Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: enforcement

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – The CCPA’s Anti-Discrimination Clause

One of the most controversial elements of the California Consumer Privacy Act (“CCPA”) is the establishment of an “anti-discrimination” right – businesses may not “discriminate” against consumers for exercising certain rights under the CCPA, and they will need to assess whether and how they can require consumers to accept certain data practices as a condition of service.  Compliance would be challenging even if the provision were articulated clearly, but as we have discussed in this blog series, the accelerated drafting process and passage of the CCPA earlier this year left little time for public comment and responsive amendments.  As a result, the law includes a series of ambiguities that complicate compliance, and nowhere is that more apparent than in the anti-discrimination provision.

This entry in Hogan Lovells’ ongoing series on the CCPA focuses on the law’s anti-discrimination clause, its ambiguities and potentially contradictory provisions, and impact on businesses.

Posted in International/EU Privacy

DP Impact Assessments: EDPB Differs Slightly from ICO Position

The European Data Protection Board (EDPB) has recently published its Opinion on the (United Kingdom) Information Commissioner’s list of processing activities which would require a Data Protection Impact Assessment under the GDPR. In its Opinion, the EDPB appears to be moving away from the idea that processing of genetic or location data, on its own, might be enough to trigger the mandatory DPIA requirements of the GDPR. This news will perhaps come as a relief to organi­sations currently struggling to come to grips with the “new” DPIA process and the resources and time that it demands. But, should we be surprised by the EDPB’s Opinion and will it have a significant impact in practice on the way organisations consider and conduct DPIAs?

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Data Protection Authority of Baden-Württemberg Issues First German Fine Under the GDPR

In the first fine issued by a German data protection authority under the GDPR, on 21 November 2018 the authority of the German state of Baden-Württemberg (“LfDI”) imposed a fine of Euro 20,000 on a social media provider for a violation of its data security obligations under Art. 32 of the GDPR. The company’s very good cooperation with the LfDI was key to avoiding a higher level of fines.

Posted in Health Privacy/HIPAA

Recap of the OCR/NIST Conference on Safeguarding Health Information

Regulators provided key insights into enforcement trends and potential changes to HIPAA regulations at the 11th Annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference in October co-hosted by the National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR).

Posted in International/EU Privacy

Busting the Myth: Compliance with the ‘Gold Standard’ of the GDPR Does Not Buy You a ‘Free Pass’ Under China’s New Personal Information Guidelines

On December 29, 2017, the Standardization Administration of China, jointly with the PRC General Administration of Quality Supervision, Inspection and Quarantine, issued the Information Security Technology – Personal Information Security Specification, which officially came into effect on May 1, 2018. The Specification has, in very practical terms, become an important point of reference in evaluating the complex overlay of data protection compliance requirements found in the Cyber Security Law, the Law on the Protection of Consumer Rights and Interests, the e-Commerce Law and other enactments and measures.

Posted in Employment Privacy

California Consumer Privacy Act: The Challenge Ahead – CCPA and Employee Data

The application of the California Consumer Protection Act of 2018 (“CCPA”) to employee data has been the subject of much debate since the first version of the bill was introduced on June 21, 2018 (just days prior to its enactment on June 28). Under a plain language reading of the CCPA, the law likely applies to employee data. However, it is unclear whether the California legislature intended that result. There is no clarity to be found in the general statutory structure, the legislative history, legislative responses to advocate letters, or the technical amendments signed into law on September 23. As part of our ongoing series on the CCPA, this post lays out why the issue of CCPA applicability to employees is controversial and nevertheless offers potential strategies to address CCPA compliance requirements as they may relate to personnel records.

