On 12 March 2019 at its Eighth Plenary Session, the European Data Protection Board (“EDPB”) adopted its Opinion 5/2019 on the interplay between the ePrivacy Directive (“ePD”) and the General Data Protection Regulation (“GDPR”). The Belgian Data Protection Authority had, on 3 December 2018, requested that the EDPB examine the overlap between the two laws and in particular the competence, tasks, and powers of data protection authorities (“DPAs”). The EDPB adopted its Opinion in response to this request and in order to promote the consistent interpretation of the boundaries of the competences, tasks, and powers of DPAs. Continue Reading
On 14 March 2019, the Dutch data protection authority (Autoriteit Persoonsgegevens, DPA) announced (in Dutch) its fining structure for violations of the European General Data Protection Regulation (GDPR) and the Dutch law implementing the GDPR (Implementation Act). Continue Reading
The European Telecommunications Standards Institute (ETSI) has published a new standard for cybersecurity in relation to consumer IoT products. The standard builds on the UK’s Code of Practice for Consumer IoT Security, published in October last year. The Code of Practice was developed by the UK Government following publication of a draft code as part of the Secure by Design report published by the Government in March 2018 and after consultation with industry, consumer associations, and academics. The UK Code is voluntary but the UK Government was keen to work with ETSI to develop it into a global standard. Continue Reading
The Federal Trade Commission (“FTC”) issued notices on March 5 seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act (“GLBA”), commonly known as the Safeguards Rule and Privacy Rule. Once the notices are published in the Federal Register comments must be received within 60 days. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule are more focused on technical changes to align the Rule with changes in law over the past decade. Continue Reading
On 7 March 2019, the Dutch Data Protection Authority published guidance (in Dutch) that it considers “cookie walls” to violate the GDPR. A cookie wall is a pop-up on a website that blocks a user from access to the website until he or she consents to the placing of tracking cookies or similar technologies.
Under current Dutch cookie law, functional and analytical cookies can be used without consent. Tracking cookies like those used for advertising may only be used if a visitor has given consent. According to the Dutch DPA, the use of a cookie wall results in a “take it or leave it” approach. The Dutch DPA explains that this practice is not compliant with the GDPR as consent resulting from a cookie wall is not freely given, because withholding consent has negative consequences for the user as the user is not allowed access to the website. In view of the Dutch DPA, websites should offer users a real choice to accept or reject cookies. Users who decide not to consent to the placing of tracking cookies should still be granted access to the website (e.g., in exchange for payment). Continue Reading
Vietnam’s new Law on Cybersecurity has garnered much attention due to its sweeping attempt to regulate online content available to internet users in Vietnam. Among its more controversial provisions are the requirements that both foreign and domestic online service providers store personal data of Vietnamese end-users in Vietnam, surrender such data to Vietnamese government authorities upon request, and supervise user posts to remove “prohibited” content (defined to include content viewed as disparaging of the Vietnamese government and/or government officials or state agencies). The law also requires offshore service providers to open branches or representative offices in Vietnam, presumably to facilitate enforcement of the Cybersecurity Law against them. Continue Reading
Subject to the deadlock in parliament being broken, or an extension of the Article 50 Brexit process, the UK’s 46-year European Union membership will cease in a matter of days. In the privacy world, the primary focus for most companies to date has, quite rightly, been on ensuring that data flows in and out of the UK (particularly data flows from the EU27 to the UK) can continue lawfully after that date. For more information on this and other requirements, see our Brexit Data Protection Action Plan.
But for companies operating across Europe, and indeed across the world, with establishments or customers in the UK, Brexit also has implications in terms of the applicability of the UK data protection framework to their operations. The UK government has published its catchily-titled draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (DP Exit Regs), which amend the territorial applicability provisions of the UK’s Data Protection Act 2018 (DPA 2018) to ensure the law applies appropriately after the exit day. Continue Reading
On February 27, 2019, the Federal Trade Commission (“FTC”) announced that it settled with the operators of a video social networking app for a record civil penalty of $5.7 million under the Children’s Online Privacy Protection Act (“COPPA”). This FTC COPPA action was notable not just for the size of the penalty, but also because of the joint statement by the two Democratic Commissioners, Rebecca Slaughter and Rohit Chopra, that future FTC enforcement should seek to hold corporate officers and directors accountable for violations of consumer protection law. Continue Reading
Please join us for our March 2019 events.
A bill introduced to amend the California Consumer Privacy Act of 2018 (“CCPA” or the “Act”) could greatly expand the risks to businesses that collect the personal information of California consumers. Senate Bill 561 (“SB 561”) would expand the CCPA’s private right of action to any violation of a consumer’s CCPA rights, remove the existing 30-day cure period, and eliminate businesses’ right to consult the AG’s office regarding compliance. SB 561 would not impact the CCPA’s current effective date of January 1, 2020. Continue Reading