On October 2, 2018, Hogan Lovells hosted the most recent installment in its Internet of Things (IoT) Webinar Series. Two of our experienced litigation partners, Christine Gateau in Paris and Michelle Kisloff in Washington DC, discussed current regulatory actions and cutting-edge IoT litigation debates in the U.S. and Europe, as well as litigation risks to keep in mind when designing IoT products. The full webinar recording is available.
Late last month, California Governor Jerry Brown signed the first US Internet of Things (IoT) cybersecurity legislation: Senate Bill 327 and Assembly Bill 1906. Starting on January 1, 2020, manufacturers of regulated connected devices are required to equip such devices with “reasonable security features” designed to protect a connected device and any information it holds from “unauthorized access, destruction, use, modification, or disclosure.” This legislation was prompted by what the bill’s sponsor viewed as a “lack of security features on internet connected devices undermin[ing] the privacy and security of California’s consumers.”
The new law regulates manufacturers of “connected device(s),” defined as devices that can directly or indirectly connect to the Internet and are assigned an Internet Protocol (IP) or Bluetooth address. Given the legislative history and text, the law likely applies primarily to manufacturers of consumer-facing connected devices, although its language is quite broad.
The French Data Protection Authority (the CNIL) published its assessment of the first four months of the GDPR and several guidelines, including one on how to make a GDPR-compliant blockchain.
The CNIL just published its latest newsletter (n°14, dated 25 September 2018) with:
- initial results of its factual assessment of the implementation of the EU General Data Protection Regulation (GDPR) in France and in Europe; and
- interesting developments about its latest series of guidelines on social network posts, blockchain, personal data access requests, and consent:
  - Guidelines on responsibility when using blockchain and personal data: in these guidelines, the CNIL proposes concrete solutions for using blockchain with appropriate data protection safeguards;
  - Helping tool on how to delete embarrassing posts on social networks: the CNIL provides links to help individuals report embarrassing publications on social networks and have them deleted;
  - Guidelines for controllers on answering personal data access requests from data subjects: the CNIL provides advice to companies on how to respond to a data subject access request and underlines that data subjects need not always provide a copy of their identification card;
  - Guidelines for controllers on obtaining consent from individuals: the CNIL recaps the key principles for valid consent and the strengthening of data subject rights under the GDPR.
The IAPP conference in Munich on 19 September 2018 provided important insights into the work and views of the European Data Protection Board (EDPB). Isabelle Vereecken (Head of the EDPB Secretariat) and Bas Van Bockel (Head of Department of International, Policy and Strategy, Dutch Data Protection Authority) addressed key topics such as data protection impact assessments (DPIA), international data transfers and the one-stop-shop principle.
Ms. Vereecken explained that the EDPB has received twenty-two black lists from the national data protection supervisory authorities (DPAs), covering 260 different types of processing overall which, in the view of the DPAs, require a DPIA. In its third plenary session on 26 September, the EDPB reached agreement on and adopted twenty-two opinions establishing common criteria for DPIA lists, based on the lists submitted to the EDPB by the DPAs.
Given that the GDPR requires DPAs to take utmost account of the EDPB’s opinions, each DPA is expected to re-issue the public version of its list, amended in line with the corresponding EDPB opinion.
This is the sixth installment in Hogan Lovells’ series on the California Consumer Privacy Act.
The California Consumer Privacy Act of 2018 (CCPA) adds another set of privacy requirements for health and life sciences companies. Managing the interaction of these new requirements with existing obligations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), California’s Confidentiality of Medical Information Act (CMIA), and other health privacy laws will continue to be an area of focus in the health privacy community for years to come.
We describe these issues below and outline four important steps health and life sciences companies may consider to assess the CCPA’s operational impact.
On September 27, the Federal Trade Commission (FTC) announced proposed settlement agreements with four companies it alleges violated Section 5 of the FTC Act by misrepresenting their certification status and compliance with the EU-U.S. Privacy Shield. This latest set of enforcement actions brings the FTC’s Privacy Shield-related enforcement to settlements with eight defendants since the framework was adopted in July 2016.
The FTC brought its first set of separate Privacy Shield-related enforcement actions against three companies in September 2017 for allegedly misrepresenting to customers the companies’ current participation in the Privacy Shield framework. According to the FTC complaints, merely implying participation in the Privacy Shield framework is enough to draw a misrepresentation charge. In those cases, the companies included statements in their privacy policies that they complied with the Privacy Shield principles even though the companies had never completed the certification process with the Department of Commerce.
The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR Part 500) came into effect March 1, 2017 (see our previous publications: “New York Department of Financial Services Cybersecurity rules revised and delayed,” “The ‘Final Final’ Is Here: NYDFS Cybersecurity Regulations,” and “A guide to NYDFS Cybersecurity Regulation’s March 1 implementation deadline”). Various provisions under the regulations have been implemented on a staggered implementation timeline since that date.
As of Tuesday, September 4, 2018, covered entities are required to be in compliance with additional requirements relating to:
- Audit Trail (Section 500.06);
- Application Security (Section 500.08);
- Limitations on Data Retention (Section 500.13);
- Monitoring of Authorized Users (Section 500.14(a)); and
- Encryption of Non-public Information (Section 500.15).
As you finalize your organization’s preparations for compliance, we have highlighted below key aspects of these obligations that come into effect on September 4. In addition to this overview, you may also find the NYDFS’s Frequently Asked Questions a helpful resource in your preparation for this next implementation deadline.
This is the fifth installment in Hogan Lovells’ series on the California Consumer Privacy Act.
As the most comprehensive privacy law to be enacted in the United States thus far, the California Consumer Privacy Act (CCPA) has inevitably invited comparisons to the European Union’s General Data Protection Regulation (GDPR). At first glance, it is clear that the drafters of the CCPA (and the ballot measure that spurred its passage) drew inspiration from the GDPR. However, the CCPA is not a carbon copy of the GDPR, and a GDPR compliance program will not automatically meet the requirements of the CCPA. As businesses begin their CCPA compliance efforts, awareness of these laws’ similarities and differences will be key to creating efficient and effective compliance programs that capitalize on prior GDPR compliance work but also address the unique nuances of the CCPA. This post compares the CCPA and the GDPR in ten key areas: (1) geographic scope, (2) entities subject to the law, (3) the definition of personal data/information, (4) notice requirements, (5) access and portability rights, (6) deletion rights, (7) rights to object or opt out, (8) relationships with processors/service providers, (9) anti-discrimination / compelled consent provisions, and (10) enforcement.
Please join us for our October 2018 Privacy and Cybersecurity Events.
This is the fourth installment in Hogan Lovells’ series on the California Consumer Privacy Act.
This post discusses litigation exposure that businesses collecting personal information about California consumers should consider in the wake of the California Legislature’s passage of the California Consumer Privacy Act of 2018 (CCPA).
For several years, the plaintiffs’ bar has increasingly relied on statutes such as the Confidentiality of Medical Information Act, Cal. Civ. Code § 56 et seq., and the Customer Records Act, Cal. Civ. Code § 1798.81 et seq., to support individual and classwide actions for purported data security and privacy violations.
The CCPA creates a limited private right of action for suits arising out of data breaches. At the same time, it also precludes individuals from using it as a basis for a private right of action under any other statute. Both features of the law have potentially far-reaching implications and will garner the attention of an already relentless plaintiffs’ bar when it goes into effect January 1, 2020.