The California Consumer Privacy Act of 2018 (“CCPA”) provides a series of new compliance obligations and operational challenges for companies doing business in California. A vital first step for any company subject to the CCPA and looking to forge a practical path forward is to inventory the personal information (“PI”) that the company collects, stores, and shares with others. As part of our ongoing series on the CCPA and its implications, this post sets out key issues and questions to consider when contemplating a data mapping exercise.
Words matter. Nowhere is this truer than in legislation, where word choices—often the product of long debate and imperfect compromise—determine the scope and impact of a law. Legislative history can speak volumes about those word choices, and the unique legislative history of the California Consumer Privacy Act of 2018 (CCPA) only highlights the importance of understanding the terms used in the act. We thus focus here on discussing some of the CCPA’s key definitional terms.
On September 4, the Legislative Decree no. 101 of August 10, 2018 for the national implementation of General Data Protection Regulation (EU) 2016/679 was published in the Official Journal. The Decree integrates the provisions of the GDPR, that were previously left to the autonomy of the Member States and will enter into force on September 19, 2018.
The Department for Digital, Culture, Media and Sport (‘DDCMS’) has today released guidance on “Data protection if there’s no Brexit deal”, which is part of its preparations for if there is a “no deal” scenario when the Article 50 negotiating period comes to an end on 29 March 2019. The UK will become a “third country” on its exit from the European Union, which means that unhindered cross-border transfers of data will no longer automatically be able to take place between the UK and the EU. The guidance confirms that, given the “unprecedented alignment” between the UK and EU data protection regimes, the UK would continue to allow transfers of data from the UK to the EU at the point of exit. However, the Commission has made it clear that they would not make a decision on adequacy until the UK is a third country (that is, after 29 March 2018), and its procedure for reaching a decision typically lasts several months.
We have heard the California Consumer Privacy Act of 2018 (CCPA) called many things since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy. We will explore the ramifications for businesses of this seminal legislation in this multi-part series, “The Challenge Ahead” authored by members of Hogan Lovells’ CCPA team. In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
Join us in September as we contribute key events that explore the future of privacy, text messaging privacy, and what you need to know about the One Stop Shop under the GDPR.
At the Privacy Laws and Business’ International Conference, Eduardo Ustaran evaluated the sorts of activities likely to prompt regulators into exercising their increased fining powers under the GDPR. In this post, we provide links to both a video of his presentation at the conference as well as a detailed report about his presentation.
Don’t miss out on key events from our Privacy and Cybersecurity team in March 2018. This month, our team will be discussing a variety of privacy and cybersecurity issues ranging from autonomous vehicle privacy to GDPR compliance. We hope you can join us!
Aetna will pay almost $17.2 million to settle a federal class action lawsuit stemming from a 2017 mailing that disclosed the HIV status of health plan members. Aetna also agreed last week to pay a $1.15 million fine to the state of New York after the Attorney General Eric Schneiderman’s investigation into Aetna’s alleged violations of federal and state privacy laws. Both settlements require compliance monitoring and record keeping obligations.
Hogan Lovells announced today that Edith Ramirez, the former Chairwoman of the US Federal Trade Commission, has joined the firm as a partner and will play an active role in Hogan Lovells’ Privacy and Cybersecurity practice. She will also co-head the firm’s Antitrust, Competition and Economic Regulation practice.
“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”. This is today’s strong statement by Her Majesty The Queen reflecting the level of priority given by the UK government to privacy and data protection. Aside from the political controversies surrounding the recent general Election and the prospect of Brexit, the Queen has confirmed that during this Parliament the government intends to pass a new Data Protection Act replacing the existing one.
As previously reported, on Thursday, March 9th, the Federal Trade Commission (FTC) hosted a forum on the consumer implications of recent developments in artificial intelligence (AI) and blockchain technologies. This is the second of two entries on the March 9th FinTech Forum and focuses on the discussions surrounding blockchain technologies, in which panelists reflected on the nascent stage of the technology, industry representatives expressed confusion over the applicability of current regulation, and regulators expressed a lack of clarity over jurisdictional questions.
