In encouraging news for UK-based organizations involved in the processing of personal data, the European Data Protection Board (EDPB) has adopted two Opinions on the draft UK adequacy decisions which, if approved, would allow the transfer of personal data from the European Economic Area (EEA) to the UK to continue freely.

The first Opinion (Opinion 14/2021) relates to the GDPR and considers general data protection issues and also government access to personal data transferred from the EEA for national security and law enforcement purposes set out in the draft adequacy decision. The second Opinion (Opinion 15/2021) relates to the Law Enforcement Directive (LED) and considers various issues.

Data, privacy & cybersecurity partner and co-chair Edward McNicholas (Washington, D.C.) presented at the Cybersecurity Docket Incident Response Forum Masterclass 2021 “Incident Response – State of Play” virtual panel on April 8. The event was geared to legal and compliance professionals who are critical during the aftermath of a data security incident.

Ed and the panelists addressed topics including current industry trends, cybersecurity insurance markets, cybersecurity certifications, threat containment as well as ransomware risks, economics and enforcement.

With a rise in the scale of ransomware attacks, increased ransom demands, the emergence of public data-shaming, and recent military cyber attacks on privacy companies, Ed suggested the development of a global cyber war “Geneva Convention” to address the growth in threats.

The proposed Washington Privacy Act (WPA) continues to move forward with new enforcement provisions, including a limited private right of action. The Washington House Committee on Civil Rights and Judiciary narrowly approved the so-called “striker” amendment, which would enable state residents to sue companies for injunctive relief over alleged violations but does not allow suits for monetary damages. The bill had already passed in the Washington Senate by a vote of 48-1.

Thursday, in a unanimous decision, the Supreme Court narrowed the potential scope of the Telephone Consumer Protection Act (“TCPA”), which has been fertile ground for plaintiffs’ attorneys seeking class-wide damages. Justice Sotomayor wrote the opinion in Facebook v. Duguid, which found that for telephone dialing equipment to constitute an “automatic telephone dialing system” (“ATDS”) under the TCPA, “a device must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator.” The upshot of this distinction is that computer systems that simply store phone numbers, not generated randomly or sequentially, for later dialing are not an ATDS.

The Supreme Court heard arguments Tuesday morning, March 30, regarding class certification related to Article III standing in TransUnion v. Ramirez, where only 25% of a certified class suffered injury. In its briefing and in yesterday’s arguments, TransUnion argued that class certification should only apply where every class member has standing and the lead plaintiff does not allege atypical injuries.

The California Attorney General’s Office of Administrative Law has approved additional amendments to the California Consumer Privacy Act (CCPA) regulations, which went into effect March 15, 2021. A preliminary version of these new regulations was initially to be submitted as part of the CCPA regulations that went into effect on August 14, 2020, but was ultimately removed from that set of regulations. Instead, these four new regulations were pulled from the proposal at the last minute and were not submitted for review, only to be reintroduced in October 2020.

On March 2, 2021, Virginia Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law without further amendments. Virginia now joins California as the second U.S. state to enact comprehensive privacy legislation. The CDPA will come into effect January 1, 2023, simultaneously with California’s Consumer Privacy Rights Act (CPRA). While similar, the laws reflect somewhat differing approaches to a consumer data law, and covered businesses should begin preparing compliance strategies now. In particular, the new Virginia law may well presage movement in other states, such as Washington, New York, etc., or perhaps movement on a federal privacy law. In light of these developments, many clients are shifting away from jurisdiction-specific policies and towards a rationalized national or global approach to privacy and data protection – with local variations as appropriate.

An interesting article in today’s FT on the need to update the GDPR will not be welcomed by those who toiled with compliance programs, policy updates and the preparation of records of processing less than three years ago.

It is reported that German MEP Axel Voss, a driving force behind the GDPR, recognizes that the GDPR is not sufficiently nuanced for some of today’s challenges including blockchain, facial or voice recognition, text and data mining. The COVID pandemic and the shift to remote working have also created unexpected issues, including the technical challenges of compliance by organizations with a remote workforce using software that authenticates them for a host of services with a single login or monitors what they do online.

The UK Information Commissioner (ICO) has launched a new toolkit for organizations which are planning to use personal data for data analytics as part of the ICO’s priority work on artificial intelligence (AI).

The toolkit outlines some important personal data protection considerations which organizations should take into account at the beginning of any scheme involving such personal data processing and follows the ICO’s recent publications ‘Explaining decisions made with AI’ and ‘Guidance on AI and data protection’.

The debate surrounding vaccine passports to assist with the easing of lockdown restrictions and controlling the spread of COVID-19 continues to raise a number of concerns in the UK.

Although the use of such passports is apparently under consideration, such proposals raise a number of different ethical, scientific and legal issues. A recent Royal Society report sounded a note of caution, suggesting that 12 tests should be met by any such proposal. Among other things, vaccine passports would need to meet various ethical and legal standards, including in respect of data protection.