Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

EDPB Joins the Dots of ePrivacy and GDPR

On 12 March 2019 at its Eighth Plenary Session, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2019 on the interplay between the ePrivacy Directive (“ePD”) and the General Data Protection Regulation (“GDPR”). The Belgian Data Protection Authority had, on 3 December 2018, requested that the EDPB examine the overlap between the two laws and in particular the competence, tasks, and powers of data protection authorities (“DPAs”). The EDPB adopted its Opinion in response to this request and in order to promote the consistent interpretation of the boundaries of the competences, tasks, and powers of DPAs. Continue Reading

Posted in International/EU Privacy

Dutch Data Protection Authority Sets GDPR Fines Structure

On 14 March 2019, the Dutch data protection authority (Autoriteit Persoonsgegevens, DPA) announced (in Dutch) its fining structure for violations of the European General Data Protection Regulation (GDPR) and the Dutch law implementing the GDPR (Implementation Act). Continue Reading

Posted in International/EU Privacy

A Global Approach to IoT Cybersecurity?

The European Telecommunications Standards Institute (ETSI) has published a new standard for cybersecurity in relation to consumer IoT products. The standard builds on the UK’s Code of Practice for Consumer IoT Security, published in October last year. The Code of Practice was developed by the UK Government following publication of a draft code as part of the Secure by Design report published by the Government in March 2018 and after consultation with industry, consumer associations, and academics. The UK Code is voluntary but the UK Government was keen to work with ETSI to develop it into a global standard. Continue Reading

Posted in Financial Privacy

FTC Seeks Comment on Proposed Changes to GLBA Implementing Rules

The Federal Trade Commission (“FTC”) issued notices on March 5 seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act (“GLBA”), commonly known as the Safeguards Rule and Privacy Rule. Once the notices are published in the Federal Register comments must be received within 60 days. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule are more focused on technical changes to align the Rule with changes in law over the past decade. Continue Reading

Posted in International/EU Privacy

Dutch Data Protection Authority States Cookie Walls Violate GDPR

On 7 March 2019, the Dutch Data Protection Authority published guidance (in Dutch) that it considers “cookie walls” to violate the GDPR. A cookie wall is a pop-up on a website that blocks a user from access to the website until he or she consents to the placing of tracking cookies or similar technologies.

Under current Dutch cookie law, functional and analytical cookies can be used without consent. Tracking cookies like those used for advertising may only be used if a visitor has given consent. According to the Dutch DPA, the use of a cookie wall results in a “take it or leave it” approach. The Dutch DPA explains that this practice is not compliant with the GDPR as consent resulting from a cookie wall is not freely given, because withholding consent has negative consequences for the user as the user is not allowed access to the website. In view of the Dutch DPA, websites should offer users a real choice to accept or reject cookies. Users who decide not to consent to the placing of tracking cookies should still be granted access to the website (e.g., in exchange for payment). Continue Reading

Posted in International/EU Privacy

Vietnam Quick to Enforce New Cybersecurity Law

Vietnam’s new Law on Cybersecurity has garnered much attention due to its sweeping attempt to regulate online content available to internet users in Vietnam. Among its more controversial provisions are the requirements that both foreign and domestic online service providers store personal data of Vietnamese end-users in Vietnam, surrender such data to Vietnamese government authorities upon request, and supervise user posts to remove “prohibited” content (defined to include content viewed as disparaging of the Vietnamese government and/or government officials or state agencies). The law also requires offshore service providers to open branches or representative offices in Vietnam, presumably to facilitate enforcement of the Cybersecurity Law against them. Continue Reading

Posted in International/EU Privacy

Dark Side of the Moon: Extraterritorial Applicability of the UK Data Protection Act 2018 After Brexit

Subject to the deadlock in parliament being broken, or an extension of the Article 50 Brexit process, the UK’s 46-year European Union membership will cease in a matter of days. In the privacy world, the primary focus for most companies to date has, quite rightly, been on ensuring that data flows in and out of the UK (particularly data flows from the EU27 to the UK) can continue lawfully after that date. For more information on this and other requirements, see our Brexit Data Protection Action Plan.

But for companies operating across Europe, and indeed across the world, with establishments or customers in the UK, Brexit also has implications in terms of the applicability of the UK data protection framework to their operations. The UK government has published its catchily-titled draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DP Exit Regs), which amend the territorial applicability provisions of the UK’s Data Protection Act 2018 (DPA 2018) to ensure the law applies appropriately after the exit day. Continue Reading

Posted in Consumer Privacy

FTC Obtains Record COPPA Settlement

On February 27, 2019, the Federal Trade Commission (“FTC”) announced that it settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children’s Online Privacy Protection Act (“COPPA”). This FTC COPPA action was notable not just for the size of the penalty, but also because of the joint statement by the two Democratic Commissioners, Rebecca Slaughter and Rohit Chopra, that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law. Continue Reading

Posted in News & Events

Privacy and Cybersecurity March 2019 Events

Please join us for our March 2019 events.

March 6
Telephone Consumer Protection Act
Mark Brennan will discuss TCPA issues on the panel, “Financial Services and Litigation Trends,” at the American Financial Services Association (AFSA) Law and Compliance Symposium 2019.
Location: Fort Lauderdale, Florida


March 12-13
California Consumer Privacy Act
The groundbreaking California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, and many key questions are still unresolved. Join the Privacy and Cybersecurity team as they host two events on the CCPA, one on March 12 in Los Angeles and another on March 13 in San Francisco. In San Francisco, they will be joined by special guest speaker, Stacey Schesser, Supervising Deputy Attorney General at California Department of Justice. To register, click here.
Location: Los Angeles and San Francisco


March 13
Keeping Up with Transparency Under GDPR
Nicola Fulford will discuss the latest regulatory decisions on transparency and evolving industry approaches to the GDPR on the panel, “Clear as Mud: Keeping Up with Transparency Under GDPR,” at the IAPP Data Protection Intensive: UK 2019.
Location: London


March 14
Brexit is Coming – Are You Ready?
Eduardo Ustaran will lead a discussion on the possible outcomes after Brexit and their impact for data protection and privacy professionals during the session, “Brexit is Coming – Are You Ready?” at the IAPP Data Protection Intensive: UK 2019
Location: London


March 14
Artificial Intelligence: Industry Perspectives and Impacts Forum
Mark Brennan will present at the Artificial Intelligence: Industry Perspectives and Impacts Forum in Baltimore, MD.
Location: Baltimore, Maryland


March 22
CCPA and SB 327
Tim Tobin will speak on the panel, “California Privacy Law: CCPA and SB 327 (connected devices),” at the 2019 Annual Berkeley Center for Law & Technology Privacy Law Forum.
Location: Silicon Valley


Posted in Consumer Privacy

CCPA Update: CA AG Backs Bill to Expand Private Right of Action and Remove Cure Period

A bill introduced to amend the California Consumer Privacy Act of 2018 (“CCPA” or the “Act”) could greatly expand the risks to businesses that collect the personal information of California consumers. Senate Bill 561 (“SB 561”) would expand the CCPA’s private right of action to any violation of a consumer’s CCPA rights, remove the existing 30-day cure period, and eliminate businesses’ right to consult the AG’s office regarding compliance. SB 561 would not impact the CCPA’s current effective date of January 1, 2020. Continue Reading