
HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in International/EU Privacy

Poland: Credit Scoring in Danger?

A draft act on adjusting the Polish legal system to the provisions of the GDPR is under way in the lower house of the Polish Parliament (Sejm).

The draft act (in Polish) contains, among others, provisions amending the rules for processing personal data by banks, credit institutions, loan companies and other entities regulated by Polish banking law.

Particular controversy has been caused by the government’s proposal to limit the scope of data on which credit risk scoring may be based to only those categories of data that are expressly indicated in the draft act. In its current version, the proposed data catalogue is limited solely to identification data, data concerning marital status and matrimonial regime, information about financial and work situation, as well as credit history.

Posted in International/EU Privacy

EDPB Advises on Lawful Grounds for Processing Personal Data in Clinical Trials

With the coming into effect of the General Data Protection Regulation (GDPR), those conducting clinical trials in the EU face a complex set of rules ranging from lawful grounds for processing and transparency to restrictions on data transfers and secondary uses. To assist with this task, the European Commission is in the process of adopting a Q&A document on which it has sought advice from the European Data Protection Board (EDPB).

As the EDPB puts it, the information provided in the Q&A document will constitute a good basis for a GDPR compliant clinical trial. So, with that in mind, the EDPB has issued an influential opinion on the lawful grounds for the processing of personal data in the context of clinical trials. The opinion covers the justification for both the primary use of data for the clinical trial protocol itself and the secondary use of such data for other scientific purposes.

An added complexity of personal data processing for clinical trials is that this will necessarily involve the use of ‘data concerning health,’ which is regarded as a special category of personal data. In practice, this means that for the purposes of complying with the GDPR, it will be necessary to meet one of the grounds of Article 6 as well as one of the conditions of Article 9.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – The CCPA’s “Reasonable” Security Requirement

This is the eleventh installment in Hogan Lovells’ series on the California Consumer Privacy Act.

Much of the focus on the California Consumer Protection Act (“CCPA”) has been on the new rights that it affords California consumers, including the rights to access, delete, and opt out of the sale of their personal information. But arguably the greatest risk to covered businesses involves data security, as the CCPA creates for the first time a private right of action with substantial statutory penalties for breaches involving California consumers’ personal information.

This installment of Hogan Lovells’ CCPA series explains the CCPA’s security requirement and consequences for non-compliance, and describes security controls that most organizations can implement to mitigate this risk.

Posted in International/EU Privacy

EU and Japan Create World’s Largest Area of Safe Data Transfers

On 23 January, the European Commission announced that it had adopted an adequacy decision in relation to Japan, to enter into force immediately. The mutual agreement, which covers Japan’s 127m citizens as well as the whole of the EU, allows personal data to be transferred between Japan and the EU without the need for additional safeguards such as Standard Contractual Clauses, and creates the largest area of safe data transfers in the world.

Posted in Consumer Privacy

California DoJ Sets March 8 Deadline for CCPA Pre-Rulemaking Comments

The California Department of Justice has announced a March 8, 2019 deadline for submitting written pre-rulemaking comments on the California Consumer Privacy Act (CCPA). The March 8 deadline is an extension from the previously set end-of-February deadline.

Pursuant to section 1798.185(a) of the CCPA, the California Attorney General (AG) is obligated to solicit broad public participation and adopt regulations to further the purposes of the CCPA. The CCPA sets out seven specific areas for AG rulemaking:

Posted in Consumer Privacy

Illinois Supreme Court Says Infringement of Rights Under Biometric Act Is Sufficient for a Claim, Even Absent Additional Harm

The Illinois Supreme Court ruled on January 25 in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff can allege a violation of rights under the state’s Biometric Information Protection Act (BIPA) even without alleging “injury or damage beyond infringement of the rights afforded them under the law.” The court decided the issue solely as a matter of statutory construction under Illinois law. This decision will have a major impact on a number of pending BIPA lawsuits and is likely to result in increased BIPA litigation given the availability of statutory damages and attorneys’ fees under the law.

Posted in International/EU Privacy

Brexit – A Data Protection Action Plan

“There is a cliff, whose high and bending head looks fearfully in the confined deep. Bring me but to the very brim of it” says the blinded Earl of Gloucester in Shakespeare’s King Lear, thinking that he is at the edge of the famous white cliffs of Dover.

Right now, the whole of the UK appears to be on the same spot looking over a precipice. However, this is not the moment to be blind. As politicians struggle to find a magic formula for a prosperous Brexit, businesses are stepping up their efforts to mitigate the damage of a possible “no-deal Brexit.” The data protection community is no different.

The proposed withdrawal agreement would have preserved the status quo in data protection terms, at least until the end of the transition period in December 2020. However, if the UK leaves the EU without a deal, the implications for international data flows and privacy compliance generally will be severe. Therefore, British pragmatism demands an urgent and thorough approach to preparing for the eventuality of a no-deal Brexit.

A comprehensive action plan in this situation should consider the following:

Posted in International/EU Privacy

Privacy, Cybersecurity, and the Internet of Things in Asia: What to Expect in 2019

Increasing numbers of initiatives, devices, and solutions related to the Internet of Things (IoT) are substantially impacting the development of cybersecurity and data privacy regulations throughout Asia. After the implementation of the General Data Protection Regulation (GDPR) in Europe, for example, Asian lawmakers are considering strengthening their own data protection laws. The region is also characterized by a push in a number of jurisdictions towards data localization requirements driven more by “cyber sovereignty,” national security considerations, and protectionist impulses than data protection considerations. Restrictions on the collection and free use of data may pose a challenge for IoT models, particularly if data is required to be kept onshore.

At the same time, it is clear that many Asian jurisdictions see IoT as a key driver for economic growth. A number of jurisdictions have “smart city” initiatives and interests in areas such as automotive telematics. Japan, South Korea, and China, in particular, have strong automotive sectors and are focused on maintaining technological leadership. Unmanned aerial vehicles (UAV) are also an area of focus, both in terms of the supply of vehicles and components and in terms of their deployment as part of these “smart” initiatives.

In this hoganlovells.com interview, Mark Parsons, a Hogan Lovells partner based in Hong Kong, summarizes the current status of IoT-related policies in the Asia-Pacific region and discusses changes anticipated in 2019.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

Hogan Lovells Publishes Demystifying the U.S. CLOUD Act

Hogan Lovells has published Demystifying the U.S. CLOUD Act, a detailed analysis of the impact of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) on non-U.S. businesses and individuals who use cloud storage solutions.

The report specifically focuses on language in the CLOUD Act that allows U.S. law enforcement agencies, under certain circumstances, to lawfully demand data stored in foreign countries from entities subject to U.S. jurisdiction. The report addresses concerns that this language in the CLOUD Act gives the U.S. government new powers to surveil and monitor the data of non-U.S. citizens or businesses using a cloud services provider with operations in the United States. The report concludes that such fears are overstated.

Posted in International/EU Privacy

Brazil Creates a Data Protection Authority

On 14 August 2018, Brazil approved its new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”), a comprehensive law that closely mirrors the European Union’s General Data Privacy Regulation (“GDPR”). Although the LGPD significantly expands Brazil’s data protection framework and places the country among the few jurisdictions to provide data privacy protections similar to those offered in the European Union, the new law did not create a data protection authority.
