
HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in News & Events

Privacy and Cybersecurity November 2019 Events

Please join us for our November 2019 events.

November 5
Your Body as Data
Mark Brennan will speak on the panel, “Your Body as Data: Facial Recognition, Biometrics, and the Future of Privacy,” at the Columbus School of Law at The Catholic University of America.
Location: Washington, D.C.

November 5
2019 Data Protection Leadership Forum
Eduardo Ustaran will speak during the session, “International Issues,” and will participate in a Q&A Session at the 2019 Data Protection Leadership Forum hosted by Arthur Cox.
Location: Dublin

Posted in Consumer Privacy

IAB Soliciting Comments on Draft Compliance Framework for Programmatic Advertising under the CCPA

On October 22, the Interactive Advertising Bureau (IAB), a media and marketing industry trade group, released for public comment the California Consumer Privacy Act Compliance Framework for Publishers and Technology Companies (Framework) and accompanying technical specifications to implement the Framework. The draft Framework is designed to help Framework participants (including publishers and intermediaries) comply with the California Consumer Privacy Act (CCPA) by: (1) establishing a digital signal that Framework participants can use to communicate consumer requests to opt out of “sales” of personal information associated with digital advertising; and (2) supporting that signal with a standard contract designed to create Service Provider relationships between publishers and advertising companies after a consumer registers an opt-out. The IAB is requesting comments, which can be sent to privacy@iab.com, by November 5, 2019.

Posted in International/EU Privacy

EU-U.S. Privacy Shield Passes Its Third Annual Review

Following the joint press statement from Commissioner Věra Jourová and Secretary of Commerce Wilbur Ross of 13 September, on 23 October 2019 the European Commission published its report on the third annual review of the functioning of the EU-U.S. Privacy Shield. In a nutshell, the report of the third review found that the U.S. continues to provide an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the U.S.

Background

On 12 July 2016, the European Commission issued its adequacy decision concerning the Privacy Shield framework for the transfer of personal data from the EU to the U.S. The Privacy Shield formally entered into operation on 1 August 2016 and, to date, more than 5,000 companies have been certified and are committed to complying with the data protection requirements. This covers most U.S. for-profit businesses, but excludes a number of banks, financial services companies, telecoms, and other businesses that are not subject to the jurisdiction of the Federal Trade Commission or Department of Transportation.

Posted in Health Privacy/HIPAA

OCR Provides Insight into Enforcement Priorities and Breach Trends

Regulators, industry experts, and researchers provided insight into health privacy and security enforcement trends, emerging threats, and new tools at a recent conference focused on the Health Insurance Portability and Accountability Act (HIPAA) regulatory framework. Moving into 2020, organizations with health data should be aware of:

  • Shifting OCR enforcement priorities;
  • Regulators’ continued attention to key HIPAA compliance activities;
  • The changing threat landscape for health data; and
  • New guidance and frameworks for health data not regulated by HIPAA.


Posted in Health Privacy/HIPAA, International/EU Privacy

Medical Research Council Advises on How to Anonymise Information for Research Purposes

Anonymisation has always been (and still is) a real challenge for those carrying out clinical research. To shed some light on this matter, the Medical Research Council (MRC) – which is part of UK Research and Innovation – has recently published guidance on Identifiability, anonymisation and pseudonymisation (the guidance). Although the guidance itself states that it has been developed with the participation of the Information Commissioner’s Office (ICO), it is not ICO-approved and so institutes and organisations should be cautious when relying on the criteria set out in the guidance.

Posted in News & Events

Webinar Invitation – CCPA Draft Regulations: What You Need to Know

Tim Tobin

Melissa Bianchi

Mark Brennan

Bret Cohen

Scott Loughlin

Please join Hogan Lovells on October 17 for a discussion of the much-anticipated proposed California Consumer Privacy Act (CCPA) regulations released recently by the California Attorney General.

