Tag Archives: GDPR

Deeper Dive: GDPR a Game-Changer for Data Breach Notification

When the EU General Data Protection Regulation (GDPR) took effect on May 25, 2018, it dramatically changed the way multinationals manage the reporting of personal data breaches. It also substantially raised the stakes: Entities found to have violated the GDPR’s data security and breach reporting obligations could face much steeper regulatory fines than those available … Continue Reading

Washington Privacy Act Clears Senate

On March 6, SB 5376, the Washington Privacy Act, passed the Washington Senate in an overwhelming 46-1 vote (with two members excused). Prior to its passage, the Senate adopted important revisions and clarifications that would provide important relief for businesses from some of the more onerous provisions of the legislation. As we reported in our … Continue Reading

EU Regulators Increase Focus on Cookie Practices

In the absence of cookies-related guidance and enforcement by regulators against ordinary website publishers and operators, many e-commerce sites, online publishers and other website operators have taken a “wait and see” approach with respect to implementing GDPR-compliant cookies consent procedures. Recent cookies-related regulatory guidance, however, from the Dutch data protection authority, Autoriteit Persoonsgegevens (“Dutch DPA”), … Continue Reading

Washington State Proposes Sweeping Privacy Legislation

On Jan. 17, 2019, a new privacy law was proposed in the Washington state Senate. If passed, the Washington Privacy Act would impose far-reaching responsibilities on companies to protect the privacy of “personal data.” Lifting many provisions almost entirely from the text of the European Union’s General Data Protection Regulation (GDPR), the legislation would arguably … Continue Reading

“No Deal” Brexit May Bring Practical Problems for Privacy and Data Protection

With a “No Deal” Brexit seeming more likely than ever after the UK Parliament voted down a proposed deal in January 2019, concerns are rapidly multiplying about the effects of such a withdrawal from the EU for organizations doing business in the UK, and how those organizations will address numerous practical issues, privacy and data … Continue Reading

Racing to Meet the 72-hour Deadline to Report a Personal Data Breach in the EU? A GDPR Resource Is Available

Companies face substantial challenges in complying with breach notification requirements under Article 33 of the General Data Protection Regulation (GDPR). Article 33 requires a data controller to report a personal data breach to European Union (EU) supervisory authorities within 72 hours of becoming aware of the breach if it is likely to result in a … Continue Reading

Advocate General Opinion Supports Limiting the “Right to be Forgotten” to the EU

On January 10, Advocate General Maciej Szpunar released an opinion recommending that Google and other search engines should not be forced to apply the EU’s “right to be forgotten” beyond the EU. The advocates general assist the judges of the Court of Justice of the European Union (CJEU), providing independent legal solutions to issues presented … Continue Reading

NFA’s Amended Cybersecurity Guidance Includes New Incident Reporting Requirement

Following other regulators, the National Futures Association (NFA) recently amended its cybersecurity guidance to, among other things, impose a new cybersecurity incident reporting requirement on members. Cybersecurity Incident Reporting. According to the amended guidance, members will be required to report to NFA any cybersecurity incident related to the member’s commodity interest business that resulted in … Continue Reading

Privacy Shield Update: Commission Report, Ombudsperson Deadline, Brexit Guidance

The end of 2018 saw heightened activity surrounding the EU-U.S. Privacy Shield Framework. This blog post provides a news roundup on the following developments: • The European Commission’s (the “Commission”) December 19th report (the “Report”) summarizing the second annual joint review that was held in October 2018. • The Report’s February 28, 2019 deadline for … Continue Reading

New FTC Provides Insights Into Its Plan for a Balanced Approach to Data Privacy and Security

This year brought unprecedented focus on consumer privacy – the rollout of the European Union General Data Protection Regulation (GDPR), the Cambridge Analytica controversy and Congressional hearings, a GDPR-light law coming out of California, more and bigger security incidents, and multiple proposals for an omnibus federal data protection law. The Federal Trade Commission (FTC or … Continue Reading

New Guidance on GDPR Data Processing Contracts Published by the UK ICO

The U.K. Information Commissioner’s Office (ICO) recently published guidance on contracts between controllers and processors. This new guidance provides a more in-depth and detailed discussion of the key issues than did a previously released primer published by the ICO, which set out key points along with helpful checklists. The new guidance discusses (1) when a … Continue Reading

The Weekly Privacy Rewind

GDPR: European Regulators Fine Uber Over 2016 Data Breach • British and Dutch privacy regulators issued fines totaling approximately $1.2 million against ride-hailing company Uber over its 2016 data breach. • According to the U.K.’s Information Commissioner’s Office, “a series of avoidable data security flaws” led to the exposure of personal information of approximately 2.7 … Continue Reading

