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR), member states may define the specific conditions for the processing of a national identification number or any other identifier of general application. As discussed below, France has made an interesting application of this rule regarding, in particular, the social security number.

Thought Leaders In Privacy: An interview with Rosa Barcelo

Partner Rosa Barcelo sat down with OneTrust DataGuidance for their “Thought Leaders In Privacy” segment to discuss the major data privacy issues that have been a focus over the past year. She also provides insights for organisations looking to comply with recent guidance issued by the CNIL and ICO, key points regarding the proposed ePrivacy Regulation, and her opinion on the developments we will see in global privacy laws in 2020.

The full interview can be viewed here.

ICO Issues Fine Against National Retailer for Security Failings

An unhappy new year for Currys PC World and Dixons Travel stores, as the ICO has issued their owner, DSG Retail Limited, with a Monetary Penalty Notice of £500,000 for serious security failings involving Point of Sale (“POS”) terminals in stores. Although the incident was investigated and addressed under the pre-GDPR legislation, the fine represents the maximum available to the Commissioner under the Data Protection Act 1998, who in her findings observed that “but for the statutory limitation on the amount, it would have been reasonable and proportionate to impose a higher penalty”. This decision is important for retailers, particularly on payment information. It is also helpful to understand the factors involved in the breach of security, and it offers some insight into the ICO’s assessment of “appropriate technical and organisational measures”, which of course remain crucial requirements for the security of personal data under the GDPR.
