Cookie Guidance from the UK ICO

Many websites rely on implied consent to set cookies, even though setting cookies requires the same opt-in consent as sending marketing emails. The UK Information Commissioner’s Office (ICO) has made clear in its new guidance that opt-in consent must be obtained before non-essential cookies, such as analytics cookies, are set.

Our team has published an alert which explains the ICO’s interpretation of the rules relating to cookies in the UK and what this means in practice for online businesses. The alert may be accessed here.

China’s Draft Data Security Measures and How They Compare to the GDPR

The Cyberspace Administration of China (the “CAC”) launched a public consultation on the draft Administrative Measures on Data Security (the “Draft Measures”) on May 28, 2019. This consultation sits between the publication of drafts of two other data protection rules, namely the Measures for Security Assessment for Cross-border Transfer of Personal Information and the Measures for Cybersecurity Review.

Together, these three measures will implement a significant portion of the Cyber Security Law (the “CSL”) and become the first set of binding laws focused solely on data protection, adopting certain rules from the non-binding Personal Information Security Specification. The Draft Measures were published just over a year after the General Data Protection Regulation (the “GDPR”) came into effect in the EU, and certain similarities between the two regimes are apparent.

DOJ False Claims Enforcement Reminds Providers to Conduct HIPAA Security Risk Assessments

As explained in a recent post on Squire Patton Boggs’ Anticorruption Blog, the DOJ is pursuing providers who submit false claims under the electronic health records (EHR) incentive program. This enforcement action should serve as a reminder to examine carefully any attestations of EHR compliance, including the requirement to complete the HIPAA-required security risk assessment.

CCPA’s Applicability

The California Consumer Privacy Act (“CCPA”), the most expansive state privacy law in US history, will take effect on January 1, 2020.

Our team will share with readers a series of alerts on the major elements of the CCPA. The first in the series – The California Consumer Privacy Act Series – Part 1: Applicability – focuses on the Act’s applicability, including who it will affect, personal information as defined by the CCPA, and the Act’s exemptions.

Our earlier blog posts discuss the nuances of the CCPA and the possibility of a federal privacy framework.

Are DPOs the Best Solution?

On 30 April, Squire Patton Boggs and the Digital Policy Alliance held an event entitled “Data Governance Under the GDPR: Are DPOs the Best Solution?” The aim of the session was to explore different approaches to managing the tasks involved in data governance, data protection and compliance, and the advantages and disadvantages of having a Data Protection Officer (“DPO”). Following a scene-setting overview from Matthew Kirk, Senior Advisor at SPB, the discussion was led by Lord Erroll (Chairman of the Digital Policy Alliance). Jonathan Bamford (Director of Strategic Policy (Domestic) at the ICO) gave the keynote address and then joined the panel alongside Annette Demmel (Partner, Squire Patton Boggs) and Carol Tullo, OBE (Senior Associate and Legal Counsel, The Trust Bridge).

Will the CCPA be the New TCPA for Plaintiffs?

Last year, the California legislature enacted the California Consumer Privacy Act (the “CCPA”), which imposes key data privacy requirements on businesses collecting or storing data about California residents. The CCPA provides for civil penalties imposed by the California Attorney General (“AG”) and creates a private right of action for residents affected by a data breach. While the CCPA does not take effect until January 1, 2020, businesses likely to be subject to the new law have been busy evaluating compliance measures, as the window between enactment and implementation is quickly closing.

Almost 30 years ago, in 1991, the federal Telephone Consumer Protection Act (the “TCPA”) was likewise enacted to protect consumers, although at the time the law was focused on public concern about telemarketing calls. The amount of litigation, and the number of class actions, under the TCPA has grown exponentially since then, with the U.S. Chamber Institute for Legal Reform reporting a 1,272% increase in TCPA lawsuits from 2010 to 2016.

Did You Miss Our Recent CCPA webinar? Understanding and Preparing for the California Consumer Privacy Act

We have scheduled a make-up session with CLE for June 4, 2019 at 3 p.m. EST.

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) will impose burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” about California residents, regardless of where the business is based. The Act will affect information not only about consumers, but also about employees and business contacts.

No More Games! The CNIL Publishes its 2018 and 2019 Activity Report

The CNIL blows the whistle for the end of the transition period. For the first time, the CNIL’s 2019 investigation program is not specific to a single industry and potentially affects controllers and processors across all sectors of business. Going forward, the CNIL will also be more thorough and less lenient.

2019 Program

Investigation program

The CNIL’s annual investigation programs account for approximately one quarter of its investigations. This year’s program will focus on three major areas:

  • The complaints it receives (whether collective or individual). Complaints relating to the exercise of data subjects’ rights represented about 73.8% of all complaints received in 2018.
  • The sharing of responsibilities between processors and their subcontractors, which is a cross-sector topic.
  • Children’s data (including what data is collected, e.g., photos, biometric data and CCTV in schools, as well as parental consent for children under 15).

As in previous years, the CNIL will also:

  • Investigate complaints and the reports sent to the CNIL.
  • Follow up on past procedures.
  • Gather information from various news sources.

Finally, the CNIL will continue the cooperation initiated in 2018 with other national supervisory authorities, such as joint control operations.


Have You Paid Your Data Protection Fee?

The ICO has issued penalty notices to over 100 organisations for failing to pay their data protection fee. Failing to pay the fee because of an innocent mistake may not be accepted as a valid excuse, as demonstrated by the recent judgment in Farrow & Ball Limited v The Information Commissioner (Dismissed) [2019] UKFTT 2018_0269 (GRC).

Under the Data Protection (Charges and Information) Regulations 2018, UK organisations are required to pay the ICO an annual data protection fee unless they are exempt. The fee payable depends on the tier into which the organisation falls, and ranges from £40 to £2,900.

The Un-healthiness of the Australian Health Sector’s Data Security

More than twelve months after the commencement of the Australian Notifiable Data Breach Scheme,[1] statistics published by the Office of the Australian Information Commissioner (OAIC) have begun to reveal trends in the 812 notifiable data breaches recorded in Australia between 22 February and 31 December 2018. One key trend is the clear susceptibility of the health care industry, which suffered one fifth of all data breaches recorded in Australia in 2018, the highest of any industry.