Illinois Supreme Court Decides Actual Harm Not Necessary to Sue under BIPA

On January 25, 2019, the Illinois Supreme Court ruled that a consumer need not demonstrate an adverse effect or specific harm, such as evidence that personal information was stolen or misused, to have standing to sue under the state’s Biometric Information Privacy Act (BIPA). The court held that a procedural violation of the statute is by itself sufficient to support a private right of action under BIPA. The decision gives real teeth to the 200-plus BIPA actions already filed in Illinois – BIPA being the only biometric privacy law in the country with a private right of action – and we are likely to see a boost in lawsuits against private entities alleging procedural BIPA violations.

In Rosenbach v. Six Flags (a more detailed explanation of the facts and previous inter-district split is provided in a previous blog post), the Court held that Rosenbach’s son can be considered an “aggrieved person” under BIPA based simply on the fact that his fingerprint was taken (for a season pass to Six Flags) without the required written consent. The Illinois Supreme Court opined that even a “technical” breach prevents an individual from maintaining his/her biometric privacy, which the court considers a “real and significant” injury to one’s “statutory right[].”


European Commission Adopts Adequacy Decision on Japan

The European Commission announced on 23 January 2019 that it has adopted an adequacy decision on Japan (see its press release). This is the result of the assessment process which began on 5 September 2018, the background of which is set out in our previous blog post.

Japan’s data protection authority, the Personal Information Protection Commission (PPC), has also adopted its equivalent decision on Japanese personal data flows to the EU. This mutual recognition allows the safe free flow of personal data between the two territories, creating the world’s largest arena of secure data flows.

Cybersecurity Takes Focus in Healthcare

Cybersecurity awareness recently took center stage in the healthcare industry when the Department of Health and Human Services (HHS) issued comprehensive risk-prioritized cybersecurity best practices to combat top threats.  HHS mapped this guidance to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, cross-referencing 88 individual sub-practices for healthcare organizations of all sizes.

The HHS guidance focuses on ten top-level cybersecurity best practices, coupled with a series of recommended procedure-strengthening “Threat Quick Tips,” to ward off e-mail phishing attacks, ransomware attacks, loss or theft of equipment and data, insider data loss (whether accidental or intentional), and attacks against connected medical devices that may affect patient safety.  The guidance is complete with mock real-world scenarios, a set of companion technical volumes that HHS designed specifically for IT professionals, and an upcoming practical toolkit.

While this new guidance does not create a new “mandatory” cybersecurity framework, regulators and courts may still defer to it when the “reasonableness” of security safeguards is questioned post-breach in the healthcare sector.


Google Defeats Alleged BIPA Violations for Retention and Collection of Face-geometry Scans via Google Photos

Google recently defeated claims that it violated Illinois’s Biometric Information Privacy Act (“BIPA”) by collecting and retaining facial scans created from photographs uploaded by Google Photos users without obtaining consent and complying with the statute’s other requirements. The federal court ultimately held that the plaintiffs failed to allege a concrete injury sufficient for Article III standing. Finding in Google’s favor, the court distinguished earlier cases that found standing under BIPA because, unlike in those cases, Google had not shared the plaintiffs’ information with any third party and there was no evidence that the information would be shared or was otherwise at risk.  Robin Campbell, India Scarver, and Elliot Golding provide a full summary of the case and its implications.

How Might a No-Deal Brexit Impact Your Organisation’s Data Protection Obligations?

The UK Parliament has today, 15th January 2019, rejected the Government’s Brexit withdrawal agreement with the EU. This turn of events, which was widely anticipated, increases the prospect of a no-deal Brexit, i.e. a break-up without a divorce settlement. Under current law, the UK will leave the EU on 29th March 2019 with no deal unless, before then, Parliament has accepted the withdrawal agreement or a modified version of it, or a new agreement has been reached with the EU and accepted by Parliament. Although no deal remains an unlikely scenario, it would have consequences for your data protection obligations.

What does this mean for your organisation and the way you manage personal data?

The ICO’s New Year’s Resolutions

The ICO published a draft Regulatory Action Policy (“Policy”) on 28 June 2018, supplementing its Information Rights Strategic Plan for 2017-2021 and its International Strategy for 2017-2021. The Policy provides an overview of how, and to what extent, the ICO will use the expanded regulatory enforcement powers conferred on it by the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”).

What Does the New European Electronic Communications Code Mean for OTTs?

As users increasingly rely on non-traditional modes of communication, such as social media and instant messaging applications, email and VoIP, in place of traditional telephone and data services, so too must privacy laws evolve. The European Electronic Communications Code, adopted on December 4, 2018, expands the definition of electronic communications services to include these “over-the-top” (OTT) services. As a result, OTT services become subject to the data processing rules of the existing ePrivacy Directive (ePD).

In an article written for IAPP’s Privacy Tracker, Rosa Barcelo and Matthew Buckwell discuss which obligations will apply to OTTs, whether the GDPR takes precedence over the ePD, and what service providers need to evaluate in advance of the December 21, 2020 effective date.

California to Hold Public Forums on California Consumer Privacy Act as Part of Rulemaking Process

California’s Consumer Privacy Act of 2018 (“CCPA”) which was signed into law in June 2018 will take effect on January 1, 2020.

California Attorney General Xavier Becerra has announced that the California Department of Justice has organized six public forums throughout the State that will provide those impacted by the new law an opportunity to comment on the rulemaking process.

Does the GDPR Allow for the Use of Consent for the International Transfer of Data?

Many data controllers would like to rely on the consent of data subjects to transfer personal data to countries outside the European Economic Area. Has the General Data Protection Regulation 2016/679 (“GDPR”) made it easier to use consent as a basis for international transfers than was the case under Directive 95/46/EC?

Rules on international transfer under GDPR

Chapter V of GDPR offers several legal bases for the transfer of personal data to third countries or international organizations:

  1. An adequacy decision of the European Commission finding that the recipient country, territory, sector or international organisation ensures an adequate level of protection (Article 45).
  2. “Appropriate safeguards” put in place by the exporting controller or processor (Article 46), such as standard contractual clauses adopted by the European Commission or binding corporate rules (BCRs) approved under Article 47.
  3. The “derogations for specific situations” in Article 49(1) GDPR, under which a transfer may be carried out, where neither of the above applies, if one of the listed conditions is fulfilled. One of the derogations applies where “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”.


Data Subject Access Rights – and the Requirement to Provide a Copy of the Personal Data Undergoing Processing

Over the last couple of months, we have noted that companies increasingly struggle with data subject access requests.

The Wording of Art. 15 para. 3 GDPR is Ambiguous

Companies generally understand that they must confirm whether they process personal data of the individual who made the request. They often struggle, however, with the separate requirement of Art. 15 para. 3 GDPR to provide a copy of the personal data undergoing processing, and with what that copy must contain.
