Join Us– Webinar: Understanding and Preparing for the California Consumer Privacy Act

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) will impose burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, regardless of where the business is based. The Act will impact information regarding not only consumers, but also employees and business contacts.

Join us for a webinar on May 7, 2019, when Elliot GoldingPhil Zender and Ivan Rothman will provide an overview of the CCPA and discuss the act’s:

  • Scope and applicability (e.g., what companies, data and processes will be impacted)
  • Key requirements (e.g., privacy statement, individual rights, etc.)
  • Contextual comparisons to existing US law and GDPR
  • Suggested steps to build a CCPA compliance program efficiently and effectively
  • Practical tips to manage risk and leverage existing compliance processes where possible

Attendees will have the opportunity to ask questions during the program, with a full Q&A session to follow.

If you would like to attend, or have colleagues who would, please register any interested parties.

Can Police Require Individuals to Unlock Their Smartphones?

Recently Chase Goldstein and Thomas Zeno contributed to our Anticorruption Blog. Their article reviews whether police can force individuals to unlock their smartphones. To unlock or not to unlock? Different rules apply depending on where you are located, as the states of Massachusetts and have seen conflicting rulings. There is also an international dimension, illustrated by a recent decision from Israel. In short, travelers must beware.

Read the full post online.


European Commission Announces Provisional Agreement on Whistleblower Directive

In a press release published on March 12, 2019, the European Parliament and its member states reached a provisional agreement on new rules that will guarantee a high level of protection for whistleblowers who report breaches of EU law. The draft establishes a three-tier reporting system (that potentially allows the whistleblower to inform publicly or through media the information) and robust measures against potential retaliation.

Continue Reading

Senators and Witnesses Debate a Federal Data Privacy Framework in the United States

On February 27, 2019, the Senate Commerce Committee held a hearing to examine what Congress should do to address risks to consumers and implement data protections for all Americans. The hearing was titled “Policy Principles for a Federal Data Privacy Framework.” It focused on six topics, including: (1) federal preemption; (2) privacy values; (3) corporate transparency; (4) trust and informed consent; (5) the Federal Trade Commission (“FTC”) and State Attorneys General enforcement authority; and (6) special protections for children. Senators on both sides of the aisle generally expressed optimism about working together to address the challenges of developing a federal privacy data framework. We anticipate a continuing debate and proposed legislation in Congress over data privacy. Below is a high-level summary of some of the issues discussed. Continue Reading

States’ Focus on Biometric Privacy Developments Warrants Close Attention

Fingerprint Scanning on Blue TechnologyThe Illinois Supreme Court’s recent broad interpretation of the pioneering Illinois Biometric Identity Protection Act justifies close attention to legislative and regulatory developments regarding collection and protection of biometric identifier data.  Our previous report of this decision may be found here.  Two other states, Texas and Washington, already have biometric identifier privacy laws in place, although not with the breadth of the Illinois statute. For example, neither of those statutes provides for a private right of action that is afforded under the Illinois law. In each case, enforcement of provisions is left to the state Attorney General.  Continue Reading

California State Assembly Hearing on the California Consumer Protection Act Illustrates the Need for Further Clarity and Amendments

On February 20, 2019, members of California’s Privacy and Consumer Protection Committee (“Committee”) held a hearing at the State Assembly to review concerns from various stakeholders regarding California’s Consumer Protection Act (“CCPA”). In particular, how the law should be amended prior to its 2020 effective date. Indeed, in its present formulation, the CCPA has given rise to a number of controversies. For example, even though not discussed during the hearing, whether the Act should, as it currently does, apply to California employee data and treat such data in the same manner it treats consumer data. The legislature is almost certain to further amend the CCPA, but it is still early and difficult to determine just how far reaching such amendments will be.

Continue Reading

Understanding the Layered Approach to International Data Transfers Under GDPR

In today’s globalised world, there are many cross-border transfers of personal data, which are sometimes stored on servers in different countries.

Chapter V of the General Data Protection Regulation (GDPR), “Transfers of personal data to third countries or international organisations”, provides different tools to frame data transfers from the EU to a “third country” (i.e. a country that is not a member of the European Economic Area). These include the following: Continue Reading

GDPR Enforcement: Portugal

A hospital became one of the first organisations to face GDPR enforcement in Portugal in July 2018. The hospital received a €400,000 fine from the Portuguese regulator, Comissão Nacional de Protecção de Dados (“CNPD”) for various breaches of the GDPR.

The hospital was fined for the following three violations of the GDPR:

  1. Breach of the data minimisation principle;
  2. Breach of the integrity and confidentiality principle; and
  3. The failure to ensure the ongoing security of processing under Article 32 of the GDPR.

For breaches of the data protection principles, a maximum fine of €20,000,000 or 4% of global turnover, whichever is higher, may be imposed. However, the maximum fine for the third violation is €10,000,000 or 2% of global turnover, whichever is higher. Continue Reading

Illinois Supreme Court Decides Actual Harm Not Necessary to Sue under BIPA

On January 25, 2019, the Illinois Supreme Court ruled that a consumer need not demonstrate an adverse effect or specific harm, such as evidence that personal information was stolen or misused, to have standing to sue under the state’s Biometric Identity Protection Act (BIPA). The court held that a procedural violation of the law itself is sufficient to support a private right of action under BIPA. The court’s decision will give real teeth to the 200-plus BIPA actions already filed in Illinois – the only biometric law in the country with a private right of action – and we are likely to see a boost in lawsuits against private entities alleging procedural BIPA violations.

In Rosenbach v. Six Flags (a more detailed explanation of the facts and previous inter-district split is provided in a previous blog post), the Court held that Rosenbach’s son can be considered an “aggrieved person” under BIPA based simply on the fact that his fingerprint was taken (for a season pass to Six Flags) without the required written consent. The Illinois Supreme Court opined that even a “technical” breach prevents an individual from maintaining his/her biometric privacy, which the court considers a “real and significant” injury to one’s “statutory right[].”

Continue Reading