Strengthening the US Practice with the Addition of Alan L. Friel!

We are delighted to report that Alan L. Friel has joined our global Data Privacy & Cybersecurity Practice as Deputy Chair.  Alan arrives from BakerHostetler, where he led the US Consumer Privacy practice, co-chaired the retail, restaurant and e-commerce industry initiative, and served as the California Digital Assets and Data Management Leader.

Alan has nearly three decades of experience in the fields of data collection, monetization, protection and in particular AdTech.  He also has many years of experience advising major brands and start-ups on advertising, digital media, and consumer protection law more broadly, including data aspects. With both in-house and private practice experience, Alan has a first-hand understanding of the day-to-day issues that clients face and has the expertise to craft creative and commercial solutions.

Based in Los Angeles, California, Alan has advised hundreds of clients on compliance with the California Consumer Privacy Act and is already counseling clients on compliance issues and options under the California Privacy Rights Act, which will take effect in 2023. His addition to our global Data Privacy & Cybersecurity team will be an excellent complement to our rapidly expanding practice in this area.

Alan has a longstanding commitment to diversity and, as an open LGBT professional, has worked to defend LGBT rights and improve support and retention efforts for diverse lawyers.

Additional details about Alan’s background are available on his bio, press release and today’s Law360 article.

Virginia Set to Become Second State to Enact Holistic Data Privacy Law

This article was originally published on February 23, 2021, by the American Bar Association, and is republished here with permission. For more information visit

The article expands on our original report on the Virginia Consumer Data Protection Act published on February 2, 2021.

In the coming days, Governor Ralph Northam is expected to sign into law the Virginia Consumer Data Protection Act (the “Act”), which, if enacted, will become effective on January 1, 2023. As a result, Virginia would become the second state in the US to enact a holistic data privacy law that purports to regulate the collection, use and disclosure of the personal data of its residents generally.

Overview and Quick Take

In many ways, the Act is similar to the California Consumer Privacy Act (the “CCPA”), the first holistic data privacy law in the US, and to the California Privacy Rights Act (the “CPRA”), which was enacted by ballot referendum in November 2020. It also shares some concepts with the EU’s General Data Privacy Regulation (the “GDPR”).  However, it is sufficiently dissimilar to each of those laws that a business developing a compliance strategy for the Act will not be able to rely solely on its previous compliance efforts in complying with the Act.


Off to the Races: Over 50 Privacy Bills Introduced in the State of New York

The ongoing state competition to enact comprehensive privacy legislation, triggered by the enactment of the 2018 California Consumer Privacy Act, is heating up in 2021. We recently wrote a post on the recent Virginia developments, but the Commonwealth of Virginia is not alone.

New York was closely watched in privacy circles last year, as approximately 30 privacy bills had been introduced and were discussed during the 2019-2020 session. None of the bills were enacted but state legislators clearly are not giving up.

More than 50 privacy bills have already been introduced in New York this year for consideration during the 2021-2022 session. We have already posted on the New York Biometric Bill, which is very similar to the Illinois Biometric Information Privacy Act (“BIPA”) and includes a private right of action.

ICO Utilises the Computer Misuse Act to Impose Tougher Penalties for Unauthorised Access to Data

The Information Commissioner’s Office (“ICO”) has, for only the second time in its history, successfully prosecuted individuals under the Computer Misuse Act 1990 (the “Act”) in order to impose harsher criminal penalties for unauthorised access to personal data (including prison sentences and confiscation orders) than are available under the Data Protection Act 2018 (the “DPA 2018”).

Brexit Updated: EU Set to Publish UK Adequacy Decision

In a draft adequacy decision, reported to have been seen by the Financial Times (FT), the European Commission (the “Commission”) is set to allow the continued free flow of data between the EU and UK, after confirming that the UK offers an adequate level of protection for personal data, pursuant to Article 45 of the General Data Protection Regulation (the “GDPR”). According to the FT, the draft decision can be expected this week.

