remote workThe UK Information Commissioner (ICO) has launched a new toolkit for organizations which are planning to use personal data for data analytics as part of the ICO’s priority work on artificial intelligence (AI).

The toolkit outlines some important personal data protection considerations which organizations should take into account at the beginning of any scheme involving such personal data processing and follows the ICO’s recent publications ‘Explaining decisions made with AI’ and ‘Guidance on AI and data protection’. Continue Reading UK Information Commissioner Launches Data Analytics Toolkit

The debate surrounding vaccine passports to assist with the easing of lockdown restrictions and controlling the spread of COVID-19 continues to raise a number of concerns in the UK.

Although the use of such passports is apparently under consideration, such proposals raise a number of different ethical, scientific and legal issues. A recent Royal Society report sounded a note of caution, suggesting that 12 tests should be met by any such proposal. Among other things, vaccine passports would need to meet various ethical and legal standards, including in respect of data protection. Continue Reading Possible Use of COVID Vaccine Passports Raises Data Protection Concerns

Cyber SecurityThe recent High Court case of London Borough of Lambeth v A.M. offers a salutary lesson in the importance of properly redacting documents. This issue comes up more than you’d think – and certainly more than it should.

You’ll recall that, in the spirit of transparency, the European Commission recently publicized a heavily redacted version of its AstraZeneca COVID-19 vaccine contract. The problem was that the Commission had been too transparent – literally. All of the redacted content in the contract could be viewed by simply using the bookmark tool in Adobe Acrobat’s Reader. Redactio ad absurdum. Continue Reading When [Blank] Goes Wrong

On January 12, 2021, the U.S. District Court for the District of Columbia granted a motion to compel production of allegedly privileged cybersecurity documents in Guo Wengui v. Clark Hill, PLC, 1:19-cv-03195.  In doing so, the Court determined that the Defendant’s cybersecurity assessment was neither covered by work product protection nor attorney client privilege because the Defendant law firm would have investigated the breach in the same way as a business function.

Continue Reading DC District Court Requires Production of Cybersecurity Assessment Prepared at Direction of Outside Counsel

Since passage of the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), many states have proposed data protection bills that have floundered in the legislative process. Virginia, previously a dark horse in the race amongst US states to pass data protection legislation, is now poised to take the lead with the Virginia Consumer Data Protection Act (“CDPA”). Unlike bills that have repeatedly stalled in key states like Washington, the CDPA has progressed swiftly and easily in this now “trifecta Blue” Virginia, with the Virginia Senate passing a version of the bill on February 3, less than a week after the House passed a near-identical companion bill. If the governor signs the CDPA into law, the CDPA will take effect January 1, 2023, simultaneously with the CPRA.

Continue Reading Virginia Poised to Join California with Comprehensive Data Protection Framework

Cyber SecurityAs we stand at the beginning of 2021 and a new presidential administration, we look back on the year behind us. Hindsight is always 2020, and 2020 may be best viewed in hindsight.  We saw rapid changes in the privacy space, prompted in part by the global COVID-19 response. Infrastructure and services across multiple sectors continue to rely on data and digital platforms to function. Five prominent developments shaped the data privacy environment in 2020.

Continue Reading Privacy Year in Review: 2020’s Hottest Topics

GDPROrganizations which fail to implement appropriate technical and organizational security measures to protect personal data and suffer personal data breaches as a result, increasingly may find themselves facing the double whammy of both enforcement action by the UK Information Commissioner’s Office (ICO), (which can include significant financial penalties) and potentially also group-style legal actions brought by data subjects.

British Airways, which suffered a cyber incident that is believed to have started in June 2018 and led to a personal data breach involving almost 500,000 of its customers, has found itself on the receiving end of such an action.
Continue Reading UK Group-Style Data Breach Actions Continue

On December 8, 2020, the Supreme Court heard oral argument to consider the TCPA’s definition of an “automatic telephone dialer system” (ATDS) in Facebook, Inc. v. Duguid, Noah et al., Dkt. 19-511. The Supreme Court is tasked with interpreting the scope of liability under the TCPA, and its resolution may bring much needed clarity to companies struggling with the meaning of that definition, particularly in light of a current split among circuits on the question and the D.C. Circuit’s 2018 decision, ACA International v. Federal Trade Commission striking down the FCC’s own interpretation. Because the TCPA imposes significant statutory penalties for calling or sending text messages using an ATDS to cellphones in violation of the act, clarification of the meaning of an ATDS may help companies mitigate their risks and curtail potential TCPA class action lawsuits.

Continue Reading Supreme Court Reviews Definition of Auto-Dialer Under TCPA To Clarify Circuit Split

Many of the key policy debates that we expected to happen in 2020 seemed to be essentially frozen for the year as we all responded to the horrors of COVID and the seismic political shifts across the globe. So what does this new year hold for us? We hope for a return to normalcy as vaccinations spread across the globe, a new Administration takes the reins in DC, and the UK continues to negotiate the terms of a new relationship with the EU. Here are some of key areas in privacy and data protection where we anticipate potential developments in 2021. Continue Reading 21 Privacy and Cybersecurity Issues for 2021

Digital LockOn Friday, December 4, 2020, H.R. 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, was signed into law. The bipartisan bill was sponsored by Senators Mark Warner (D-VA) and Cory Gardner (R-CO) in the Senate and Representatives Robin Kelly (D-IL), and Will Hurd (R-TX) in the House. The new law will require IoT devices “owned or controlled” by the federal government to meet minimum security standards that address network vulnerabilities, and it may have significant implications for government contractors. It was introduced in response to a series of distributed denial of service (DDoS) attacks in 2016, in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, causing a severe disruption in commercial web services.

Continue Reading Meet the US’s New Federal IoT Cybersecurity Law