Blockchain and GDPR – Many Open Questions to be Addressed and Solved!

Blockchain involves various computers located in different states around the world, so the relevant jurisdictions and applicable laws are uncertain and presumably not known to the parties using blockchain technology.

In principle, a blockchain is a distributed ledger that can be defined as a replicated, shared, and synchronized digital data structure maintained by a consensus algorithm and spread across multiple locations, countries, and/or institutions. In the blockchain, digitally recorded data are stored in packages called blocks, which are linked together in chronological order. It is technically very difficult to change the order of such blocks without changing the order of all subsequent blocks. Each block on the network contains a complete copy of the entire ledger, from the first block created to the most recent block, and each block contains a hash pointer as a link to a previous block, a timestamp and transaction data.

WP29 Publishes Draft Guidelines on Consent

On 12 December 2017, Article 29 Working Party (WP29) published its long-awaited draft guidelines on consent under the GDPR. The guidelines build on WP29’s ‘Opinion on the definition of consent’, adopted in July 2011. As with the draft guidance on transparency, published the same day, WP29 invites comments to be submitted by 23 January 2018.

The guidelines state that, generally, in order to use consent as an appropriate lawful basis, the data subject should be offered control and genuine choice when it comes to accepting or declining the terms of processing. The guidelines are broken down into various sections. These sections analyse the different parts of the wording of Article 4(11) of the GDPR, which defines consent, and look into whether controllers need to amend their consent forms in order to comply with the GDPR.

Proposed e-Privacy Regulation in Trilogue Phase Making May 2018 Enforcement Unlikely

Nearly a year ago, on 10 January 2017, the EU Commission released the proposed ePrivacy Regulation (ePR). The three main areas covered by the legislation are the use of electronic communications data by telecommunications operators and other specified entities, the use of tracking applications, and unsolicited direct marketing communications.

The ePR aims to ensure a coherent, up-to-date framework capable of balancing economic interests and the privacy rights of natural persons reflected in Article 7 of the EU Charter of Fundamental Rights (CFR). Concerns have arisen from many quarters, however, that the proposed ePR is too prescriptive in some respects and too ambiguous in others, including with respect to the way in which the ePR will interoperate with the GDPR and the draft EU Electronic Communications Code.

Increased Recognition to Improve Cybersecurity in Healthcare Sector

There is an increasing recognition of the need to improve cybersecurity in the healthcare sector (particularly relating to medical devices). For example, the Chairman of the House of Representatives’ Committee on Energy and Commerce recently asked HHS in a formal letter to “develop a plan of action for creating, deploying, and leveraging [bill of materials] for health care technologies,” which refers to the process of listing out medical device components (including software) and any known risks. The request comes on the heels of similar recommendations in the Health Care Industry Cybersecurity Task Force report and concerns raised by the WannaCry and NotPetya ransomware attacks (which we have covered previously). For more information about this development, check out the blog article written by Sarah Stec and me on our sister health care blog, Triage.

While Ninth Circuit Finds No Additional Harm Required for Standing Under the VPPA, It Applies a Narrow Reading of What Constitutes PII Under the VPPA

In Eichenberger v. ESPN, Case No. 15-35499 (Nov. 29, 2017), the United States Court of Appeals for the Ninth Circuit affirmed the district court judgment holding that the serial numbers on a consumer’s video streaming device and the titles of the videos an individual watches do not constitute personally identifiable information (PII) under the Video Privacy Protection Act of 1988 (VPPA)—even if a third party has additional information that when coupled with the shared information can identify the individual.

CNIL Makes Recommendations on “Bad Debtor Data Bases”

It is common for a company to create an exclusion file that allows it to identify “bad debtors” and exclude them from all future transactions.

The Commission nationale de l’informatique et des libertés (“CNIL”) published on 13 November the following recommendations for this type of data base.

Independent Bank Class Action Alleges Specific Equifax Security Failures, Actual Harm and the Threat of Future Harm

In another lawsuit against Equifax, the Independent Community Bankers of America (ICBA), on behalf of thousands of community banks, seeks to hold Equifax accountable for the July 2017 data breach that potentially affected more than 145.5 million consumers. ICBA, along with Bank of Zachary and First State Bank, filed the class action last week in the U.S. District Court for the Northern District of Georgia.

In analogous litigation, two open issues exist:

(1) First, whether alleging the threat of future harm – as opposed to alleging actual harm suffered – is sufficient to establish Article III standing, and

(2) Whether plaintiffs allege defendants’ acts or omissions with sufficient specificity.