Privacy & Data Security

The New York Times newly established Privacy Project, recently highlighted the extent to which our society has created a “facial recognition machine” – cameras are everywhere, even in doorbells. Segments of society have accepted widespread surveillance on public streets, shopping malls, and in common areas of office buildings, apartment complexes, schools and similar places. But there are limits. Early this month, 131 patients (and counting) of a women’s hospital in San Diego, California filed…
Despite support from the technology industry and almost unanimous support in the state Senate, the Washington Privacy Act (SB 5367) appears to dead after it failed to pass the Washington House before the April 17 deadline for the current legislative session. The bill—assumed by many to be a sure thing in light of the complete Democratic control of the Washington state government—hit a roadblock after significant amendments aimed at increasing consumer privacy, including…
On October 22, 2018, the UK Court of Appeal upheld the High Court’s decision that VM Morrison Supermarkets PLC (“Morrisons”) was vicariously liable for a data breach caused by a disgruntled former employee, despite Morrisons being cleared of any wrongdoing (VM Morrison Supermarkets PLC v Various Claimants). The case is important, given its potential “floodgate” effect on data breach class action claims in the UK. The Supreme Court has granted Morrisons permission to…
On 19 March 2019, the Dutch Senate approved legislation introducing collective damages actions in the Netherlands (the “Legislation”) which will broaden the regime even further. The Legislation introduces an option to claim monetary damages in a “US style” class action, including for violations of the GDPR. This Legislation together with the mechanisms already available under Dutch law put the Netherlands at the forefront of collective redress in Europe. The Legislation is expected to enter into…
Proposed Bill Makes Dramatic Changes To North Carolina Security Breach Notification Law Some of the proposed changes include: Businesses would have to “[i]implement and maintain reasonable security procedures and practices, appropriate to the nature of the personal information and the size, complexity, and capabilities of the business.”; Businesses would be required to offer at least two years of free credit monitoring; and Replacing the current “without unreasonable delay” standard for breach notification to “as soon…
The GDPR that stole communion… Some schools in Ireland have been banning photographs at communion, citing GDPR. The Irish Data Protection Commission clarified in a guidance titled “Taking Photos at School Events: Where Common Sense Comes Into Play” that this is not mandated by GDPR. Taking a photo in public is generally fine; it’s what you do with that photo that can potentially become a data protection issue. If a school is seeks consent from…
The “data lemon,” a company you acquire without sufficient data protection due diligence that turns out to be rife with issues, is really more like “data lemon ice cream.” Once it melts, and you uncover a serious breach, it will not return to its original state again. Read the Harvard Business Review’s take on the importance of thorough data security due diligence in mergers and acquisitions.…
The much-discussed Washington Privacy Act, Senate Bill 5376 (“SB 5376”), appears to have died after failing to receive a House vote by an April 17, 2019 deadline for action on non-budget policy bills. Though the bill could be revived before the regular session ends on April 28, 2019, Washington lawmakers expressed doubt.…
The Denmark Data Protection Authority (DPA) ruled on April 11, 2019 that affirmative consent is required when companies record customer telephone calls. Because voice recordings constitute personal data under the European Union’s (EU) General Data Protection Regulation (GDPR), international companies that communicate via telephone with EU customers will need to take steps to ensure GDPR compliance. In this case, Denmark’s largest telecommunications company, TDC A/S, provided disclosures to its customers that calls may be recorded…
Senators Warner, D-Va., and Fischer, R-Neb., introduced the “Deceptive Experiences to Online Users Reduction,” or DETOUR Act, on April 9, 2019. The bill covers “large online operators” (those with more than 100 million authenticated users), and addresses three main issues: Behavioral or psychological experiments on users; User interfaces (UIs) that are designed to (or in actual operation) obscure, subvert, or impair user autonomy regarding consent to privacy policies or to the provision and use of…