Privacy/Data Protection

Security may not be the first word that comes to mind when thinking about GDPR and UK GDPR compliance, but recent matters indicate it should certainly be near the top of any compliance checklist.

Security of personal data is fundamental to every organization, and its significance scales depending on the type of data processing that takes place. Of the penalties issued for data protection infractions across the EU and UK in 2022 so far, over 70 include security, which is almost 20% of the total fines issued. Specifically, these fines were issued due to a breach of Article 32 of the GDPR/UK GDPR: failing to have appropriate technical and organizational measures in place to protect personal data. A breach of Article 32 of the GDPR or UK GDPR technically only attracts the “standard maximum” fine of €10/£8.7 million or 2% of global annual turnover, however the offence is often coupled with other transgressions, which has led to fines over €20 million.

Continue Reading Data Protection: The Increasing GDPR/ UK GDPR Focus on Security

Artificial intelligence-enabled technology tools are capable of dissecting large quantities of data faster than ever before and in some cases, in real time. However, the increasingly widespread use of AI challenges regulators to balance the benefits of innovation while protecting patient safety, health and privacy rights. An Intellectual Property & Technology Law Journal article on

If 2022 has been any indication, the innovations of Web3—the developing, largely decentralized, autonomous internet, enabled by technologies such as blockchain, smart contracts, decentralized autonomous organizations (DAOs), and digital assets—will lead to an era of rethinking the ways that privacy, cybersecurity, and consumer protection are regulated for these technologies. Proponents of Web3 argue that Web3 will promote individual data ownership, transparency, and freedom, but over the last few years, lawmakers have struggled to keep up with the rapidly changing nature of the Web3 space and force the new technology to fit within the existing legal framework.

This year, however, authorities have called for a more harmonized approach to Web3 regulation. Several recent developments—including Executive Orders from President Biden and California Governor Gavin Newsom, invocation of a long-dormant statutory provision by the Consumer Financial Protection Bureau (CFPB), and proposed amendments to the Cybersecurity Information Sharing Act—have signaled that lawmakers and regulators are prioritizing new approaches to privacy, cybersecurity, and consumer protection in an attempt to regulate Web3.

Continue Reading Privacy, Cybersecurity, and Consumer Protection Are Set To Be Key Focus Areas For Regulators As Web3 Innovation Continues

On 30 September 2022, the Court of Justice of the European Union (CJEU) handed down two judgments in which it ruled, respectively, that Germany’s and France’s data retention laws are incompatible with EU law.

In Joined Cases C‑793/19 and C‑794/19 SpaceNet AG and Telekom Deutschland GmbH (EU:C:2022:702), the CJEU ruled that EU law precludes the general and indiscriminate retention of traffic and location data, except in the case of a serious threat to national security.  It also confirmed, however, that to combat serious crime, Member States may, in strict compliance with the principle of proportionality, provide for the targeted or expedited retention of such data and the general and indiscriminate retention of IP addresses.

Continue Reading EU Data Retention: When Member States Get It Wrong

On June 24, 2022, the U.S. Supreme Court issued its ruling in Dobbs v. Jackson Women’s Health Organization, overturning Roe v. Wade and holding that there is no constitutionally protected right to abortion. The significance of the decision cannot be overstated. Dobbs not only rolled back the Court’s prior protection of reproductive rights, it also raised still-unanswered questions about the privacy of digital data and could lead to the overturning of other previous Court opinions that are similarly grounded in privacy interests. In sparking such questions, Dobbs appears to have reinvigorated a national conversation regarding the protection of personal information and, more generally, the need for stronger data privacy safeguards in the United States.

Continue Reading Four Months after Dobbs, Privacy Concerns Remain in the Spotlight

On 7 October 2022, the White House issued an Executive Order, as well as an accompanying Fact Sheet, which sets out the foundations for the Transatlantic Data Privacy Framework (“Framework”).

