UAE bans exporting health data and restricts domestic use

Norton Rose Fulbright - Data Protection Report blog

In March of this year, the UAE issued Law No. 2 of 2019 Concerning the Use of Information and Communication Technology in the Area of Health (the Healthcare Data Law), which governs the use of health data and information generated in the UAE. The law takes effect three months after issuance.

ICO blog post on AI and solely automated decision-making

The ICO has published a blog post on the role of “meaningful” human reviews in AI systems to prevent them from being categorised as “solely automated decision-making” under Article 22 of the GDPR. That Article imposes strict conditions on making decisions with legal or similarly significant effects based on personal data where there is no human input, or where there is limited human input (e.g. a decision is merely “rubber-stamped”).

Parenting support club Bounty fined in ‘unprecedented’ data breach

On 12 April, the Information Commissioner’s Office (ICO) fined Bounty, a pregnancy and parent support club, £400,000 for illegally sharing personal data belonging to more than 14 million people. As the contravention took place just before the General Data Protection Regulation (GDPR) came into force, the fine was issued under the Data Protection Act 1998 (DPA).

UK Supreme Court grants Morrisons permission to appeal vicarious liability finding

The Supreme Court has confirmed that permission has been granted to Morrisons for it to appeal against the judgment of the Court of Appeal in Morrison Supermarkets PLC v Various Claimants [2018] EWCA Civ 2338.

French court issues decision on legality of Privacy Rules and Terms of Use under data protection and consumer law

Five years after the commencement of legal proceedings against Google by leading French consumer association UFC Que Choisir, the Paris “Tribunal de Grande Instance” (TGI), in a decision dated 12 February 2019, issued its ruling on the legality of the Google+ Terms of Use and Privacy Rules, both with respect to consumer law and personal data protection regulations.

EU Advocate General issues opinion on consent for cookies and intersection between ePrivacy-Directive and GDPR

On March 21, 2019, Advocate General Szpunar released his opinion on the use of consent for the processing of personal data and for the use of cookies pursuant to the ePrivacy-Directive and the General Data Protection Regulation (GDPR).

The opinion includes several key points on whether consent is ‘freely given’ pursuant to the ePrivacy-Directive and the GDPR and also gives insight on what constitutes ‘informed consent.’

German court rules that protection of whistle-blower confidentiality does not generally override the data subject access right

A mid-level German employment court recently had to consider the scope of subject access requests under the EU General Data Protection Regulation (GDPR) in the context of compliance and whistle-blowing regimes. The Regional Labour Court (Landesarbeitsgericht) of Stuttgart decided that an employer was required not only to provide an employee with the records containing performance and behavioural data, but also to disclose information regarding internal investigations. This is the first reported successful enforcement of a data subject access right under Article 15 GDPR before a regional labour court in Germany. (The judgment was handed down on 20 December 2018 but has just been published in full text.)

GDPR, CCPA and beyond: Changes in data privacy laws and enforcement risks to monitor in 2019

With significant enforcement activity and new laws being enacted or proposed since the start of the year, regulators in the EU and the US, several US states, and the US Congress are showing they mean business in terms of data privacy.

To help companies best protect consumer data and remediate enforcement risks, we provide below an overview of the following:

  1. two noteworthy recent EU and US regulator enforcement actions;
  2. changes in the US state data privacy law landscape, including the proposal from the California Attorney General’s Office to expand enforcement authority and class action litigation under the California Consumer Privacy Act; and
  3. US Congress’ consideration of a first-ever comprehensive US federal privacy law.

EDPB issues new opinion on interplay between Clinical Trials Regulation and the GDPR

On January 23, 2019, the European Data Protection Board (“EDPB”) issued an opinion on the interplay between the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”). The opinion also addresses GDPR requirements regarding (1) the legal basis for processing personal data in the course of a clinical trial protocol (primary use) and (2) the further use of clinical trial data for other scientific purposes (secondary use).

Even though the CTR already entered into force on June 16, 2014, the regulation’s application depends on the development of a fully functional EU clinical trials portal and database, which is projected to be operational in 2020. In anticipation of the CTR’s applicability, the EDPB’s Opinion 3/2019 provides much-needed clarification on the interplay between the GDPR and the CTR and allows companies to update their processes and agreements to conduct clinical trials that comply with both regulations.

Companies’ right to privacy

On January 3, 2019, the federal trial court in Manhattan issued a preliminary injunction, temporarily halting a new local law requiring home-sharing platforms, such as Airbnb and HomeAway, to make disclosures to the city. The court granted the preliminary injunction on the basis that the city’s broad requirement that the services turn over detailed customer information on a monthly basis likely violated the Fourth Amendment to the U.S. Constitution—infringing the privacy rights of the companies, rather than the users. In contrast, the court ruled that the companies’ Stored Communications Act claim did not meet the standard for a preliminary injunction. (Airbnb, Inc. v. City of New York, Case 1:18-cv-07712-PAE (S.D.N.Y. Jan. 3, 2019)).
