HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

European Commission and Article 29 Working Party Urge Respect for International Law in Data Cases

Territoriality will continue to be one of the most vexing problems for data regulation in 2018. One aspect of this debate relates to whether a U.S. judge can compel the disclosure of personal data located in Europe without using international treaty mechanisms. This issue is currently being considered by the United States Supreme Court in the case United States v. Microsoft. The case involves the question of whether a U.S. statute relating to search warrants can be interpreted as extending to a search for data located outside the United States; in this case, the data is located in Ireland. The U.S. Court of Appeals found that, in the absence of express wording in the statute relating to extraterritorial application, the statute should be interpreted as being limited to searches conducted within the territory of the United States. The Supreme Court is currently reviewing the case. In December 2017, the European Commission filed an amicus brief urging the Supreme Court to give due consideration to the principles of international comity and territoriality when interpreting the U.S. statute.

Posted in International/EU Privacy

Misunderstandings, Panic and Priorities in the Year of the GDPR

It is finally here. This is the year of the GDPR. A journey that started with an ambitious policy paper about modernising data protection almost a decade ago – a decade! – is about to reach flying altitude. No more ‘in May next year this, in May next year that’. Our time has come. Given the amount of attention that the GDPR has received in recent times, data protection professionals are in high demand but we are ready. We knew this was coming and we have had years to prepare. However, even the most seasoned practitioners are at risk of being engulfed by the frantic fire-fighting mood out there. The hamster wheel of GDPR compliance is spinning faster and faster, but it is precisely now when we must look up, see the bigger picture and focus on getting the important things right.

Posted in News & Events

Privacy and Cybersecurity Upcoming 2018 Events

Please join us for our Upcoming 2018 Privacy and Cybersecurity Events.

February 1
Challenges for GDPR Implementation
Mark Brennan will moderate a panel on GDPR issues at the FCBA CLE: International Privacy: U.S. Perspectives on EU Privacy Frameworks.
Location: Washington, D.C.

February 21
Privacy, What Does That Look Like?
Joke Bodewits will participate in a speaking engagement on accountability at the Institute for International Research on GDPR countdown congress.
Location: Amsterdam

February 27
GDPR Challenges for Artificial Intelligence and Machine Learning
Eduardo Ustaran will speak on artificial intelligence, machine learning, and the GDPR at the International Privacy+Security Forum.
Location: Washington, D.C.

March 6
Standing Post Spokeo
Hogan Lovells will host a webinar aimed at highlighting strategies companies can employ to defend against consumer, privacy, or data breach suits. The speakers include Michelle Kisloff, Mark Brennan, Adam Cooke, and Alicia Paller.
Location: Washington, D.C.

March 6
Infosecurity Leadership Summit 2018
Eduardo Ustaran will make a presentation entitled “Lightening Talk Last Chance Saloon: Are You Ready & Prepared for EU GDPR?” at the 5th Infosecurity Leadership Summit at the Savoy Hotel.
Location: London

March 27
Keeping up with EU Privacy
Eduardo Ustaran will be a panelist at the IAPP Global Privacy Summit 2018. He will discuss key pieces of regulation to watch for in the EU, how guidance affects interpretation of law, and the latest with Brexit.
Location: Washington, D.C.

March 28
Supporting D&I Through Your Privacy Program
Mark Brennan will be a panelist at the IAPP Global Privacy Summit 2018. He will discuss the business case for directly supporting diversity and inclusion as part of privacy/compliance programs.
Location: Washington, D.C.

March 28
How to Monitor Your Workforce Legally
James Denvil will be a panelist at the IAPP Global Privacy Summit 2018. He will discuss the legal issues associated with workforce monitoring programs and summarize the legal frameworks.
Location: Washington, D.C.

March 28
GDPR Compliance and Your Cloud Services Provider
Stefan Schuppert will be a panelist at the IAPP Global Privacy Summit 2018. He will discuss practical implementation strategies to ensure that cloud products are ready for customers concerned about GDPR compliance.
Location: Washington, D.C.

Posted in International/EU Privacy

Thinking Strategically About Brexit and Data Protection

To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those with responsibility for data protection compliance to make some crucial strategic decisions. To help with that process, here are some pointers about what we know and what we don’t know.