Cookies and Consent Under the EU GDPR

According to a recent story published by The Register, the U.K. data privacy watchdog, the Information Commissioner’s Office (ICO) has issued a warning to the U.S.-based newspaper The Washington Post (WaPo) about obtaining consent under the EU General Data Protection Regulation (GDPR) and allowing its readers to switch off tracking and cookies. Article 6(1) of … Continue Reading

The Weekly Privacy Rewind

Class Actions: Pennsylvania Supreme Court Declares Employers Have Affirmative Duty to Protect Employee Personal Information • According to a recent opinion by the Pennsylvania Supreme Court, “an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.” • The putative … Continue Reading

EU-U.S. Privacy Shield Framework Joint Annual Review 2.0

As we previously reported here, the Federal Trade Commission (FTC) announced several enforcement actions in late 2017, on the eve of the first annual joint EU-U.S. review of the Privacy Shield Framework. Now the second annual review of the EU-U.S. Privacy Shield Framework is underway, and the FTC has announced several new enforcement actions, which … Continue Reading

GDPR Spurring Legal Reforms in South America With New Legislation in Brazil

As organizations continue to grapple with the requirements of the EU General Data Protection Regulation (GDPR) even months after its effective date, one thing is clear: The impact of the regulation extends far beyond an organization’s European operations. The global effects of the GDPR are even more apparent when one surveys new and proposed data … Continue Reading

The Weekly Privacy Rewind

BIPA: Medline and Con Tech Lighting Latest Illinois Employers Hit With Claims under BIPA • Two Illinois employers, Con Tech Lighting and Medline Industries, are the latest to face claims alleging violations of Illinois’ Biometric Information Privacy Act. • In the Con Tech complaint, the named plaintiff, who is seeking class certification, alleges that she … Continue Reading

Not Too Early to Start to Prepare for New California Privacy Law

In late June, the California legislature signed into law Assembly Bill 375 (AB 375) as the California Consumer Privacy Act of 2018 (CCPA), a privacy law, unprecedented in the U.S., that grants California residents a broad range of European-like rights when it comes to their personal information (PI), effective Jan. 1, 2020. To be able … Continue Reading

The Weekly Privacy Rewind

Canada: Canadian Banks Notify 90,000 Following Breach • Bank of Montreal and Canadian Imperial Bank of Commerce announced that they were contacted by hackers and informed that nearly 90,000 customers’ personal information was accessed. • The banks will notify customers of the breach and indicate they believe they have fixed the vulnerabilities that led to … Continue Reading

Canadian Breach Notification Requirements Take Effect November 1

On April 18, 2018, the Canadian government published long-awaited Breach of Security Safeguards Regulations specifying the requirements for notifying the Office of the Privacy Commissioner and affected individuals of data breaches that pose a “real risk of significant harm.” The Regulations will come into force on November 1. As we previously reported, the Digital Privacy Act, … Continue Reading

The Weekly Privacy Rewind

Class Actions: Facebook Cannot Evade Suit Under Illinois’ Biometric Information Privacy Act Even Where No Proof of Harm • In separate rulings handed down last week in the Northern District of California, the court refused to dismiss a case against Facebook under Illinois’ Biometric Information Privacy Act (BIPA) on Article III standing grounds. • According … Continue Reading

Clock Ticking, European Commission Launches GDPR Implementation Guidance Website

With only four months remaining until the EU General Data Protection Regulation takes effect on May 25, 2018, the European Commission has launched a new website offering guidance on requirements and implementation targeted at an array of stakeholders including Member State governments, businesses, data subjects, and other entities whose operations or data processing activities will … Continue Reading

Privacy Shield Update: Ahead of First Joint Review, Europeans Remain Skeptical as FTC Announces Enforcement Actions

On September 8, 2017, the Federal Trade Commission (FTC) announced enforcement actions against three companies alleged to have falsely claimed participation in the EU-U.S. Privacy Shield Framework. The move follows several months of uncertainty surrounding the Framework’s future as EU officials and privacy advocates have questioned its efficacy and validity in the run-up to the … Continue Reading

Deeper Dive: Security Incident Notification Under the New EU General Data Protection Regulation (GDPR)

As noted in the 2017 BakerHostetler Data Security Incident Response Report, the enactment of the EU General Data Protection Regulation (GDPR) represents the most significant change in European data protection law in more than 20 years. Coming into effect on May 25, 2018, the GDPR focuses on a number of core data protection principles and … Continue Reading