SECURITY & PRIVACY // BYTES

Global updates from our Data Privacy & Cybersecurity team

In today’s globalised world, there are many cross-border transfers of personal data, which are sometimes stored on servers in different countries. Chapter V of the General Data Protection Regulation (GDPR), “Transfers of personal data to third countries or international organisations”, provides different tools to frame data transfers from the EU to a “third country” (i.e. a country that is not a member of the European Economic Area). These include the following:…
A hospital became one of the first organisations to face GDPR enforcement in Portugal in July 2018. The hospital received a €400,000 fine from the Portuguese regulator, Comissão Nacional de Protecção de Dados (“CNPD”), for various breaches of the GDPR. The hospital was fined for the following three violations of the GDPR: breach of the data minimisation principle; breach of the integrity and confidentiality principle; and the failure to ensure the ongoing security of processing…
On January 25, 2019, the Illinois Supreme Court ruled that a consumer need not demonstrate an adverse effect or specific harm, such as evidence that personal information was stolen or misused, to have standing to sue under the state’s Biometric Identity Protection Act (BIPA). The court held that a procedural violation of the law itself is sufficient to support a private right of action under BIPA. The court’s decision will give real teeth to the…
The European Commission announced on 23 January 2019 that it has adopted an adequacy decision on Japan (its press release can be found here).[1] This is a result of the assessment process which began on 5 September 2018, the background of which can be found in our previous blog here. Japan’s data protection authority, the Personal Information Protection Commission (PPC), has also adopted its equivalent decision on Japanese personal data flows to…
Cybersecurity awareness recently took center stage in the healthcare industry when the Department of Health and Human Services (HHS) issued comprehensive risk-prioritized cybersecurity best practices to combat top threats. HHS mapped this guidance to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, cross-referencing 88 individual sub-practices for healthcare organizations of all sizes. The HHS guidance focuses on ten top-level cybersecurity best practices, coupled with a series of recommended procedure-strengthening “Threat Quick Tips,” to…
Google recently defeated claims that it violated Illinois’s Biometric Identification Privacy Act (“BIPA”) by collecting and retaining facial scans created from photographs uploaded by Google Photos users without obtaining consent and complying with other statutory requirements. The federal court ultimately held that plaintiffs failed to allege a concrete injury sufficient for Article III standing. Finding in Google’s favor, the court distinguished cases finding standing in BIPA cases because, unlike those cases, Google had not shared…
The UK Parliament has today, 15th January 2019, rejected the Government’s Brexit withdrawal agreement with the EU. This turn of events, which was widely anticipated, increases the prospect of a no deal Brexit, i.e. a break-up without a divorce settlement. According to law, the UK will leave the EU on 29th March 2019 with no deal unless Parliament has accepted the withdrawal agreement, or a modified version of it, or a new agreement has been…
The ICO published a draft Regulatory Action Policy (“Policy”) on 28 June 2018, available here, supplementing its Information Rights Strategic Plan for 2017-2021 (here) and International Strategy for 2017-2021 (here). This Policy provides an overview of how and to what extent the ICO will use its newly expanded regulatory enforcement powers provided by the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (“DPA”).…
As users increasingly use nontraditional modes of communication, such as social media and instant messaging applications, email and VoIP, in place of traditional telephone and data services, so too must privacy laws evolve. The European Electronic Communications Code, proposed on December 4, 2018, expands the definition of electronic communications services to include these “over-the-top services.” As a result, these services become subject to data processing regulations under the existing ePrivacy Directive. In an article written…
California’s Consumer Privacy Act of 2018 (“CCPA”), which was signed into law in June 2018, will take effect on January 1, 2020. California Attorney General Xavier Becerra has announced that the California Department of Justice has organized six public forums throughout the State that will provide those impacted by the new law an opportunity to comment on the rulemaking process.…