The decision, once adopted, will replace the current interim solution, agreed under the EU-UK Trade and Cooperation Agreement, which allows for companies and organisations to transfer personal data from the EU to the UK up until 30 June 2021. For more information on the interim solution please see our previous update “Brexit Updated: Interim Deal Reached on EU-UK Data Transfers”.

HIPAA Update: Court Vacates OCR HIPAA Penalty and Limits OCR Enforcement Authority

The Fifth Circuit Court of Appeals recently handed down a landmark decision criticizing and restricting how the Department of Health and Human Services’ Office of Civil Rights (OCR) interprets HIPAA and OCR’s penalty authority. OCR brought an enforcement action against the University of Texas M.D. Anderson Cancer Center (M.D. Anderson) stemming from three alleged data breaches and violations of various HIPAA requirements. OCR imposed a US$4,348,000 penalty, which M.D. Anderson appealed up to the Fifth Circuit. In rejecting the penalty, the Court criticized not only OCR’s interpretation of the HIPAA regulations generally but also OCR’s penalty calculation in this case. Our report on the decision prepared by Elliot Golding, Kristin Bryan and Christina Lamoureux is available here.

Complimentary Webinar: Data Security Breaches – Mitigating Risk and Why It Can Cost You Much More Than a Fine

Join us for a complimentary webinar – Data Security Breaches – Mitigating Risk and Why It Can Cost You Much More Than a Fine.

February 18, 2021 at 2pm GMT/9am EST

Data security breaches remain a key source of concern for most businesses. During this session, our panel of experts will provide you with valuable insights from their experience handling, reporting and communicating on data security breaches and claims. Our panelists will address:

  • The various types of data breach reports that are being handled by the supervisory authorities in both the UK and the EU, as well as the mitigating factors considered in deciding whether to take enforcement action
  • The recent increase in “no win, no fee” data breach claims in the UK following a data breach report made to affected individuals
  • Communication tips when faced with a data breach

Panelists include:

The session will be moderated by Matthew Kirk, International Affairs Advisor.

This is an interactive session and questions are welcome from the audience before and during this session.  Additional information and registration is available here.

M&A Transactions: Don’t Forget About Privacy Due Diligence

Since the GDPR came into force in May 2018, data privacy compliance has become increasingly relevant during M&A transactions throughout the EU.  A buyer may ultimately be responsible for the historical data protection law breaches of the target business and for picking up the costs of dealing with any data security breaches that occurred pre-completion of the transaction but are not detected until post-completion. Data protection non-compliance can affect both the vendor and the buyer involved in an M&A transaction, as critical breaches (such as those which affect the ability of the buyer to exploit valuable data) can have a substantial impact on the price of the target business.  In this article our team, including Rosa Barcelo and Francesca Fellowes, examines why this is the case and highlights some of the key pitfalls to watch out for in Italy. Keep in mind these same issues are relevant throughout the EU.

Comprehensive Privacy in the US: Will Virginia be Next?

Virginia may join California as the second US state to enact a comprehensive data-privacy law as soon as next week.

On January 29th the Virginia House of Delegates voted 89-9 to pass HB2307 and sent the bill to the state Senate, which is also moving forward with an identical bill (SB 1392) that is currently before the Senate Finance Committee. Because Virginia’s legislative session is extremely short, absent an extension, the Virginia Senate has less than two weeks to approve the bill before the state legislature adjourns for the year

A New York BIPA in the Making?

On January 6, 2021, a group of seventeen Democrats and seven Republicans introduced in the New York Assembly a new bill, A.B. 27, the “Biometric Privacy Act.” The bill (available for download here) is very similar to the Illinois Biometric Information Privacy Act (“BIPA”), which has spawned much litigation, including many class action lawsuits.  In summary, the bill proposes to regulate private entities’ use of “biometric identifiers” and “biometric information,” which are terms that are specifically defined in the bill by reference to the types of data that each term includes and excludes.

If enacted in its current form, the bill would become only the second biometric privacy act in the United States to provide a private right of action and plaintiffs’ attorneys’ fees for successful litigants.
