Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in News & Events

Our Blog is Moving!

To our valued readers of the Chronicle of Data Protection blog: we are changing how we deliver our content. As of today, we have moved the blog to a new technology platform: Hogan Lovells Engage.

We are working to make this transition as seamless as possible. For starters, Chronicle of Data Protection content will be made publicly available, at our new location on Hogan Lovells Engage. We are working on migrating old posts from the Chronicle, but until we do, they will continue to be available at https://www.hldataprotection.com.

Also, we will continue to send emails about new blog posts to current email subscribers of the blog. If you are signed up to receive emails from us, you’ll soon receive an email with details on how to use Engage to continue to stay up-to-date on the latest developments in privacy and cybersecurity, as well as on different topics published by the firm if you’d like. We also will continue to publish posts on our Twitter feed, @HLPrivacy.

We look forward to seeing you on Engage and Twitter!

Posted in International/EU Privacy

Dutch DPA Issues Record Fine for Violating GDPR Data Subject Rights

The Dutch Data Protection Authority (DPA) issued a EUR 830,000 (approximately USD 937,000) fine against the Dutch Credit Registration Bureau (BKR) for violating data subject rights. The fine stems from BKR’s practice of charging fees and discouraging individuals who wanted to access their personal data. Continue Reading

Posted in Consumer Privacy

California Privacy Rights Act to Appear on November 2020 Ballot

It’s official. The California Privacy Rights Act (CPRA) has received enough valid signatures to appear on the November 2020 ballot. And if polling from late last year remains accurate, California voters are likely to approve it. If voters approve the initiative, the CPRA would significantly expand the CCPA, establish the California Privacy Protection Agency, remove the CCPA’s cure period, and impose a number of GDPR-styled obligations on businesses, among other requirements. The substantive provisions of the CPRA would take effect January 1, 2023. Continue Reading

Posted in International/EU Privacy

Belgian DPA Issues Guidance on Temperature Measurements in the Context of COVID-19

In the context of their return-to-work policies companies are seeking solutions to detect individuals with fever at the entrance of their premises with the aim of preventing further contamination within the buildings. This can be achieved by means of conventional thermometers, digital fever scanners directed at the forehead of the person, or sophisticated thermal camera systems. The Belgian Data Protection Authority has issued a guidance in which it adopts a strict position regarding the implications of temperature screenings for individuals’ data privacy rights. More specifically, it provides that the simple act of taking a temperature falls within the scope of the GDPR even if the temperature measurement itself has not been recorded. The guidance also provides that in light of Article 4, paragraph 2 of the GDPR, measuring temperature by means of an advanced digital process is subject to the requirements of the Regulation. Continue Reading

Posted in Cybersecurity & Data Breaches, Privacy & Security Litigation

Cyber Investigations and Privilege: Court Finds Forensic Report not Covered by Work Product Doctrine

Last week, the U.S. District Court for the Eastern District of Virginia ordered Capital One to produce a forensic investigation report in multidistrict litigation arising out of the cyber incident Capital One announced in July 2019. The court found that the report was not protected by the work product doctrine because Capital One had not shown that “but for” the litigation the report would not have been prepared in substantially the same form. The opinion offers some lessons for companies entering into arrangements with forensic experts in advance of cyber events. Continue Reading

Posted in Consumer Privacy

California AG Submits CCPA Regulations for Approval – Requests Expedited Review Ahead of July 1 Enforcement Deadline

On June 1, The California Attorney General (CA AG) submitted the final text of the CCPA regulations to the California Office of Administrative Law (OAL) for approval. Though regulations submitted to the OAL in June ordinarily would not become effective—if approved—until October 1, the CA AG has requested an expedited review. According to the CA AG, the expedited review would allow the regulations to become effective by July 1, which still is the date his office plans to begin enforcing the CCPA according to a public statement. Continue Reading

Posted in International/EU Privacy

Facial Recognition Challenged by French Administrative Court

In a decision (French only) dated 27 February 2020, the French Administrative Court of Marseille invalidated the deliberation of the Provence-Alpes-Côte d’Azur Regional Council which allowed to set up, on an experimental basis, a facial recognition mechanism in two high schools in order to (i) better control and speed up entry of students into the high schools and (ii) control access to premises of occasional visitors. Continue Reading

Posted in International/EU Privacy

EDPB Signals Efforts on International Data Transfers as CJEU Review of Current Tools Draws Near

The European Court of Justice (CJEU) recently published plans to issue its much awaited decision in CJEU case C-311/18 (also referred to as “Schrems II”) on July 16. The ruling will impact how organizations lawfully transfer personal data from the EEA to jurisdictions not providing an “adequate” level of data protection in accordance with the GDPR. The ruling will specifically address the validity of the European Commission’s standard contractual clauses (SCCs) and it may also affect operation of the EU-US Privacy Shield. On May 18, the European Data Protection Board (EDPB) published a report on its 2019 activities that may signal whether it plans to influence further development of this area. Continue Reading

Posted in International/EU Privacy

Brazil Update: Congress Sends Bill Delaying LGPD Sanctions but not Effective Date to President

As previously reported, Brazilian lawmakers have been debating a delay to the LGPD, which was scheduled to come into effect August 15, 2020, in response to COVID-19. The Brazilian Senate first passed Bill 1,179/2020, and Brazil’s President later enacted Provisional Measure 959 (PM 959).

On May 19, 2020, the Brazilian Congress sent to the President’s desk an amended Bill 1,179/2020 (Final Bill) that would maintain the LGPD’s August 15, 2020 effective date but would delay administrative sanctions until August 1, 2021. However, if approved, the Final Bill would still allow the LGPD’s requirements to be enforced through other means. Continue Reading

Posted in Consumer Privacy

California Privacy Compliance Obligations May Soon Change Under CPRA Ballot Initiative

The California Privacy Rights Act (CPRA) is progressing through California’s elections process for inclusion on the November 2020 ballot. Businesses may want to begin considering how their data privacy obligations in California may change if voters enact CPRA. The purpose of this post is to summarize some of the most impactful CPRA provisions.

As we recently covered, the CPRA is a ballot measure created by Californians for Consumer Privacy, led by co-founders Celine Mactaggart and Alastair Mactaggart—chief architect of the California Consumer Privacy Act (CCPA)—to amend the CCPA and create new data privacy obligations, including some measures that appeared in a 2018 ballot initiative but did not survive the CCPA’s legislative process.

The CPRA would significantly amend the CCPA. Substantive provisions of the CPRA would become effective on January 1, 2023. Below is a summary of key additions and modifications to the CCPA’s existing obligations: Continue Reading