Anonymisation has always been (and still is) a real challenge for those carrying out clinical research. To shed some light on this matter, the Medical Research Council (MCR) – which is part of UK Research and Innovation – has recently published guidance on Identifiability, anonymisation and pseudonymisation (the guidance). Although the guidance itself states that it has been developed with the participation of the Information Commissioner’s Office (ICO), it is not ICO-approved and so institutes and organisations should be cautious when relying on the criteria set out in the guidance. Continue Reading
Please join Hogan Lovells on October 17 for a discussion of the much-anticipated proposed California Consumer Privacy Act (CCPA) regulations released recently by the California Attorney General.
While the proposed regulations may change, including based on public input, they provide valuable signals of how the California Attorney General may ultimately approach a wide array of CCPA requirements. Continue Reading
On October 10, California Attorney General Xavier Becerra (CA AG) released proposed regulations to implement certain provisions of the California Consumer Privacy Act (CCPA). The CA AG also released a Notice of Proposed Rulemaking and Initial Statement of Reasons that provide drafting insights and outline considerations that likely will continue to guide the rulemaking process. The CA AG is accepting written comments from the public until 5:00pm (PST) on December 6, 2019.
The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized below: Continue Reading
In a legislative environment charitably described as challenging, the fact that the Senate recently passed cybersecurity legislation by unanimous consent is noteworthy and highlights the bipartisan nature of this issue. The DHS Cyber Hunt and Incident Response Act (H.R. 1158) responds to the recent spate of ransomware attacks against government agencies and private sector organizations¹. It would require the Department of Homeland Security (DHS) to form “cyber hunt” and incident response teams that could be called upon to assist federal, state, and local entities to respond to a ransomware or other type of cybersecurity incident or to identify vulnerabilities in their systems that may increase the likelihood and success of a future attack. While continued government attention to the availability of cybersecurity capabilities should be welcomed by the private sector, the extent to which businesses will directly benefit from this legislation is unclear given its focus.
On 1 October 2019, the Court of Justice of the European Union (CJEU) handed down a crucial decision impacting the way that consent is obtained on the internet. The judgment relates to Case C-673/17 (Planet49 – a previous post outlining the background can be found here).
In the Planet49 case, the German Federal Court referred a number of questions to the CJEU regarding the validity of consent to cookies placed by a website operating an online lottery. The questions before the CJEU amounted to the following:
1. Does a pre-checked box allow for valid consent to be obtained for the placement of cookies?
2. Does it matter whether information stored or accessed using cookies constitutes personal data?
3. Must users be provided with information concerning the duration of operation of the cookies and whether third parties are given access to them?
Despite the apparent simplicity of the questions, the CJEU’s decision needed to take into account the interaction of various pieces of legislation. The requirement for consent before cookies are placed originates from Directive 2002/58 (ePrivacy Directive), but the requirements for valid consent are now found in the General Data Protection Regulation 2016/679 (GDPR). To complicate matters, the facts and the initial hearing in this case occurred before the GDPR came into effect, when Directive 95/46 (Data Protection Directive) was the applicable law, so the considerations given by the CJEU to the concept of consent were primarily based on the provisions of the Data Protection Directive. However, somewhat surprisingly, the CJEU’s conclusion on what amounts to valid consent under the Data Protection Directive essentially matches the GDPR definition of consent. Continue Reading
Please join us for our October Events.
Since the California Consumer Privacy Act’s (CCPA) hasty passage in June last year and minor changes last September, the CCPA has vexed businesses working on compliance. Among many practical challenges, the CCPA often includes inconsistent or ambiguous requirements that have been an obstacle to implementing clear compliance strategies. Businesses, some academics, and various legislators thought that further amendments were needed to make the CCPA work effectively and accomplish its objectives. Over the past several months, the California legislature debated several amendments, eventually passing five bills, which now sit on the Governor’s desk. These bills collectively do not provide the sweeping changes sought by businesses. Instead amendments make minor tweaks and postpone for a year some of the more challenging requirements. Continue Reading
Join members from our award-winning Privacy and Cybersecurity (PaC) practice at this week’s IAPP Privacy. Security. Risk. 2019 conference in Las Vegas. We hope to see you at one of our sessions listed below.
We are proud to sponsor the LGBTQ After Hours Happy Hour. Refreshments will be provided. To register, click here.
Time: 6:30 p.m. – 8:30 p.m. Location: Condesa 9, Level 2 Continue Reading
Join us on Thursday 19 September for the Hogan Lovells Privacy and Cybersecurity KnowledgeShare in London.
We will share our latest thinking on the key privacy and cybersecurity issues faced by those with data protection responsibilities within organisations. Our all-day event will cover a lot of ground through incisive quick-fire presentations, Q&A panels and hands-on workshops.
We are particularly excited to announce that we will be joined by guest speakers:
- James Dipple-Johnston; Deputy Commissioner (Operations) at the UK Information Commissioner’s Office
- Lien Ceulemans; Vice President and Associate General Counsel, Global Privacy at Salesforce
The Federal Trade Commission (“FTC”) is requesting public comments on the Children’s Online Privacy Protection Rule (“COPPA Rule”). In particular, the FTC is seeking feedback on the effectiveness of its 2013 amendments to the COPPA Rule and on whether additional changes are needed. Comments are due October 23, 2019. The FTC will also be hosting a COPPA workshop on October 7, 2019. Continue Reading