Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: privacy

Posted in Consumer Privacy

Ill-Suited: Private Rights of Action and Privacy Claims

The U.S. Chamber of Commerce Institute for Legal Reform has published “Ill-Suited: Private Rights of Action and Privacy Claims,” a white paper authored by Hogan Lovells’ Mark W. Brennan, Alicia Paller, Adam Cooke, and Joseph Cavanaugh explaining why private litigation is a poor enforcement tool for privacy laws. As detailed in the paper, when it comes to privacy interests, “harms” are largely inchoate and intangible, and the wrongdoers are often unknown or unidentifiable. Even where class members may have suffered a concrete injury, the data indicates that they are unlikely to receive material compensatory or injunctive relief through private litigation. Meanwhile, plaintiffs’ counsel often walks away with millions of dollars, court dockets are unduly cluttered, and companies are forced to expend resources on baseless litigation.

Posted in News & Events

All-Day Workshop: Privacy and Cybersecurity KnowledgeShare

Join us on Thursday 19 September for the Hogan Lovells Privacy and Cybersecurity KnowledgeShare in London. We will share our latest thinking on the key privacy and cybersecurity issues faced by those with data protection responsibilities within organisations. Our all-day event will cover a lot of ground through incisive quick-fire presentations, Q&A panels and hands-on workshops.

Posted in International/EU Privacy

Dutch DPA: Banks May Not Use Payment Data for Marketing Purposes

In the wake of a recent announcement by a major Dutch bank that it would start providing its customers with personalized advertisements based on their spending patterns, the Dutch Data Protection Authority (DPA) has sent a letter to all Dutch banks urging them to thoroughly review their direct marketing practices. The DPA specifically asked any bank contemplating the use of transaction data for direct marketing to reconsider. In its analysis, the DPA may have introduced a very onerous obligation to re-collect personal data for every single use.

Posted in International/EU Privacy

The UK ICO’s Regulatory Sandbox Points to a Future of Pro-Active Engagement

As companies continue to grapple with interpreting how the GDPR’s principles apply to their own businesses, in particular contexts, there is a growing need for data protection regulators to provide clarity on the practical application of the regulation. In the UK, the Information Commissioner has recently taken steps to address these concerns through the announcement of a ‘Regulatory Sandbox’.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Time to Take Notice: ICO to Impose Record Fine for Data Security Breach

On 8 July 2019, the UK data protection authority issued a notice of its intention to fine British Airways GBP 183.39 million (approx. USD 229.46 million) for infringements of the General Data Protection Regulation. The proposed fine relates to a data breach in which personal data of approximately 500,000 customers were compromised.

Posted in International/EU Privacy

The French Data Protection Authority Gets Ahead of the Game With New Rules on Cookie Consent Before the ePrivacy Regulation Reaches its Final Draft

The French Data Protection Authority has made targeted online advertising a priority topic in its 2019-2020 agenda and has changed its position on cookie consent. Although the ePrivacy Regulation is still being debated by EU legislators and is far from being finalised, the CNIL has withdrawn its 2013 cookie recommendation and announced that it will publish new guidelines (announcements are available in English on the CNIL’s website here and here). These explicitly rule out the use of implied or “soft” consent to place cookies on users’ devices.

Posted in News & Events

Privacy and Cybersecurity July 2019 Events

Join us in July as we explore the meaning of privacy, what a federal privacy law in the U.S. might include, cyberthreats in the Internet of Things, medical device cybersecurity in Europe, and more. We hope you can join us.

Posted in News & Events

Amsterdam Seminar: Protect Your Data! (English)

On 2 July 2019, Hogan Lovells’ Amsterdam office will host the in-person seminar “Protect Your Data!” This English-language seminar follows a popular Dutch-language edition of the seminar. Joke Bodewits and Ruud van der Velden will discuss recent EU legislation, and focus on “lessons learned” for companies with respect to privacy, cybersecurity, and trade secrets. The in-person seminar is of interest to in-house counsel, in-house patent attorneys, privacy officers, CISO’s and IT managers.

Posted in International/EU Privacy

The Cathay Pacific Breach: Is Data Protection and Cyber Security Law in Hong Kong About to Receive an Upgrade?

On 6 June, 2019, the Privacy Commissioner for Personal Data issued an enforcement notice against Cathay Pacific Airways (and its affiliate Hong Kong Dragon Airlines) (together, “Cathay Pacific”) in respect of a data breach concerning unauthorized access to the personal data of some 9.4 million Cathay Pacific customers.

Posted in International/EU Privacy

China’s First Data Protection Measures Lifting Its Veils

On May 28, 2019, the Cyberspace Administration of China released the draft Measures on the Administration of Data Security for public consultation. This Data Security Measures will be a great leap forward in China’s current data protection landscape, which mainly consists of scattered provisions contained in various pieces of legislations and standards, such as the Cyber Security Law, the E-Commerce Law, the Consumer Rights Protection Law as well as the Personal Information Security Specification, the most comprehensive yet non-binding national standard with respect to data protection. The Data Security Measures, once officially promulgated, will be the first binding administrative regulation in China to specifically and systematically set out explicit protection for personal data and important data collected and processed through the use of cyber technologies, following the effectiveness of the Cyber Security Law in 2017.

Posted in News & Events

Privacy and Cybersecurity June 2019 Events

Join us in June as we discuss the GDPR as it relates to colleges and universities; the CCPA, cybersecurity and data breaches, and industry-specific issues; as well as cyberthreats to the Internet of Things.

Posted in News & Events

Amsterdam Seminar: Protect Your Data!