Since the decision of the Court of Justice of the European Uon (“CJEU”) in the Schrems II case in mid-2020, organizations have not

Since the joint announcement by US President Joe Biden and European Commission President Ursula von de Leyen, on 25 March 2022, of an agreement in principle on the long-awaited replacement to the EU-US Privacy Shield, transatlantic data flows have again become the focus of GDPR discussions. The lack of details provided to date has, however, resulted in many organisations (and legal commentators alike) wondering where this leaves them.

Should US organisations prepare for certification to yet another incarnation of the Safe Harbor (which will almost certainly be subject to prompt legal challenge in the form of Schrems III)? Should organisations subject to the GDPR continue with their transfer impact assessments and the uncertainty of the standard contractual clauses (“SCCs”) when transferring personal data to the US? Will the new safeguards have any impact on the SCCs at all? And how will this affect transfers to the US from the UK or other non-EU jurisdictions?

Representatives of the US Government and the European Commission recently provided some much-needed context, including further details around the timing of the replacement framework and of the potential shape of the new redress mechanism. Their comments offer some hints about the UK’s approach to transatlantic and other international data flows.

Continue Reading Transatlantic Data Flows – Where Are We Now?

In a unanimous decision issued on February 3, 2022, the Illinois Supreme Court held in McDonald v. Symphony Bronzeville Park that the Illinois State Workers’ Compensation Act (“WCA”) did not bar claims under the Illinois’ Biometric Information Privacy Act (“BIPA”). In doing so, the court eliminated one significant defense commonly raised in such cases, since many BIPA class actions are brought in the context of employment (many of which were stayed pending the decision in McDonald). Critically, though, the decision does not preclude other potential defenses including claims of federal preemption.

BIPA is one of the most actively litigated privacy statutes in the United States. Among other things, it requires that businesses obtain consent prior to collecting biometric information (fingerprints, facial geometry information, iris scans and the like), issue a publicly available data retention policy, and refrain from certain data sales and disclosures. Because BIPA provides for a private right of action along with statutory damages of $1,000 to $5,000 per violation, it has proved fertile ground for the plaintiff’s bar.

Continue Reading Illinois Supreme Court Finds Illinois Biometric Information Privacy Act Not Preempted By State Workers’ Compensation Law

As 2021 comes to a close, it is a great time to take stock of the present state of affairs with respect to U.S. privacy laws. With the relatively recent passage of comprehensive privacy laws in California, and additional countries adopting laws that closely follow the principles of the EU’s General Data Protection Regulation (GDPR), along with increasing public concerns regarding how companies manage customers’ personal data, legal practitioners entered 2021 with high hopes that comprehensive federal privacy legislation may finally be on the horizon. Nevertheless, in a trend that is likely to continue in the year ahead, it was the states rather than federal legislatures that successfully added to the ranks of privacy laws with which businesses will soon need to comply.

Continue Reading Momentum Builds for State Privacy Laws but the Possibility of a Federal Law Remains Remote

2021 was a busy year for data protection law in China. On June 10, 2021, the Standing Committee of the National People’s Congress of the People’s Republic of China adopted the Data Security Law (DSL), which went into effect on September 1, 2021. On August 20, 2021, the Standing Committee of the National People’s Congress enacted the Personal Information Protection Law (PIPL), which went into effect just last month, in November 2021. The DSL applies broadly to processing of all data, not just personal information or electronic data and expands on the provisions from China’s Cybersecurity Law, which was enacted in 2016. In contrast, the PIPL applies only to the processing of personal information and has been compared to Europe’s General Data Protection Regulation (GDPR), although that comparison may obscure the contours of China’s law more than it enlightens.

Consistent with the course of Chinese administrative law, the laws’ key terms, analyses, and processes will continue to be fleshed out and perhaps materially enhanced or diminished in a series of regulations, measures, standards, and guidance documents. The latest draft measures on cross-border transfers, which are being closely watched by organizations contemplating cross border data transfers, were published at the end of October, and comments were accepted through November. We expect China to continue finalizing the laws’ terms and measures in 2022.

Continue Reading What China’s New Data Laws Could Mean for 2022