On Thursday, March 9th, the Federal Trade Commission (FTC) hosted a forum on the consumer implications of recent developments in artificial intelligence (AI) and blockchain technologies. The FTC acknowledged the benefits of technological developments in AI and blockchain technologies, but stressed that advancements in these technologies must be coupled with an awareness of and active engagement in identifying and minimizing associated risks. This blog post focuses on the AI discussion, which addressed how the values of privacy, autonomy, and fairness are affected by the advent of AI systems as well as how to ensure safety and security in the development and deployment of individual and connected AI systems.
500 German companies will be asked in the coming weeks by 10 German data protection authorities to complete an extensive and detailed questionnaire about their transfers of personal data to third countries. Companies must indicate how they ensure an adequate level of data protection for such data transfers. The questionnaire also covers the use of cloud services provided by U.S. entities. The enquiry and the questionnaire (but not the list of targeted companies) were published by the German DPAs on 3 November 2016.
Please join us for our November 2016 Privacy and Cybersecurity Events.
We are proud to announce that the Hogan Lovells Chronicle of Data Protection blog has been nominated in The Expert Institute’s 2016 Best Legal Blog Contest for the award of Best AmLaw Blog of 2016. Our editors at The Chronicle strive to provide you with the most relevant and timely legal news, practical legal analysis, and business insights relating to privacy and cybersecurity. We appreciate the recognition for this work and your continued readership.
On August 29, 2016, the Federal Aviation Administration’s long-awaited small unmanned aircraft systems rule went into effect, for the first time broadly authorizing commercial drone operations. This is a positive step, as drones have great safety and efficiency benefits for the public. Nevertheless, the American public remains concerned about drone privacy issues.
The Department of Health and Human Services Office for Civil Rights is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
The Department of Health and Human Services released guidance on July 11, 2016, intended to help the healthcare industry prepare for and respond to ransomware attacks. Specifically, this guidance clarifies: (1) that a ransomware attack is considered a “security incident” under HIPAA, and (2) that a ransomware attack will typically be considered a “breach” by HHS unless entities are able to demonstrate that there is a “low probability of compromise.” The guidance also clarifies that covered entities must implement the same risk assessment processes as they would with other types of cyber threats, including malware. At a time when ransomware attacks are on the rise, this guidance heightens the potential regulatory enforcement consequences of these events.
The U.S. Department of Education and Department of Justice recently weighed in on the obligations of school districts, colleges, and universities to provide civil rights protections for transgender students. On May 13, 2016, the Departments issued a Dear Colleague Letter that summarizes the responsibilities of school districts, colleges, and universities that receive federal financial assistance under the Departments’ interpretation of federal law, including Title IX of the Education Amendments of 1972 and the Family Education Rights and Privacy Act. Here, we focus on the DCL’s guidance pertinent to compliance with FERPA.
The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply.
As reported in The New York Times, Hogan Lovells represented a diverse group of 15 major technology companies, such as Google, Facebook, Microsoft, Snapchat, and Cisco in filing last week an amicus brief in In re Search of an Apple iPhone.
To what extent are the personal communications sent by an employee from their employer’s computer private? In Europe it has been accepted for some years that employees do not lose their right to privacy in the workplace. However a recent decision from the European Court of Human Rights confirms the rights of the employer to restrict employees from any personal use of the employer’s computer equipment and, consequently, rely on a contravention of the restriction (which is revealed through monitoring) as grounds for dismissal.
One of the most common devices in the emerging Internet of Things (IoT) was reportedly discovered to have a bug. According to the research firm Fortinet, a popular fitness tracker was vulnerable to wireless attacks through its unsecured Bluetooth port. A savvy attacker could install malware wirelessly within ten seconds—simply by coming within a few feet of the tracker. When the device’s owner returned home to sync daily activity with a computer, the malware could, in principle, infect the computer as well.