HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

Will Widened Class Actions Regime Boost Data Litigation in the Netherlands?

On 19 March 2019, the Dutch Senate approved legislation introducing collective damages actions in the Netherlands (the “Legislation”) which will broaden the regime even further. The Legislation introduces an option to claim monetary damages in a “US style” class action, including for violations of the GDPR. This Legislation together with the mechanisms already available under Dutch law put the Netherlands at the forefront of collective redress in Europe. The Legislation is expected to enter into force in July 2019 and will apply to events which took place on or after 15 November 2016.

Posted in Consumer Privacy

Consumer Horizons 2019: Hogan Lovells’ Cross-Practice Publication Highlights Key Privacy and Data Protection Considerations in the Consumer Industry

The consumer industry is evolving at lightning speed, and the way consumer businesses operate is shifting. From issues in supply chain to the digitalization of the consumer experience, companies are rapidly changing to keep up with consumer demands. Businesses in the consumer industry have seen a wave of unprecedented disruption and transformation that has made privacy and data protection issues a mainstream topic in boardrooms, amongst legislators, and across the wider public. 2019 promises challenges of similar or greater magnitude.

In this year’s edition of Consumer Horizons, the Hogan Lovells global Consumer team identifies trends that will impact food and beverages companies, fashion and luxury goods producers, retailers, consumer electronics manufacturers, and other consumer businesses throughout 2019.

Posted in International/EU Privacy

The EDPB’s Narrow View of Contractual Necessity

The European Data Protection Board (EDPB) has adopted the narrowest possible interpretation of ‘contractual necessity’ as a ground for processing of personal data. The Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (adopted on April 9, 2019 and open for consultation until May 24, 2019) provide a detailed assessment of the regulator’s interpretation of the law.

Posted in Consumer Privacy

Efforts to Expand CCPA’s Private Right of Action Remain in Question

The California legislature is considering significant amendments to the California Consumer Privacy Act (CCPA) ahead of the law’s January 1, 2020 implementation date. Of particular note has been the potential for CCPA amendments to expand the private right of action beyond violations of businesses’ duty to implement and maintain reasonable security procedures to instead cover violations of any CCPA right.

Posted in International/EU Privacy

Eduardo Ustaran Discusses Brexit and ePrivacy on IAPP Podcast

Eduardo Ustaran was featured on the IAPP’s Privacy Advisor Podcast to discuss the latest developments on Brexit—including various potential outcomes—and how companies doing business in the United Kingdom are looking ahead to prepare post-Brexit privacy and data protection compliance practices. Eduardo also outlined the state of legislation for the European Union’s ePrivacy update and discussed how the anticipated regulation may develop during Romania’s term in the Presidency of the Council of the European Union.

Posted in Consumer Privacy

Beyond FERPA: The California Consumer Privacy Act’s New Rules for Privacy in the Education Sector

In June of 2018, California passed the California Consumer Privacy Act (CCPA), which seeks to give consumers additional safeguards regarding their personal information. The CCPA will become effective January of 2020 and may impact companies in the education sector, including the larger education technology companies.

While the CCPA does not apply to nonprofit educational institutions, it may apply to certain for-profit educational institutions, third-party service providers, and others in the education space. If an educational entity meets the threshold requirements below or it processes information on behalf of such an entity, it should prepare for CCPA implementation by January 2020.

Posted in International/EU Privacy

Action Required: Privacy Shield Participants Must Update Privacy Policies for Brexit

With the deadline for a no-deal Brexit looming—the UK’s exit date from the European Union is now slated for April 12—companies certified to the EU-U.S. Privacy Shield should update their Privacy Shield privacy policies if they have not done so already to ensure that they are able to lawfully receive personal data from the UK post-Brexit.

The UK Information Commissioner’s Office (ICO) clarified this past December that existing EU adequacy decisions, including the Privacy Shield framework, would remain lawful mechanisms to export personal data outside of the UK. Since then, the U.S. Department of Commerce (DOC) has published Privacy Shield and the UK FAQs, which clarify that organizations certified to Privacy Shield will not only need to maintain their current Privacy Shield certification (including annual recertification) but also add to their public Privacy Shield commitment a separate reference to treat UK-based data transfers as subject to their Privacy Shield certification.

Posted in International/EU Privacy

Asia Pacific Data Protection and Cybersecurity Regulation: 2018 in Review and Looking Ahead to 2019

What is in store for data protection and cyber security regulation in Asia Pacific (APAC) in 2019?

2018 was a momentous year for data protection and cyber security regulation globally – the implementation of the European Union’s General Data Protection Regulation (GDPR) was, of course, the main event. The shockwaves of GDPR hit APAC with full force, coupled with the promulgation of an important GDPR-inspired national standard in China and the tabling of a draft data protection law in India that shares the same lineage. Rising public awareness of data protection concerns, due to the ever increasing volume and scale of cyber incidents in APAC, means that these issues are front and centre for organizations in terms of brand values, effective risk management and stewardship of increasingly valuable data assets.

Posted in International/EU Privacy

First Fine Imposed by the Polish DPA Under the GDPR

The President of the Personal Data Protection Office in Poland (Polish DPA) imposed a fine amounting to PLN 943,470 (approximately EUR 220,000; approximately USD 245,977) for failing to fulfil the company’s transparency obligations towards over six million data subjects under Article 14 of Europe’s General Data Protection Regulation (GDPR).

This is the first fine imposed by the Polish DPA under the GDPR and Poland’s Act on Personal Data Protection of 10 May 2018 implementing the GDPR. The decision provides some limited insights into the interpretation of the term “disproportionate effort” within the meaning of Article 14(5)(b) of the GDPR.

Posted in News & Events

You’re Invited to an In-Person Event: CCPAnow: Understanding the Challenge Ahead and What You Should Be Doing Now

The groundbreaking California Consumer Privacy Act (CCPA) takes effect on January 1, 2020, and companies are already working on compliance. Join members of the Hogan Lovells Privacy and Cybersecurity team for our CCPAnow program, a valuable opportunity to explore the questions that you need to address now in order to be ready.

We are hosting an event on the CCPA, on April 16 in New York.

CCPAnow will offer expert and practical guidance on how to navigate the CCPA, and help you benchmark against how other organizations are addressing the same issues.