Posted in Health Privacy/HIPAA, Privacy & Security Litigation

Aetna $17.2 Million Breach Settlement Brings Lessons for Handling Health Data

Aetna will pay almost $17.2 million to settle a federal class action lawsuit stemming from a 2017 mailing that disclosed the HIV status of health plan members. Aetna also agreed last week to pay a $1.15 million fine to the state of New York following an investigation by Attorney General Eric Schneiderman (NY AG) into Aetna’s alleged violations of federal and state privacy laws. Both settlements impose compliance monitoring and record-keeping obligations.

Posted in Consumer Privacy

Navigating the Road Ahead: Auto Industry Stakeholders and Regulators Convene to Discuss Connected Vehicle Privacy

In the same week that the automotive industry gathers in Washington, D.C. for the 2018 Washington Auto Show, a cross-section of automotive stakeholders, government officials, and consumer and privacy advocates came together at Hogan Lovells’ Washington office to discuss privacy issues facing connected vehicles. The half-day conference, co-hosted by Hogan Lovells and the Future of Privacy Forum, convened on January 23, with the theme of “Privacy and the Connected Vehicle: Navigating the Road Ahead.”

Panels focused on the privacy landscape surrounding automobiles and connectivity generally, regulatory developments and areas of government interest, and the effect of emerging technologies on business models and privacy practices in the automotive space.  With lively discussion throughout and a wide array of perspectives, several key themes emerged.

Posted in International/EU Privacy

Council e-Privacy Regulation Negotiations Critical for the Future of IoT and AdTech

Following the European Commission and European Parliament’s proposed versions of the EU Regulation on Privacy and Electronic Communications (the ePR), we are now waiting for the Council of the European Union to agree their position before discussions between the three bodies can begin. A discussion paper from the Bulgarian Presidency of the Council dated 11 January 2018 (the Paper) shows that the Council is still considering multiple options in relation to several critical issues. In particular:

Continue Reading

Posted in International/EU Privacy

Why Companies in Mexico Should Reassess Their Compliance with Data Privacy Protocols—and Their Risk of a Data Breach

According to the Constitution of Mexico, the protection of personal data is a fundamental right of all Mexican citizens. Under federal law, individuals also have a right to access, change, oppose, or suppress their personal data. Although all private companies process data, some are not sufficiently familiar with Mexico’s data privacy principles and regulations, and many may not have an up-to-date assessment of their own risk of a data breach. In addition, they may not be aware that the Mexican Supreme Court’s recent shift in perspective regarding personal injury cases may herald a change in the way data privacy breaches are handled in the future.

Posted in International/EU Privacy

Privacy in 2018: Expect the Unexpected

Making predictions for the year ahead is possibly as desirable as it is unreliable. In a world of unlimited data and advanced science, it would be tempting to think that the future is already written. Algorithms and artificial intelligence will show us what lies ahead with immaculate accuracy. Or perhaps not. At least not yet. To say that the world is in turmoil is an understatement and the same is true of the world of privacy and data protection, which makes predicting the future particularly tricky. But since the urge to plan, budget and prepare for what is likely to happen next is so real, now is a good time to pause, reflect on what’s going on, and make some predictions for 2018.

Posted in International/EU Privacy

Article 29 Working Party Sets Deadline to Address Privacy Shield Concerns

Hot on the heels of the European Commission’s official review of the functioning of the EU-U.S. Privacy Shield framework, the Article 29 Working Party (Working Party) of EU data protection regulators has issued its own report on the matter. The summary of findings by the Working Party, which draws from both written submissions and oral contributions, begins by commending U.S. authorities for their efforts in establishing a procedural framework to support the operation of Privacy Shield but quickly shifts to the Working Party’s concerns. Should the concerns not be addressed by the time of the second joint review, the Working Party notes that its members will “take appropriate action,” including bringing a Privacy Shield adequacy decision to national courts for reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.

While the precise importance and role of Privacy Shield in a post-GDPR world where contractual mechanisms and BCR seem to be given prominence remains to be seen, approximately 2,500 organizations currently rely on the framework for the transfer of personal data from the European Union to the U.S. The referral of Privacy Shield to the CJEU would cast the validity of such transfers into doubt, so the next few months will be critical in this respect.