Organizations that fail to implement appropriate technical and organizational security measures to protect personal data, and suffer personal data breaches as a result, may increasingly find themselves facing the double whammy of both enforcement action by the UK Information Commissioner’s Office (ICO) (which can include significant financial penalties) and potentially also group-style legal actions brought by data subjects.

British Airways, which suffered a cyber incident that is believed to have started in June 2018 and led to a personal data breach involving almost 500,000 of its customers, has found itself on the receiving end of such an action.
Continue Reading UK Group-Style Data Breach Actions

On 17 December 2020, the UK Information Commissioner’s Office (ICO) published its new Data Sharing Code of Practice, as required under the Data Protection Act 2018 (DPA18).

The new Code provides practical guidance for controllers that share personal data with other controllers on how to ensure that data sharing complies with applicable data protection requirements. The new Code is a statutory code and updates the ICO’s previous data sharing code, which was published in 2011. The ICO has also instigated a new data sharing information hub which provides further support for organizations involved in data sharing.
Continue Reading UK Information Commissioner Publishes New Data Sharing Code of Practice

On March 6, 2020, the China Standardization Administration and the State Administration for Market Regulation jointly released an updated version of the Personal Information Security Specification (the “Specification”), which will become effective on October 1, 2020.[1] The updated Specification revises the current Specification[2] that has been in effect since May 1, 2018. It is the result of a revision effort by the Specification’s drafters that included a series of interim drafts published for public comment on January 30, 2019, June 21, 2019, and most recently, on October 22, 2019, in order to address certain loopholes and practices leading to excessive collection of personal information.
Continue Reading China Updates its Personal Information Security Specification

Latin American privacy laws may pose special challenges for businesses considering when and how to reopen their facilities during the coronavirus pandemic. As elsewhere, many companies operating in Latin America may decide to screen employees for their COVID-19 risk-levels before allowing them to enter a shared workspace. Already in place in many European and Asian countries, screening options primarily involve contact tracing or temperature checks. As they focus on health and safety, however, companies should also bear in mind a potentially competing interest: protecting employees’ privacy.
Continue Reading Returning to the Office – Data Privacy Concerns for Companies in Latin America

This article appeared in Law360 on May 14, 2020. A group of Republican senators has introduced a new privacy bill that would impose strict privacy obligations on contact tracing apps operated by entities not subject to the Health Insurance Portability and Accountability Act.

Most notably, the COVID-19 Consumer Data Protection Act would obligate such entities to obtain express affirmative consent from individual consumers before using their geolocation, proximity or personal health data.
Continue Reading Pandemic-Related Privacy Bill May Be Unconstitutional

The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Despite requests made by multiple trade associations for a delay in the enforcement of the CCPA due to COVID-19, the California Attorney General’s office has declined to delay enforcement, which is set to begin July 1, despite the AG’s failure to release final regulations.

The AG’s office first released proposed regulations in October 2019; our summary of the draft regulations can be found here. After the new year, the AG released two sets of modifications to the draft regulations on February 10 and March 11. At a privacy and data security conference last week, a staff member from the California state legislature commented that, due to the pressures and working circumstances created by COVID-19, the most recent version of the regulations, published March 11, is likely to be the version used for enforcement beginning in July. Significantly, the office rejected suggestions that the regulations be delayed because corporations are experiencing these same COVID-19 pressures.
Continue Reading CCPA Regulations Are Likely Final

On May 6, Ropes & Gray, Mass Insight Global Partnerships and the university-industry partners co-hosted a briefing and discussion of the powerful opportunities to accelerate data partnerships to respond to the COVID-19 pandemic and related financial and economic crises – and the long-term impact of these data collaborations on the way we do business. The

The Opinion of Advocate-General (AG) Henrik Saugmandsgaard Øe in the “Schrems II” case (C-311-18) was delivered on 19 December and will likely leave organisations that currently rely on EC Commission-approved standard contractual clauses to ensure adequate protection for personal data that they transfer internationally heaving a collective sigh of relief, at least for the moment.
Continue Reading Schrems II and Standard Contractual Clauses – the Advocate-General’s Opinion

The California Consumer Privacy Act (CCPA) inspired legislators in several other states to attempt to pass similar legislation aimed at protecting the privacy rights of consumers. As the legislative calendars for most of those states wound to a close before the recent election, this Alert reviews those bills as a preview of what we should expect in the next legislative session, particularly as several states will be returning a more progressive assembly.
Continue Reading New State Bills Inspired by the California Consumer Privacy Act May Re-appear Next Year

On October 11, 2019, Governor Gavin Newsom signed into law five bills that directly amend the California Consumer Privacy Act (the “CCPA”) – AB 25, AB 874, AB 1146, AB 1355 and AB 1564. In addition, Governor Newsom signed two other bills related to data privacy, AB 1202 and AB 1130. The Governor’s signature came the day after California Attorney General Xavier Becerra released proposed regulations governing compliance with the CCPA. Ropes & Gray’s recent Alert describing the proposed regulations is available here.
Continue Reading California Governor Signs CCPA Amendments and Other Data Privacy-Related Bills into Law