On 23 May 2019, Hogan Lovells’ Amsterdam office will host the in-person seminar “Bescherm je data!” (“Protect Your Data!”). Joke Bodewits and Ruud van der Velden will discuss recent EU legislation, and focus on “lessons learned” for companies with respect to privacy, cybersecurity, and trade secrets.

Posted in News & Events

Privacy and Cybersecurity May 2019 Events

Join us in May as we will be speaking at the 2019 Global IAPP Summit, discussing hacking, privacy and cybersecurity and the TCPA. We hope you can join us.

Posted in Health Privacy/HIPAA

HIPAA Penalty Caps to Be Reduced and Tied to Culpability Level

In a dramatic turn, the US Department of Health and Human Services (HHS) has announced that effective immediately, penalties for many HIPAA violations will be subject to substantially reduced limits. After a record year of collecting high-dollar settlements, the agency has pulled back and tied its own hands through a Notification of Enforcement Discretion that will likely result in lower penalties and settlement agreement amounts.

Posted in Consumer Privacy

CCPA Amendments Advance through California Assembly

A number of legislative proposals seeking to amend the California Consumer Privacy Act are moving forward following an April 23 hearing before the California Assembly’s Committee on Privacy and Consumer Protection in which the bills were approved. The bills will now advance to the Assembly’s Appropriations Committee before being voted on by the full Assembly and potentially advancing to the California Senate for consideration.

Posted in Consumer Privacy

Consumer Horizons 2019: Hogan Lovells’ Cross-Practice Publication Highlights Key Privacy and Data Protection Considerations in the Consumer Industry

The consumer industry is evolving at lightning speed, and the way consumer businesses operate is shifting. In this year’s edition of Consumer Horizons, the Hogan Lovells global Consumer team identifies trends that will impact food and beverages companies, fashion and luxury goods producers, retailers, consumer electronics manufacturers, and other consumer businesses throughout 2019. Members of Hogan Lovells’ Privacy and Cybersecurity team contributed to Consumer Horizons 2019 to highlight some key privacy and data protection issues that businesses in the consumer industry should take note of.

Posted in International/EU Privacy

The EDPB’s Narrow View of Contractual Necessity

The European Data Protection Board has adopted the narrowest possible interpretation of ‘contractual necessity’ as a ground for processing of personal data. The Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (adopted on April 9, 2019 and open for consultation until May 24, 2019) provide a detailed assessment of the regulator’s interpretation of the law.

Posted in Consumer Privacy

Efforts to Expand CCPA’s Private Right of Action Remain in Question

The California legislature is considering significant amendments to the California Consumer Privacy Act ahead of the law’s January 1, 2020 implementation date. Of particular note has been the potential for CCPA amendments to expand the private right of action beyond violations of businesses’ duty to implement and maintain reasonable security procedures to instead cover violations of any CCPA rights.

Posted in Consumer Privacy

Beyond FERPA: The California Consumer Privacy Act’s New Rules for Privacy in the Education Sector

In June of 2018, California passed the California Consumer Privacy Act, which seeks to give consumers additional safeguards regarding their personal information. The CCPA will become effective January of 2020 and may impact companies in the education sector, including the larger education technology companies. While the CCPA does not apply to nonprofit educational institutions, it may apply to certain for-profit educational institutions, third-party service providers, and others in the education space. If an educational entity meets the threshold requirements below or it processes information on behalf of such an entity, it should prepare for CCPA implementation by January 2020.

Posted in International/EU Privacy

Asia Pacific Data Protection and Cybersecurity Regulation: 2018 in Review and Looking Ahead to 2019

2018 was a momentous year for data protection and cyber security regulation globally – the implementation of the European Union’s General Data Protection Regulation (GDPR) was, of course, the main event.  The shockwaves of GDPR hit APAC with full force, coupled with the promulgation of an important GDPR-inspired national standard in China and the tabling of a draft data protection law in India that shares the same lineage.  Rising public awareness of data protection concerns, due to the ever increasing volume and scale of cyber incidents in APAC, means that these issues are front and centre for organizations in terms of brand values, effective risk management and stewardship of increasingly valuable data assets. Our Guide provides a practical toolkit for organizations seeking to create an effective data protection and cyber security compliance program.

Posted in News & Events

Privacy and Cybersecurity April 2019 Events

Join us this month as we address questions about the groundbreaking California Consumer Protection Act, consumer trust issues, TCPA, trends in global privacy enforcement, navigating ePrivacy requirements, and the GDPR as Brexit nears.

Posted in Financial Privacy

FTC Seeks Comment on Proposed Changes to GLBA Implementing Rules

The Federal Trade Commission issued notices on March 5 seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act, commonly known as the Safeguards Rule and Privacy Rule. Once the notices are published in the Federal Register comments must be received within 60 days. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule are more focused on technical changes to align the Rule with changes in law over the past decade.

Posted in International/EU Privacy

Dutch Data Protection Authority States Cookie Walls Violate GDPR

On 7 March 2019 the Dutch Data Protection Authority published guidance that it considers “cookie walls” to violate the GDPR. A cookie wall is a pop-up on a website that blocks a user from access to the website until he or she consents to the placing of tracking cookies or similar technologies. Under current Dutch cookie law, functional and analytical cookies can be used without consent. Tracking cookies like those used for advertising may only be used if a visitor has given consent. According to the Dutch DPA, the use of a cookie wall results in a “take it or leave it” approach. The Dutch DPA explains that this practice is not compliant with the GDPR as consent resulting from a cookie wall is not freely given, because withholding consent has negative consequences for the user as the user is not allowed access to the website.