While the proposed regulations may change, including based on public input, they provide valuable signals of how the California Attorney General may ultimately approach a wide array of CCPA requirements.

Posted in Consumer Privacy

California AG Releases Proposed CCPA Regulations

On October 10, California Attorney General Xavier Becerra (CA AG) released proposed regulations to implement certain provisions of the California Consumer Privacy Act (CCPA). The CA AG also released a Notice of Proposed Rulemaking and Initial Statement of Reasons that provide drafting insights and outline considerations that likely will continue to guide the rulemaking process. The CA AG is accepting written comments from the public until 5:00pm (PST) on December 6, 2019.

The proposed regulations would create many new requirements. They provide clarifications to businesses and consumers in five key CCPA areas as summarized below:

Posted in Cybersecurity & Data Breaches

“Cyber Hunt” Legislation Passes U.S. Senate: Any Implications for Business?

In a legislative environment charitably described as challenging, the fact that the Senate recently passed cybersecurity legislation by unanimous consent is noteworthy and highlights the bipartisan nature of this issue. The DHS Cyber Hunt and Incident Response Act (H.R. 1158) responds to the recent spate of ransomware attacks against government agencies and private sector organizations¹. It would require the Department of Homeland Security (DHS) to form “cyber hunt” and incident response teams that could be called upon to assist federal, state, and local entities to respond to a ransomware or other type of cybersecurity incident or to identify vulnerabilities in their systems that may increase the likelihood and success of a future attack. While continued government attention to the availability of cybersecurity capabilities should be welcomed by the private sector, the extent to which businesses will directly benefit from this legislation is unclear given its focus.


Posted in International/EU Privacy

CJEU: Consent on the Internet Means ‘Opt-In’

On 1 October 2019, the Court of Justice of the European Union (CJEU) handed down a crucial decision impacting the way that consent is obtained on the internet. The judgment relates to Case C-673/17 (Planet49 – a previous post outlining the background can be found here).

In the Planet49 case, the German Federal Court referred a number of questions to the CJEU regarding the validity of consent to cookies placed by a website operating an online lottery. The questions before the CJEU amounted to the following:

1.  Does a pre-checked box allow for valid consent to be obtained for the placement of cookies?

2.  Does it matter whether information stored or accessed using cookies constitutes personal data?

3.  Must users be provided with information concerning the duration of operation of the cookies and whether third parties are given access to them?

Despite the apparent simplicity of the questions, the CJEU’s decision needed to take into account the interaction of various pieces of legislation. The requirement for consent before cookies are placed originates from Directive 2002/58 (ePrivacy Directive), but the requirements for valid consent are now found in the General Data Protection Regulation 2016/679 (GDPR). To complicate matters, the facts and the initial hearing in this case occurred before the GDPR came into effect, when Directive 95/46 (Data Protection Directive) was the applicable law, so the considerations given by the CJEU to the concept of consent were primarily based on the provisions of the Data Protection Directive. However, somewhat surprisingly, the CJEU’s conclusion on what amounts to valid consent under the Data Protection Directive essentially matches the GDPR definition of consent.

Posted in News & Events

Privacy and Cybersecurity October 2019 Events

Please join us for our October Events.

October 15
Privacy + Security Forum
Bret Cohen is a speaker on the panel “The Notice Trap: When and How to ‘Inform,’ Provide ‘Explicit Notice,’ and ‘Disclose’ Under the CCPA” at the Privacy + Security Academy’s Privacy + Security Forum.
Location: Washington, D.C.

October 15
Privacy + Security Forum
Pete Marta is a speaker on the panel, “Best Practices for Preparing a Ransomware-Related Cyber Incident Response Plan,” at the Privacy + Security Academy’s Privacy + Security Forum.
Location: Washington, D.C.

October 15
Privacy + Security Forum
Tim Tobin is a speaker on the panel, “A Path to Anonymization: Through the Telecom and Health Lenses” at the Privacy + Security Academy’s Privacy + Security Forum.
Location: Washington, D.C.