The Information Commissioner’s Officer ruled, on 3 July 2017, that the Royal Free NHS Foundation Trust had failed to comply with the Data Protection Act 1998 when it provided 1.6 million patient details to Google DeepMind as part of a trial diagnosis and detection system for acute kidney injury, and required the Trust to sign an undertaking. The investigation brings together some of the most potent and controversial issues in data privacy today; sensitive health information and its use by the public sector to develop solutions combined with innovative technology driven by a sophisticated global digital company. This analysis provides insight on the investigation into Google DeepMind with focus on how the General Data Protection Regulation may impact the use of patient data going forward.
According to the German Federal Labor Court, Germany’s highest court for employment disputes, German employers are not allowed to monitor employees in the workplace without a concrete suspicion of a criminal violation or, in some cases, a serious breach of duty. This means that employer monitoring of an employee’s computer usage without a concrete suspicion, including the use of keylogging software that records all keyboard entries made at a desktop computer does not comply with German data privacy laws. Courts may exclude evidence obtained under violation of German data privacy laws from their proceedings.
Please join us for our June 2017 Privacy and Cybersecurity Events.
Join us for a discussion of hot topics in Federal Trade Commission (FTC) and state consumer protection enforcement. Partners Bret Cohen, Meghan Rissmiller, and Steven Steinborn will cover recent developments and enforcement trends in data privacy/security, advertising/endorsements, and claim substantiation in practice before the FTC and state authorities.
Please join us for our March 2017 Privacy and Cybersecurity Events.
The Polish Data Protection Authority has just released its inspection plans for 2017. This year, the GIODO has decided to target its review of compliance with data protection laws on the health services sector, as well as on the consumer sector, with particular attention to certain profiling activities taking place in stores and shopping malls.
Please join us for our January 2017 Privacy and Cybersecurity Events.
The fourth annual Global Privacy Enforcement Network sweep, which focused on Internet of Things devices, found that privacy communications in relation to such devices were generally poor and companies demonstrating good practice were in the minority. Here, we summarize and explore the key findings of the fourth annual GPEN sweep .
Please join us for our October 2016 Privacy and Cybersecurity Events.
Not many people will remember this but in 2008, Richard Thomas, the former UK Information Commissioner caused a fairly dramatic stir in the privacy world – at least among policy makers and fellow regulators – by unashamedly proclaiming that European data protection law was outdated and ineffective to address the technological and privacy challenges of the 21st century. At first, this was regarded by some as an embarrassing admission that could not possibly be right. But only two years later, the European Commission started a process of wholesale legislative reform that culminated with the adoption of the EU General Data Protection Regulation in April 2016. We all know by now that the GDPR is the result of many political and regulatory compromises caused by the precarious balance created by the various forces at play – the unstoppable development of technology, the increasing value of data, the urgent need to protect people’s digital lives, and the prosperity of Europe and the rest of the work.
The Philippines’ first comprehensive data protection law, the Data Privacy Act of 2012, took effect on 8 September 2012. The Act mandated the creation of a National Privacy Commission to implement, enforce and monitor compliance with the Act, with one of its duties to promulgate rules and regulations to effectively implement the provisions of the Act. It was not until March 2016 that the NPC was officially formed, and soon after issued draft implementing rules and regulations of the Act. Following a period of public consultation, the implementing rules and regulations were finalised and formally promulgated on 24 August 2016 and will come into effect today, 9 September 2016.
The free flow of data is essential to an ever-growing segment of the global economy. Yet some policymakers and advocates, citing privacy concerns, have called for shutting off the faucet and restricting data flow, to the detriment of European consumers and European businesses, both small and large. After much debate, a major European court opinion, and at least one act of Congress to address the issue, a solution is at hand that will enhance real, enforceable privacy protections on both sides of the Atlantic.
In a previous post back in 2010, we discussed a then-new data-privacy case decided by the French Cour de Casson (high court), called Bruno B v. Giraud et Migot, Cour de Cassation [Cass.], soc., Paris, 15 Dec. 2009, No. 07-44264. As we said at the time, Bruno B was “a significant development” because, previously, French privacy laws offered an extremely high level of protection for employees’ data, as exemplified by the 2001 decision, Nikon France v. Onof, Cour de Cassation [Cass.], soc., 2 Oct. 2001, No. 4164.
Following up on a public workshop held earlier this year, today the Federal Trade Commission (FTC) issued a set of truth-in-advertising and privacy guidelines for mobile device application (app) developers. Titled “Marketing Your Mobile App: Get it Right From the Start,” the guidelines provide an overview of key issues for all app developers to consider.