Ninth Circuit further entrenches circuit split over standing in data breach cases

Norton Rose Fulbright - Data Protection Report blog

On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing.

FCC TCPA order partially upheld and partially set aside


On March 16, 2018, the U.S. Court of Appeals for the District of Columbia Circuit issued its decision on the Federal Communications Commission (FCC) omnibus order of 2015, relating to challenges to four of the FCC’s determinations relating to cell phones. The appellate court upheld the FCC’s determinations that consumers can revoke consent to receive marketing calls by “any reasonable means” that clearly expresses the desire to receive no further messages from the caller, and an exception for certain “emergency” healthcare-related calls. On the other hand, the court set aside the FCC’s decision regarding the definition of an “automatic telephone dialing system” (ATDS), and how callers can deal with reassigned numbers where the previous owner had consented to receive marketing calls.

Singapore PDPC responds to feedback on public consultation on approaches to managing personal data


On 1 February 2018, the Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation was to seek public feedback on proposed changes to Singapore’s data protection regime, the Personal Data Protection Act (PDPA). The key proposed changes to the PDPA include the relaxation of the consent requirement to collect, use and disclose personal data in Singapore and the introduction of a mandatory data breach notification regime.

We set out below a summary of the key points that you should know about the public feedback and PDPC’s response.


Uber as a HIPAA business associate


Uber recently announced the launch of Uber Health, a non-emergency ride service that allows healthcare providers to schedule and pay for transportation for their patients. The stated purpose of the service is to expand medical transportation to traditionally underserved areas. Roughly 3.6 million Americans miss medical appointments each year due to lack of reliable transportation, contributing to the roughly $150 billion per year the healthcare industry loses due to missed appointments.

German DPAs publish templates and guidance on records of processing activities pursuant to Art. 30 GDPR


The German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier as the EU General Data Protection Regulation (GDPR) will take effect in less than a hundred days and organisations must meet its requirements from 25 May 2018. However, the guidance does not contain significant new information and mainly confirms previous understanding.

In detail:

  • The guidance describes the register as being the core element for GDPR compliance, i.e., core for a comprehensive data privacy and information security management system. It is described as the most important document to demonstrate data privacy compliance with regard to the principle of accountability.
  • Unsurprisingly, the guidance expects a register to be submitted to a German DPA upon request in the German language. However, the register may be kept in other languages as long as the organisation is able to swiftly present a German translation upon request.
  • What is a little more unexpected is the DPAs’ recommendation that organisations list not only the recipients of data transfers outside the organisation but also the details of the internal groups or persons having access to the processing’s data. This may require a greater level of detail than some organisations have included in their registers to date.
  • The guidance also elaborates on the threshold of 250 employees above which the GDPR requires a register to be maintained. In practice, the DPAs say this threshold is more or less irrelevant as even with one employee a company would be processing sensitive data – in which case a register is required.
  • Finally, the guidance suggests linking further data privacy documents (e.g. general privacy policies, data security information or documents on PIA procedures) from the register as reference documents.

Our take

This guidance has been released less than 100 days before the GDPR enters into force. This is very late, given that the registers are a logical first step of a GDPR preparation project. It would seem unreasonable for DPAs to expect organisations which have finished their registers to go back and rework them to be in line with this guidance (at least in the short term).

However, in terms of content, the guidance generally confirms current views. It is interesting to see the emphasis put on the importance of data mapping to comply with the accountability requirements of the GDPR.

Working party publishes draft of GDPR guidelines for Article 49 (export derogations)


On February 12, 2018, the Article 29 Working Party (WP29) published guidance regarding Article 49 of the General Data Protection Regulation (GDPR) for public comment. The deadline for submitting comments on the draft is March 26, 2018, and responses should be emailed to

Like the current EU Data Protection Directive, the GDPR prohibits the onward transfer of Personal Data to: (1) a country that has not been deemed to provide an adequate level of protection (e.g. the U.S.); and (2) where the entity therein has committed to handle the Personal Data of European data subjects applying appropriate safeguards in accordance with Article 46 of the GDPR. For example, organizations comply with Article 46 by implementing Binding Corporate Rules (BCRs) or Standard Contractual Clauses or by participating in a recognized certification mechanism such as the EU-US Privacy Shield Framework. However, Article 49 of the GDPR provides for transfers to entities in a country without an adequate level of protection under a series of narrowly tailored exceptions called derogations.

WP29 brings Binding Corporate Rules in line with the GDPR


On February 6, 2018, the Article 29 Working Party (WP29) adopted updated guidelines on Binding Corporate Rules (“BCRs”), which replace the previous WP29 working documents 153 and 195 on BCRs and Processor BCRs.


Amended Colorado bill aims to enhance data privacy laws


As Data Protection Report posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections. On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs.

Connecticut case finds health care privacy cause of action


On January 16, 2018, in Byrne v. Avery, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy. (Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540, __ A.3d __ (Jan. 16, 2018)). Particularly noteworthy is the new standard for a physician’s level of care: compliance with HIPAA. In other words, violation of HIPAA can lead to a state law claim in Connecticut, but the decision does NOT create a private right of action under HIPAA.