German Federal Labor Court rules on the scope of the right to information under Art. 15 GDPR

In a legal dispute to be decided by the German Federal Labor Court, the court had the opportunity to rule on the highly controversial scope of the right to information under Art. 15 GDPR. Specifically, the issue was whether or to what extent Art. 15 GDPR grants a right to receive copies of e-mails. This question is controversially discussed, particularly in the employment context. A decision on the merits was not issued, however, because the court already considered the claim to be too vague and therefore dismissed it as inadmissible. This result, nevertheless, is disappointing only at first glance. Rather, the decision is likely to provide an important guidepost for dealing with information claims and will hopefully, at least in part, cause a rethink.

China: Navigating China episode 17: China’s Draft Privacy and Security Laws – second drafts clarify compliance steps for businesses

Authors: Carolyn Bigg, Venus Cheung and Fangfang Song Second drafts of the new overarching national personal data protection and data security laws have just been published, and give a clearer picture of the impending new national frameworks in China. 1. Draft Personal Information Protection Law The Draft Personal Information Protection Law (“Draft PIPL”) will – …

China: Navigating China episode 17: China’s Draft Privacy and Security Laws – second drafts clarify compliance steps for businesses Read More »

Deadline to file comments to the HIPAA NPRM is fast approaching

Authors: Emily Maus and Anna Spencer HIPAA covered entities and business associates should finalize their comments soon, before the comment period for the 2020 Health Insurance Portability and Accountability Act (HIPAA) Notice of Proposed Rulemaking (NPRM) closes on May 6.  The Office for Civil Rights (OCR), which is the federal agency within the US Department …

Deadline to file comments to the HIPAA NPRM is fast approaching Read More »

Second Circuit sets standing threshold for data-breach class actions

Authors: Keara M. Gordon, Isabelle Ord, Jeff DeGroot, and Haley Torrey This week, the Second Circuit in McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, weighed in on whether data-breach plaintiffs can establish Article III standing based on the theory that the theft or disclosure of their data subjects the plaintiffs to an increased risk …

Second Circuit sets standing threshold for data-breach class actions Read More »

Portuguese CNPD suspends transfers of Census 2021 data to the U.S.

On yet another application of the principles contained in the Schrems II case, on the 27th of April 2021, the Portuguese Data Protection Authority (“CNPD”) issued a decision ordering the suspension, within 12 hours, of any transfer of personal data resulting from the Census 2021 to the US, or to other third countries outside the …

Portuguese CNPD suspends transfers of Census 2021 data to the U.S. Read More »

The Washington Privacy Act fails to pass for the third straight year

Click here to view an article about the 2021 Washington Privacy Act legislative developments. DLA Piper follows the evolving state privacy landscape more closely than any other law firm. As of the date of this post, the most likely states to pass an Omnibus privacy bill later this year are Florida, Colorado and Ohio. For …

The Washington Privacy Act fails to pass for the third straight year Read More »

The Supreme Court sharply curtails FTC’s authority to obtain restitution

In a significant decision issued on Thursday, April 22, 2021, the US Supreme Court unanimously ruled in an eagerly anticipated case that the Federal Trade Commission (FTC) does not have the legal authority under Section 13(b) of the FTC Act to obtain court-ordered monetary equitable relief (such as restitution or disgorgement). In AMG Capital Management, …

The Supreme Court sharply curtails FTC’s authority to obtain restitution Read More »

European Commission publishes long-awaited draft Regulation on Artificial Intelligence

Andrew Dyson, Ewa Kurowska-Tober, Heidi Waem On 21 April 2021, the European Commission published the long-awaited proposal for a Regulation on Artificial Intelligence[1](“AI Regulation”). The proposed AI Regulation introduces a first-of-its-kind, comprehensive, harmonized, regulatory framework for Artificial Intelligence. The ambition is to provide the legal certainty needed to facilitate investment and innovation in AI, whilst …

European Commission publishes long-awaited draft Regulation on Artificial Intelligence Read More »

China: Navigating China episode 16: New data lifecycle guidelines for financial institutions in China – detailed assessments, additional security measures and some data localisation introduced

Authors: Carolyn Bigg, Venus Cheung and Fangfang Song Important new guidelines outlining how personal and other types of financial information should be handled by financial institutions throughout the data lifecycle have just come into force in China, including a new data localisation obligation. The “Financial Data Lifecycle Guidelines” (金融数据生命周期安全规范) were published by the PBOC (the …

China: Navigating China episode 16: New data lifecycle guidelines for financial institutions in China – detailed assessments, additional security measures and some data localisation introduced Read More »

