A New Era of Automotive Data Compliance is Coming

A Brief Analysis of Several Provisions on the Security Management for Automotive Data (Trial Implementation)

Connected vehicles capable of connecting to the internet and sharing data with external parties are experiencing exponential growth in China. Despite the apparent benefits of new technologies, they have also raised significant concerns over personal information protection, data protection and cybersecurity. As they are in many other countries, regulators in China are making tremendous efforts to catch up with these new technologies.

On August 16, 2021, China’s first regulation on automotive data security, Provisions on the Security Management for Automotive Data (Trial Implementation) (hereinafter referred to as the “Provisions”), was unveiled and goes into effect on October 1, 2021. The Provisions establish a preliminary compliance framework for automotive data security in China by defining automotive data and regulated entities, stipulating principles for data processing, specifying obligations of data processors, and setting forth rules for cross-border data transmission. Continue Reading

State of the States: Privacy Law Pros Come to Ohio

New: Live and Virtual Privacy Law CLE Event | September 22, 2021

We’re hosting the Southwest Ohio Chapter of the ACC virtually and live in our Cincinnati office.

Join Scott Kane, Alan Friel, Kyle Fath and Kristin Bryan for an up-to-the-minute review of US consumer privacy laws, an in-depth discussion of a proposed new Ohio law, best practices for managing an information governance program, and the latest data security and breach litigation trends and developments.

Click here for complete details.

Date: September 22, 2021

Time: 4:00 PM – 6:00 PM ET; beverages and hors d’oeuvres will be served.

Place: Squire Patton Boggs, 201 E. Fourth Street, Suite 1900, Cincinnati, OH 45202

New PRC Personal Information Protection Law Passed: A Deeper Dive into the Provisions

As reported in our recent post, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China passed the Personal Information Protection Law (the “PIPL”). The implementation date is set for November 1, 2021, though we await some additional detail via promulgation orders on a number of important provisions, as set forth below, from the regulatory authorities. Continue Reading

New York City Passes More City-Level Privacy Legislation

A bill passed by New York City Council regulating data collected by food delivery apps – requiring them to divulge identifiable, customer-level data to restaurants – became law on August 29. The bill, which amends New York City’s Administrative Code, becomes effective on December 27, 2021. Continue Reading

Two (2) Do-Not-Miss Webinars on September 9, 2021: Mark Your Calendars

Register today for the following upcoming events:

Key Learnings From the California AG’s Examples of CCPA Non-Compliance

September 9; 2021: Noon – 1: 00 pm ET

Alan Friel (Squire Patton Boggs) and Ankura’s David Manek and Colleen Yushchak will share insights on the California Attorney General’s recent CCPA enforcement activity.

Hosted by Ankura.

Pending 1.0 hour of general CLE in New York, New Jersey, California, and Arizona, and IAPP credit.

Click here to register.

Beyond HIPAA: Regulating Data in the Health Care Sector

September 9, 2021: 1:00 – 2:00 pm ET

Join Elliot Golding (Squire Patton Boggs), Trinity Car (eHealth) and Joanne Charles (Microsoft) as they look “beyond HIPAA” and highlight other federal and state laws governing health information.

Hosted by the ABA.

Click here to register.

Narrowing the Scope of Data Breach Claims? – Warren v DSG Retail Ltd

Data ProtectionOver the past few years, there has been an increasing number of claims against businesses and public bodies for distress caused by data breaches. The pattern is, by now, a familiar one. A claimant will make a claim for breach of data protection legislation, seeking damages at a relatively low value for the distress and anxiety they say has been caused by the data breach. This claim will be accompanied by claims for one or more of: misuse of private information, breach of confidence and negligence. Added on to the damages claimed will be the legal costs of the claimant’s lawyers, together with the after-the-event (“ATE”) insurance premium for the policy the claimant will have procured to bring a privacy claim. As a result, the defendant is faced with a difficult decision – pay over the odds for a claim where the claimant has suffered no financial loss, or fight litigation with the risk of mounting costs on both sides if the decision goes against them.

Following a cyber-attack in 2017 and 2018, this is the situation that faced DSG Retail Limited (“DSG”), and which has led to an important judgment for these data breach claims, Warren v DSG Retail Ltd [2021] EWHC 2168 (QB). Continue Reading

NEW: China’s Personal Information Protection Law

After three rounds of revisions, on August 20, 2021, the National People’s Congress Standing Committee of the People’s Republic of China officially passed the Personal Information Protection Law (the “PIPL”).

  • Fundamental Principle. The fundamental principles under the PIPL is that collection and processing PI should be limited only the minimum level as necessary to fulfill the specific purpose of PI processing; or the so-called “as minimum and as necessary” principle. PI processing beyond the level of minimum and necessity may be found a violation of the PIPL, even if individual consent is obtained or other formality is fulfilled. PI processing and compliance program should be set up always with the fundamental principles in mind.

Continue Reading

China Passes New Data Privacy and Security Laws

The People’s Republic of China (China), has been active lately in passing several new laws and regulations relating to data privacy and security. Here are 2 of the recent laws which tend to focus more on those handling data national security and/or public interest (ala Critical Information Infrastructure or Important Data). Continue Reading

California AG Offers Cryptic CCPA Enforcement Summaries, and Launches Complaint Tool

On July 19, the Office of the Attorney General of California (OAG) issued a press release summarizing its first year of CCPA enforcement. Seventy-five percent of companies receiving a notice to cure are said to have come into compliance within the 30-day cure period, with 25% reportedly still within that period or under ongoing investigation. The OAG also published summaries of 27 resolved exemplary cases. The OAG was careful to note that the summaries do not constitute advice and do not include all of the facts, however they do offer some insights. Disappointingly, however, the summaries often lack enough detail to allow readers to surmise the enforcement posture that was taken by the OAG, the exact nature of the alleged violations, or the specific actions taken by the company that satisfied the OAG’s inquiry.

Continue Reading

Colorado Governor Signs Consumer Privacy Law

With the stroke of his pen on July 7, Governor Jared Polis (D) signed the Colorado Privacy Act (CPA or Act) into law, making the Centennial State the third U.S. state to pass comprehensive consumer privacy legislation.  The Act, passed by the legislature on June 8, is a combination of elements of California and Virginia consumer privacy laws, possibly creating a harmonization model for other states to follow.  For a comprehensive comparison of the three states’ laws click here.   The CPA will be enforceable as of July 1, 2023.