On July 25, New York Governor Andrew Cuomo signed into law a pair of bills establishing new requirements for businesses that process certain personal information related to New York residents. The changes include expanding the scope of information covered by New York’s data breach notification law; defining breaches to include incidents involving unauthorized access to covered information, even where the information is not acquired; and requiring consumer reporting agencies who suffer breaches of social security numbers to offer up to 5 years of identity theft services. Businesses maintaining the private information of New York residents also will now be required to proactively develop “reasonable safeguards” within their organization as part of a new “reasonable security requirement.” Continue Reading
On 9 July 2019 the UK data protection authority (ICO) updated its Data Sharing Code of Practice (first published in 2011) (Code). On the same day, the ICO also announced its intention to fine Marriott International just over £99m for infringements of the General Data Protection Regulation (GDPR), highlighting the importance of due diligence in the context of data sharing.
The Code, made under section 121 of the UK’s Data Protection Act (DPA), is publicly available for consultation until 9 September 2019. Once finalised, the Code will become a statutory code of practice under the DPA. Non-compliance with the code will likely be considered non-compliance with data protection laws. Continue Reading
Please join us for our August events.
On July 16, 2019, Nathan Salminen, Allison Holt, and Paul Otto from the Hogan Lovells Privacy and Cybersecurity and Litigation teams presented a webinar, “Cyberthreats in the Internet of Things” where they explored some techniques that can be used to exploit potential vulnerabilities in connected devices and how those types of events impact organizations from a regulatory and litigation perspective. Continue Reading
On 19 July the French Data Protection Authority (the “CNIL”) published new guidelines on cookies and trackers. These replace the existing Recommendation No. 2013-378 of 5 December 2013, are intended to be in line with relevant GDPR provisions and have been produced in anticipation of the future ePrivacy Regulation. The guidelines will be supplemented, at a later stage, with sectoral recommendations setting out practical methods for obtaining consent. These sectoral recommendations will be included in a final version of the guidelines on cookies and trackers open for public consultation, which will then be subject to final adoption by the CNIL (expected early 2020). Continue Reading
The U.S. Chamber of Commerce Institute for Legal Reform has published “Ill-Suited: Private Rights of Action and Privacy Claims,” a white paper authored by Hogan Lovells’ Mark W. Brennan, Alicia Paller, Melissa Bianchi, Adam Cooke, and Joseph Cavanaugh explaining why private litigation is a poor enforcement tool for privacy laws. As detailed in the paper, when it comes to privacy interests, “harms” are largely inchoate and intangible, and the wrongdoers are often unknown or unidentifiable. Even where class members may have suffered a concrete injury, the data indicates that they are unlikely to receive material compensatory or injunctive relief through private litigation. Meanwhile, plaintiffs’ counsel often walks away with millions of dollars, court dockets are unduly cluttered, and companies are forced to expend resources on baseless litigation. Continue Reading
Join us on Thursday 19 September for the Hogan Lovells Privacy and Cybersecurity KnowledgeShare in London.
We will share our latest thinking on the key privacy and cybersecurity issues faced by those with data protection responsibilities within organisations. Our all-day event will cover a lot of ground through incisive quick-fire presentations, Q&A panels and hands-on workshops. Continue Reading
Hogan Lovells announced today that Peter Marta, the former global head of Cybersecurity and Global Security and Investigations Legal for JPMorgan Chase and Co., has joined our Privacy and Cybersecurity practice as a partner. He will be based in our firm’s New York office.
Pete is an established leader in the banking and financial services sectors. At JPMorgan Chase, he advised across the organization, from security operations center initiatives to boardroom level issues. He started his legal career as a corporate lawyer at another large international firm. And prior to joining JPMorgan Chase in 2013, Pete was a member of the U.S. intelligence community. Continue Reading
In the wake of a recent announcement by a major Dutch bank that it would start providing its customers with personalized advertisements based on their spending patterns, the Dutch Data Protection Authority (DPA) has sent a letter to all Dutch banks urging them to thoroughly review their direct marketing practices. The DPA specifically asked any bank contemplating the use of transaction data for direct marketing to reconsider. In its analysis, the DPA may have introduced a very onerous obligation to re-collect personal data for every single use. Continue Reading
As companies continue to grapple with interpreting how the GDPR’s principles apply to their own businesses, in particular contexts, there is a growing need for data protection regulators to provide clarity on the practical application of the regulation.
In the UK, the Information Commissioner has recently taken steps to address these concerns through the announcement of a ‘Regulatory Sandbox’. Sandboxes offer a formal structure for constructive engagement between a regulator and the parties being regulated; allowing for collaboration and the exchange of ideas. Continue Reading