Posted in Consumer Privacy

FTC’s Privacy Shield Enforcement Actions Show Broader Enforcement Lens

On September 27, the Federal Trade Commission (FTC) announced proposed settlement agreements with four companies it alleges violated Section 5 of the FTC Act by misrepresenting their certification status and compliance with the EU-U.S. Privacy Shield. This latest set of enforcement actions brings the FTC’s Privacy Shield related enforcement to settlements with eight defendants since the framework was adopted in July 2016 and it also introduced a couple of new FTC models of Privacy Shield enforcement.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead – A Comparison of 10 Key Aspects of The GDPR and The CCPA

As the most comprehensive privacy law to be enacted in the United States thus far, the California Consumer Privacy Act (CCPA) has inevitably invited comparisons to the European Union’s General Data Protection Regulation (GDPR). At first glance, it is clear that the drafters of the CCPA (and the ballot measure that spurred its passage) drew inspiration from the GDPR. However, the CCPA is not a carbon copy of the GDPR, and a GDPR compliance program will not automatically meet the requirements of the CCPA. As businesses begin their CCPA compliance efforts, awareness of these laws’ similarities and differences will be key to creating efficient and effective compliance programs that capitalize on prior GDPR compliance work but also address the unique nuances of the CCPA.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead — Data Mapping and the CCPA

The California Consumer Privacy Act of 2018 (“CCPA”) provides a series of new compliance obligations and operational challenges for companies doing business in California. A vital first step for any company subject to the CCPA and looking to forge a practical path forward is to inventory the personal information (“PI”) that the company collects, stores, and shares with others. As part of our ongoing series on the CCPA and its implications, this post sets out key issues and questions to consider when contemplating a data mapping exercise.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead — Key Terms in the CCPA

Words matter. Nowhere is this truer than in legislation, where word choices—often the product of long debate and imperfect compromise—determine the scope and impact of a law. Legislative history can speak volumes about those word choices, and the unique legislative history of the California Consumer Privacy Act of 2018 (CCPA) only highlights the importance of understanding the terms used in the act. We thus focus here on discussing some of the CCPA’s key definitional terms.

Posted in Consumer Privacy

California Consumer Privacy Act: The Challenge Ahead — Introduction to Hogan Lovells’ Blog Series

We have heard the California Consumer Privacy Act of 2018 (CCPA) called many things since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, “The Challenge Ahead” authored by members of Hogan Lovells’ CCPA team. In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.

Posted in Consumer Privacy

Now Available: California Consumer Privacy Act: What you need to know now webinar recording and slides

On July 24, members of the Hogan Lovells global privacy team presented a webinar on the new California Consumer Privacy Act, a ground-breaking new data privacy law that some are calling the United States’ answer to the European Union’s General Data Protection Regulation. In this post, we provide links to the recorded webinar and slide deck.

Posted in News & Events

Webinar Invitation — California Consumer Privacy Act: What You Need to Know Now

On June 28, 2018, California’s governor signed Assembly Bill 375, a ground-breaking new data privacy law that some are calling the United States’ answer to the European Union’s General Data Protection Regulation. Particularly in light of California’s status as the world’s 5th largest economy, many are wondering how the new California Consumer Privacy Act will affect them. Please join members of the Hogan Lovells global privacy team for a live webinar on July 24 to learn what you should be focusing on now.

Posted in News & Events

Upcoming Webinar: Worried about the GDPR? Don’t Panic!

With the GDPR about to come into effect, join our experts for a live webinar on May 23 to learn what you should be focusing on now. The GDPR becomes applicable on 25 May and will affect organisations worldwide. It is a complex and strict law with dozens of obligations which will be fiercely enforced. Getting it right will be essential for business success in the digital economy.

Posted in International/EU Privacy

Russia: Main Takeaways from Roskomnadzor’s Open Doors Day

Recently, the Russian Data Privacy Authority, Roskomnadzor, organized an Open Doors Day in honor of the International Data Privacy Day. During the occasion, Roskomnadzor officers presented on the authority’s 2017 enforcement activities. They followed this presentation with an open question and answer period, during which they responded to numerous questions raised by attendees. This post summarizes the key takeaways.

Posted in International/EU Privacy

UK’s Draft GDPR Implementation Law: The Starting Point

On September 13, the U.K. government introduced in Parliament the Data Protection Bill. The main aim of the bill is to implement the General Data Protection Regulation (EU) 2016/679 into U.K. domestic law. However, as perhaps reflected in the length and complexity of the bill, it is also intended to do several other things. This post outlines key observations on the structure and content of the bill.