Standard contractual clauses and data transfers after Schrems II: EDPB-EDPS’s Joint Opinion on Draft SCCs

Authors: Heidi Waem, Camille Vermosen Schrems II The CJEU’s long-awaited Schrems II decision of 16 July 2020, raised important questions on the validity of data processing activities involving the transfer of personal data outside the EEA. In its decision, the CJEU did not only invalidate the Privacy Shield, it also concluded that relying on the …

Standard contractual clauses and data transfers after Schrems II: EDPB-EDPS’s Joint Opinion on Draft SCCs Read More »

EDPB Opinion on UK Adequacy: Strong Alignment but Challenges Remain

During its 48th plenary session, the European Data Protection Board (EDPB) has adopted two opinions on the European Commission’s draft U.K. adequacy decision. Background The GDPR imposes restrictions on the transfer of personal data to a ‘third country’ unless that country benefits from (i) an adequacy decision; (ii) appropriate safeguards (e.g. standard contractual clauses (SCCs)); …

EDPB Opinion on UK Adequacy: Strong Alignment but Challenges Remain Read More »

The CNIL’s key priorities for upcoming dawn-raids in 2021

Every year, the French supervisory authority (the “CNIL”) publishes its key priorities for upcoming dawn-raids. In 2021, more than 50% of the CNIL’s dawn-raids will focus on: (i) websites cybersecurity, (ii) health data protection and (ii) cookies. 1. Websites cybersecurity Website security incidents are among the most common non-compliances identified by the CNIL during its …

The CNIL’s key priorities for upcoming dawn-raids in 2021 Read More »

CHINA: Navigating China Episode 15: Comprehensive New E-Commerce Rules Introduced

Authors: Carolyn Bigg, Venus Cheung Operators of e-commerce platforms, websites and apps in China, and those using third party e-commerce, social media or livestreaming platforms to sell their products and services in China, must update their operations, services and systems in advance of wide-ranging new rules. The Measures for the Supervision and Administration of Online …

CHINA: Navigating China Episode 15: Comprehensive New E-Commerce Rules Introduced Read More »

France : The cookies transition period will end in a few days – starting April 1st, organizations must comply with the CNIL’s revised guidelines on cookies and trackers!

What is the context? As described in more details in our previous post, the French supervisory authority (“CNIL”) has published on October 2020 a revised version of its guidelines (“Revised Guidelines”) and the final version of its recommendations on the practical procedures for collecting consent concerning cookies and other trackers (“Recommendations”). As a reminder, the Revised …

France : The cookies transition period will end in a few days – starting April 1st, organizations must comply with the CNIL’s revised guidelines on cookies and trackers! Read More »

Trial Court Examines Stored Communications Act Applicability to Offline Mobile Phone

The Electronic Communications Privacy Act (ECPA) is a law noted for its complexity, and the second portion of it, the Stored Communications Act (SCA) is no exception.  In a recent case in the Seventh Circuit, the District Court for the Northern District of Illinois examined the scope of the SCA and what it was, and …

Trial Court Examines Stored Communications Act Applicability to Offline Mobile Phone Read More »

Out with the old, in with the new: Five members join California Privacy Protection Agency Board; California AG Xavier Becerra moves to HHS

The California Privacy Rights Act 2020 Initiative (CPRA) both amends the California Consumer Privacy Act (CCPA) and establishes the first administrative privacy agency in the US, the California Privacy Protection Agency (CPPA). The Agency is charged with protecting the fundamental privacy rights of Californians with respect to their personal information. It is responsible for issuing …

Out with the old, in with the new: Five members join California Privacy Protection Agency Board; California AG Xavier Becerra moves to HHS Read More »

US: Virginia passes comprehensive consumer data protection law

Author: Jim Halpert Virginia’s Governor signed the Virginia Consumer Data Protection Act (“VCDPA”) into law on March 2, 2021.  The VCDPA takes effect January 1, 2023 and is a broad, multi-rights privacy law that, in some ways, resembles the CCPA, GDPR, and other recently proposed state privacy legislation.  A study committee will review the VCDPA …

US: Virginia passes comprehensive consumer data protection law Read More »

US: CA AG announces approval of further amendments to CCPA Regs

Authors: Kate Lucente and Lea Lurquin On March 15, 2021, the California Attorney General (CA AG) announced the approval of additional CCPA regulations. According to the CA AG, the additional amendments are intended to clarify how businesses should implement the Do Not Sell requirements and the permissible methods for verifying CCPA requests submitted on behalf …

US: CA AG announces approval of further amendments to CCPA Regs Read More »