Senators and Witnesses Debate a Federal Data Privacy Framework in the United States

On February 27, 2019, the Senate Commerce Committee held a hearing to examine what Congress should do to address risks to consumers and implement data protections for all Americans. The hearing was titled “Policy Principles for a Federal Data Privacy Framework.” It focused on six topics: (1) federal preemption; (2) privacy values; (3) corporate transparency; (4) trust and informed consent; (5) the enforcement authority of the Federal Trade Commission (“FTC”) and State Attorneys General; and (6) special protections for children. Senators on both sides of the aisle generally expressed optimism about working together to address the challenges of developing a federal data privacy framework. We anticipate a continuing debate and proposed legislation in Congress over data privacy. Below is a high-level summary of some of the issues discussed.

States’ Focus on Biometric Privacy Developments Warrants Close Attention

The Illinois Supreme Court’s recent broad interpretation of the pioneering Illinois Biometric Identity Protection Act justifies close attention to legislative and regulatory developments regarding the collection and protection of biometric identifier data. Our previous report on this decision may be found here. Two other states, Texas and Washington, already have biometric identifier privacy laws in place, although not with the breadth of the Illinois statute. For example, neither of those statutes provides for the private right of action that is afforded under the Illinois law; in each case, enforcement of the statute’s provisions is left to the state Attorney General.

California State Assembly Hearing on the California Consumer Protection Act Illustrates the Need for Further Clarity and Amendments

On February 20, 2019, members of California’s Privacy and Consumer Protection Committee (“Committee”) held a hearing at the State Assembly to review concerns from various stakeholders regarding California’s Consumer Protection Act (“CCPA”), and in particular how the law should be amended prior to its 2020 effective date. Indeed, in its present formulation, the CCPA has given rise to a number of controversies. One example, although it was not discussed during the hearing, is whether the Act should, as it currently does, apply to California employee data and treat such data in the same manner as consumer data. The legislature is almost certain to further amend the CCPA, but it is still early and difficult to determine just how far-reaching such amendments will be.


Understanding the Layered Approach to International Data Transfers Under GDPR

In today’s globalised world, there are many cross-border transfers of personal data, which are sometimes stored on servers in different countries.

Chapter V of the General Data Protection Regulation (GDPR), “Transfers of personal data to third countries or international organisations”, provides different tools to frame data transfers from the EU to a “third country” (i.e. a country that is not a member of the European Economic Area). These include the following:

GDPR Enforcement: Portugal

A hospital became one of the first organisations to face GDPR enforcement in Portugal in July 2018. The hospital received a €400,000 fine from the Portuguese regulator, the Comissão Nacional de Protecção de Dados (“CNPD”), for various breaches of the GDPR.

The hospital was fined for the following three violations of the GDPR:

  1. Breach of the data minimisation principle;
  2. Breach of the integrity and confidentiality principle; and
  3. The failure to ensure the ongoing security of processing under Article 32 of the GDPR.

For breaches of the data protection principles, a maximum fine of €20,000,000 or 4% of global turnover, whichever is higher, may be imposed. However, the maximum fine for the third violation is €10,000,000 or 2% of global turnover, whichever is higher.

Illinois Supreme Court Decides Actual Harm Not Necessary to Sue under BIPA

On January 25, 2019, the Illinois Supreme Court ruled that a consumer need not demonstrate an adverse effect or specific harm, such as evidence that personal information was stolen or misused, to have standing to sue under the state’s Biometric Identity Protection Act (BIPA). The court held that a procedural violation of the law itself is sufficient to support a private right of action under BIPA. The court’s decision will give real teeth to the 200-plus BIPA actions already filed in Illinois – the only biometric law in the country with a private right of action – and we are likely to see a boost in lawsuits against private entities alleging procedural BIPA violations.

In Rosenbach v. Six Flags (a more detailed explanation of the facts and previous inter-district split is provided in a previous blog post), the Court held that Rosenbach’s son can be considered an “aggrieved person” under BIPA based simply on the fact that his fingerprint was taken (for a season pass to Six Flags) without the required written consent. The Illinois Supreme Court opined that even a “technical” breach prevents an individual from maintaining his/her biometric privacy, which the court considers a “real and significant” injury to one’s “statutory right[].”


European Commission Adopts Adequacy Decision on Japan


The European Commission announced on 23 January 2019 that it has adopted an adequacy decision on Japan (its press release can be found here).[1] This is a result of the assessment process which began on 5 September 2018, the background of which can be found in our previous blog here.

Japan’s data protection authority, the Personal Information Protection Commission (PPC), has also adopted its equivalent decision on Japanese personal data flows to the EU. This mutual recognition allows the safe free flow of personal data between the two territories, creating the world’s largest arena of secure data flows.

Cybersecurity Takes Focus in Healthcare

Cybersecurity awareness recently took center stage in the healthcare industry when the Department of Health and Human Services (HHS) issued comprehensive, risk-prioritized cybersecurity best practices to combat top threats. HHS mapped this guidance to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, cross-referencing 88 individual sub-practices for healthcare organizations of all sizes.

The HHS guidance focuses on ten top-level cybersecurity best practices, coupled with a series of recommended procedure-strengthening “Threat Quick Tips,” to ward off e-mail phishing attacks, ransomware attacks, loss or theft of equipment and data, insider data loss (whether accidental or intentional), and attacks against connected medical devices that may affect patient safety. The guidance is complete with mock real-world scenarios, a set of companion technical volumes that HHS designed specifically for IT professionals, and an upcoming practical toolkit.

While this new guidance does not create a new “mandatory” cybersecurity framework, regulators and courts may still defer to it when the “reasonableness” of security safeguards is questioned post-breach in the healthcare sector.

Read more about the HHS report here.

Google Defeats Alleged BIPA Violations for Retention and Collection of Face-geometry Scans via Google Photos

Google recently defeated claims that it violated Illinois’s Biometric Identification Privacy Act (“BIPA”) by collecting and retaining facial scans created from photographs uploaded by Google Photos users without obtaining consent and complying with other statutory requirements. The federal court ultimately held that plaintiffs failed to allege a concrete injury sufficient for Article III standing. Finding in Google’s favor, the court distinguished cases finding standing in BIPA cases because, unlike those cases, Google had not shared plaintiffs’ information with any third parties and there was no evidence that the information would be shared or was otherwise at risk. Robin Campbell, India Scarver, and Elliot Golding provide a full summary of this case and its implications here.

How Might a No-Deal Brexit Impact Your Organisation’s Data Protection Obligations?

The UK Parliament has today, 15th January 2019, rejected the Government’s Brexit withdrawal agreement with the EU. This turn of events, which was widely anticipated, increases the prospect of a no-deal Brexit, i.e. a break-up without a divorce settlement. Under current law, the UK will leave the EU on 29th March 2019 with no deal unless, before then, Parliament has accepted the withdrawal agreement or a modified version of it, or a new agreement has been reached with the EU and accepted by Parliament. Although no deal remains an unlikely scenario, it would have consequences for your data protection obligations.

What does this mean for your organisation and the way you manage personal data?