Posted in Consumer Privacy, News & Events

Upcoming DC Program Explores Where We Are Headed with Section 5 of the FTC Act

Data privacy and security regulators don’t always agree. Take a look at the Federal Trade Commission for example. In recent years, FTC commissioners have disagreed about the role that cost-benefit analyses should play and the types of consumer harms that should be considered in the FTC’s data privacy and security enforcement actions. For organizations that rely on the collection and use of consumer information, understanding the different viewpoints at the FTC and how those viewpoints may influence future enforcement is vital to evaluating risk. On Thursday, November 5, 2015, the Future of Privacy Forum will look at those issues as it celebrates its new home and its new partnership with Washington & Lee University School Law by hosting a panel discussion addressing the Future of Section 5 of the FTC Act. Panelists David Vladeck (former FTC Consumer Bureau Director David Vladeck) and James Cooper (former Acting Director of the Office of Policy Planning) will look at key Section 5 issues.

Posted in International/EU Privacy

Recap on the ICO Stance on Data Security

The UK’s Information Commissioner’s Office is known to prefer an “engaging” rather than an enforcement approach with organisations. However, when looking at the “action we’ve taken” page on the ICO website the ICO’s enforcement activity seems to be increasing by the day. While the ICO has stated that it wants to focus its enforcement efforts going forward on unsolicited marketing, such as nuisance messages and calls, breaches of security requirements have to date attracted the majority of the ICO’s enforcement attention. Therefore, organisations operating in the UK would be well-served to focus on understanding and adhering to the ICO’s expectations for data security compliance.

Posted in Consumer Privacy

FTC Continues to Enforce Security Statements

The Federal Trade Commission (“FTC”) has settled with two mobile application developers, Fandango and Credit Karma, over charges that they misrepresented the security of their mobile applications. According to the FTC, the developers failed to provide reasonable and appropriate security when their mobile applications transmitted consumers’ sensitive information. The particular issues noted by the FTC in its complaints against the developers differ to some degree, but the complaints share a common thread: the developers disabled the Secure Sockets Layer (SSL) protocol, which authenticates and encrypts communications across networks. In our post, we provide a high-level description of how SSL works, summarize the FTC’s complaints against Fandango and Credit Karma, and identify some important takeaways from these settlements.

Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

Settlement for Failure to Scrub Data from Photocopier: A $1.2 Million Lesson Learned

In a recently-announced settlement between the Department of Health and Human Services Office for Civil Rights and a New York health plan, the health plan agreed to pay $1.2 million for the breach of electronic patient records stored in the internal memory of digital photocopiers leased and improperly disposed by the plan.

Posted in Consumer Privacy

California AG Sends Enforcement Letter to Developers of Popular Mobile Apps

On Tuesday, October 30, the California Attorney General Kamala Harris announced that her office has begun “formally notifying” mobile device application (“app”) operators that they are out of compliance with the notice provisions of the California Online Privacy Protection Act of 2003 (“CalOPPA”). The letters are a reminder that app developers and their partners should review their app data privacy and security practices and ensure that any apps collecting PII comply with the CalOPPA requirements, as well as other applicable Federal and state laws.

Posted in Health Privacy/HIPAA

Alaska Medicaid Settles HIPAA Security Rule Violations for $1.7 Million

Following an extensive investigation by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR), the Alaska Department of Health and Social Services (DHSS), Alaska’s state Medicaid agency, agreed to pay $1.7 million in fines and to comply with a corrective action plan (CAP) to address gaps in its compliance with the HIPAA Privacy and Security Rules.

Posted in International/EU Privacy

Google’s Peter Fleischer: “A lot more privacy enforcement actions in 2012. And the sanctions are going to go through the roof.”

Today’s Guest Blog is from Peter Fleischer, who writes: “Since 2012 has now begun, here’s a prediction about the future: there’s going to be a lot more privacy enforcement actions. By a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it’s not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them.” Read more in this entry.