Category

Data Privacy & Security


Late last year the UK Information Commissioner’s Office issued its first formal monetary penalty notice under the GDPR. The ICO fined Doorstep Dispensaree £275,000 for, among other things, failing to keep sensitive data securely and providing an inadequate privacy notice to data subjects. This fine was based on a number of fundamental breaches by Doorstep Dispensaree: for example, most of its internal policies had not been updated since before the entry into force of the…

The European Commission’s New Deal for Consumers will apply to traders that target consumers in the EU from 28 May 2022. Organisations impacted by the New Deal have two years to get into shape – which is advisable, because the New Deal empowers regulators across the EU to impose GDPR-style fines for breaches of consumer legislation. Like the GDPR before it, the changes will affect most functions within businesses affected by the New Deal. Organisations…

The UK Government Department for Digital, Culture, Media & Sport (DCMS) has announced plans to introduce a new law aimed at ensuring that internet-connected products are secure by design, and protecting users from the threat of cyber-attacks. The proposed new law, announced by DCMS on 27 January 2020, will require that: all consumer internet-connected devices have unique passwords that are not resettable to any universal factory setting; manufacturers of consumer internet-connected devices provide a public point…

Multinational organizations subject to privacy laws, such as the EU General Data Protection Regulation, are sometimes also subject to seemingly conflicting trade law. One area of US trade law requires that before exporting certain products or technologies, companies screen against US sanctions lists to prevent the goods from being available to states or individuals deemed bad actors. The lists often contain sensitive information, including personal data relating to suspected or confirmed criminal liability.

In the United States, a significant legislative trend is on the horizon for insurers in 2020: a new breed of state privacy and cybersecurity laws. In the absence of federal intervention, a growing number of state legislatures are enacting laws and regulations modeling California’s Consumer Privacy Act for all businesses, and, in parallel, prescribing privacy and cybersecurity requirements directed at insurers. To help insurers stay ahead of the curve, we summarize below several cybersecurity measures…

Following our previous analysis of the consequences of the opinion of the advocate general Hendrik Saugmandsgaard Øe (a.g.) in the Schrems II case, from the data exporter perspective (available here), we now focus on the implications of the same with respect to the position of the data importer. Indeed, in the following paragraphs, we will turn our attention to the content of the Controller to Processor Standard Contractual Clauses (SCC) and, in particular, to some…

On February 7, 2020, the California Attorney General released its revised draft implementing regulations for the California Consumer Privacy Act. The revised regulations are not yet final. The California AG will accept written comments regarding the updated regulations until 5:00 pm (PST) on Tuesday, February 25, 2020. The following is a high-level overview of the key new requirements under the updated regulations that are important for businesses to consider in connection with their CCPA compliance…

In this blog post we further analyse the impacts of the opinion of the advocate general Hendrik Saugmandsgaard Øe (a.g.) in the Schrems II case. We will focus, more specifically, on what it means for data exporters and what consequences there may be for them, if the decision of the Court of Justice of the European Union (CJEU) on the case is consistent with the a.g.’s opinion. Data importers will be the focus of another post,…

Along with changes brought by the CCPA, companies should be aware of other important privacy developments that went into effect in early 2020. Notable changes to data breach notification laws in California, Illinois, Oregon, and Texas promise to have a significant impact on businesses experiencing security incidents and signal a movement towards stricter and more demanding requirements in this space. California Amends Definition of Personal Information for Breach Notification: The definition of personal information…

In this episode of Connect On Tech, your host Brian Hengesbaugh is joined by Teresa Michaud, a partner in Baker McKenzie’s Los Angeles office. Together they will discuss the possible private litigation that may arise as a result of the California Consumer Privacy Act (CCPA). Tune in to learn: what clients are calling “the scariest aspect” of the CCPA; how class action plaintiffs might bring suit outside of the data breach context; Teresa’s practical tips for how…