New Guidance on GDPR Data Processing Contracts Published by the UK ICO

The U.K. Information Commissioner’s Office (ICO) recently published guidance on contracts between controllers and processors. This new guidance provides a more in-depth and detailed discussion of the key issues than did a previously released primer published by the ICO, which set out key points along with helpful checklists.

The new guidance discusses (1) when a contract is needed and why, (2) specifically what terms need to be included in the contract, (3) the responsibilities and liabilities of controllers when using a processor, and (4) the responsibilities and liabilities of processors.

Continue Reading

Controversial Australian Encryption Act Denounced by Privacy and Cryptography Advocates

Last week, Australia’s parliament passed a controversial act that will enable law enforcement and intelligence agencies to compel access to encrypted communications. In an explanatory memorandum, the Australian Parliament stated that the new act, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, is intended to combat “the challenges posed by ubiquitous encryption.” Under the act, certain law enforcement and intelligence agencies will be able to approach “designated communication providers,” using one of the mechanisms below, for the purpose of gaining access to specific users’ encrypted messages and data.

Continue Reading

The Weekly Privacy Rewind

California Consumer Protection Act

Privacy Groups Urge California Lawmakers Not to Weaken California Consumer Privacy Act

• A variety of privacy groups, including the Electronic Frontier Foundation, the Digital Privacy Alliance and the Center for Digital Democracy, sent a letter to California lawmakers asking them not to “push[] California backward” when it comes to privacy rights and to continue amending the California Consumer Privacy Act (the CCPA) for the better.

• Touting California’s lead on consumer protection, the privacy groups suggested a variety of improvements to the CCPA, including defining and reining in data misuse and abuse, ensuring appropriate security protections for personal information, and providing meaningful redress to individuals, including by expanding the CCPA’s private right of action.

Continue Reading

The Weekly Privacy Rewind


European Regulators Fine Uber Over 2016 Data Breach

• British and Dutch privacy regulators issued fines totaling approximately $1.2 million against ride-hailing company Uber over its 2016 data breach.

• According to the U.K.’s Information Commissioner’s Office, “a series of avoidable data security flaws” led to the exposure of personal information of approximately 2.7 million British Uber users, prompting a fine of £385,000.

• Similarly, the Dutch Data Protection Authority (DPA) fined the company €600,000 for the breach, predominantly for not reporting the breach to the DPA and data subjects within 72 hours.

Continue Reading

HHS OIG Launches Cybersecurity Webpage to Raise Awareness and Boost Cybersecurity Best Practices

Healthcare data can be up to 10 times more valuable to cyber criminals than credit card numbers, according to a report from the Department of Health & Human Services’ (HHS) Office of the Inspector General (OIG). And, with healthcare-focused ransomware attacks like WannaCry and NotPetya in the news more frequently, it’s no wonder that HHS OIG has identified cybersecurity threats as a top management challenge for 2018. “Cybersecurity incidents and breaches pose a significant risk to the confidentiality, integrity, and availability of sensitive data. This could cause a myriad of problems, including placing the health and safety of patients at risk,” OIG’s Top Management and Performance Challenges Facing HHS report warned. HHS wants stakeholders to understand the importance of protecting healthcare data and to focus on initiatives that eradicate inadequacies found in access controls, patch management, configuration management, data encryption, and website security. See OCR’s October 2018 Cybersecurity Newsletter.

Continue Reading

Cookies and Consent Under the EU GDPR

According to a recent story published by The Register, the U.K. data privacy watchdog, the Information Commissioner’s Office (ICO) has issued a warning to the U.S.-based newspaper The Washington Post (WaPo) about obtaining consent under the EU General Data Protection Regulation (GDPR) and allowing its readers to switch off tracking and cookies.

Article 6(1) of the GDPR provides, in part, “[p]rocessing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.” Article 7(4) states: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” Continue Reading

The CLOUD Act and the Warrant Canaries That (Sometimes) Live There

The Clarifying Lawful Overseas Use of Data Act (Pub. L. No. 115-141 (2018), or the CLOUD Act, was enacted in the U.S. on March 23, 2018, in response to difficulties U.S. law enforcement agencies (LEAs) had when attempting to gain access to data held by cloud service providers through Stored Communication Act (SCA) warrants, as the SCA did not contemplate cloud computing when it was enacted into law; likewise, LEAs were also forced to utilize U.S. Senate-approved mutual legal-assistance treaties (T.I.A.S. No. 10-201 or MLATs) or letters rogatory to access data stored overseas. Read more >>

The Weekly Privacy Rewind

Class Actions

Pennsylvania Supreme Court Declares Employers Have Affirmative Duty to Protect Employee Personal Information

• According to a recent opinion by the Pennsylvania Supreme Court, “an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.”

• The putative class action stems from a 2014 data breach that exposed personal information of 62,000 employees and former employees of the University of Pittsburgh Medical Center. According to the original complaint, the data, which included names, birth dates, Social Security numbers, addresses, tax forms and bank account information, was used to file fraudulent tax returns on behalf of some of the employees. Continue Reading

EU-U.S. Privacy Shield Framework Joint Annual Review 2.0

As we previously reported here, the Federal Trade Commission (FTC) announced several enforcement actions in late 2017, on the eve of the first annual joint EU-U.S. review of the Privacy Shield Framework. Now the second annual review of the EU-U.S. Privacy Shield Framework is underway, and the FTC has announced several new enforcement actions, which are meant to highlight the importance of the framework and reaffirm the U.S.’s commitment to strong privacy enforcement.

Continue Reading

GDPR Spurring Legal Reforms in South America With New Legislation in Brazil

As organizations continue to grapple with the requirements of the EU General Data Protection Regulation (GDPR) even months after its effective date, one thing is clear: The impact of the regulation extends far beyond an organization’s European operations. The global effects of the GDPR are even more apparent when one surveys new and proposed data protection legislation around the world. On Aug. 14, 2018, Brazil signed into law the Lei Geral de Proteção de Dados Pessoais (LGPD), the first omnibus privacy law in the nation’s history. The law, which is set to take effect on Feb. 16, 2020, is very similar to the GDPR, including in its expansive definition of personal data and its strong emphasis on both the rights of data subjects and the requirement of lawful bases of processing of personal data.

Continue Reading