As with anything Brexit-related, the UK government is facing a dilemma in relation to data protection law. Shall we follow the direction of travel of the past 25 years and opt for the continuity and certainty provided by the GDPR or shall we use the departure from the EU to make radical changes to the regulation of data uses and privacy? On the one hand, it would be reassuring to know that despite Brexit’s uncertainties, the current framework is here to stay and it will develop in a familiar way. On the other hand, it must be tempting to use this opportunity to completely re-think what is in the best national interest. For an area of law and policy that is so closely related to technological development and prosperity, it would be foolish not to consider whether a different formulation would lead to better outcomes. A dilemma indeed. Continue Reading
On January 15, the Court of Justice of the European Union’s (CJEU) Advocate General (AG) Manuel Campos Sánchez-Bordona delivered his Opinion on four references for preliminary rulings on the topic of retention of and access to communications data.
Of the four references, two originated from France, one from Belgium, and one from the Investigatory Powers Tribunal (IPT) in the United Kingdom. The latter arose from a challenge by Privacy International to the UK Security and Intelligence Agencies’ (SIAs) powers under the Telecommunications Act 2014 and the Data Retention and Investigatory Powers Act 2014. SIAs have the power to compel providers of electronic communications services, such as internet service providers, to retain and hand over bulk communications data. Communications data does not include the content of communications but does reveal traffic and location data, as well as information on users’ social, business and financial activities, communications, and travel. Continue Reading
The French Data Protection Authority (CNIL) published new Guidelines (French only) on December 10, 2019 applicable to whistleblowing schemes, following a public consultation process. The Guidelines replace the former Single Authorization AU-004, which has not applied since arrival of the General Data Protection Regulation (GDPR). The CNIL has also published a useful Frequently Asked Questions webpage regarding the Guidelines. Continue Reading
Washington State is already shaping up as a center of state privacy legislation for 2020.
Last year, SB 5376 (also known as the Washington Privacy Act, or WPA) gained significant traction in the legislature, passing the state Senate almost unanimously but ultimately failing in the House due to discussions around facial recognition and compliance challenges. State Senator Reuven Carlyle (D), chair of the state’s Senate Energy, Climate & Technology Committee, has now released a revised draft of the WPA for 2020. If enacted as drafted, this new version of the WPA would come into effect on July 31, 2021. Continue Reading
It was a very busy year on the robocall front and, on 30 December 2019, President Trump signed into law the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence (TRACED) Act (S. 151), which the House and Senate passed by wide, bipartisan margins earlier this year. Continue Reading
Does the GDPR really apply to my company? From a data protection standpoint, this is the first thing that comes to mind within non-EU companies. In many cases, the GDPR seems like an issue of the Old Continent, so some assume it should not affect non-EU companies. In others, companies apply the GDPR to all their processing activities just to avoid the possibility of being addressed by EU authorities. Neither approach is per se correct. Continue Reading
We recently published Getting Cookie Consent Right, describing how various approaches to cookie consent fare against the European Court of Justices’ (CJEU) Planet49 decision. In this blog post, we further help navigate through the EU cookie landscape by focusing on how European DPAs are approaching cookie consent and transparency in light of the Planet49 decision. Continue Reading
With the California Consumer Privacy Act’s (CCPA) effective date fast approaching on January 1, 2020 and the California Attorney General’s CCPA rule-making still pending, covered businesses have important decisions to make in the very near future. In this webinar discussion from November 14, Hogan Lovells Privacy and Cybersecurity partners Mark Brennan and Tim Tobin discussed how the CCPA changes enacted over the past year and the proposed regulations may impact your compliance efforts.
Update: On 3 December 2019 the law imposing multi-million Ruble (RUB) fines for infringing Russian data localization and information security laws has come into force. We have retained below our earlier update about the law for informational purposes and to provide context. Since the law has already come into force, new fines may be imposed on companies based on results of the Russian DPA’s (Roskomnadzor) inspections in 2020. Roskomnadzor has already identified the entities it plans to inspect in 2020 but may initiate unplanned inspections as well based, for example, on data subject complaints or its online monitoring of company activity.
On 21 November 2019 a bill imposing multi-million Ruble (RUB) fines for infringing Russian data localization and information security laws passed the last hearing at the State Duma. This likely means that the bill will become the law soon, once it passes the higher chamber of Russia’s Parliament and is singed by the Russian President. The process may take about two weeks. Continue Reading