On March 8, 2018, the Ninth Circuit issued its highly anticipated decision in In re Zappos.com, Inc., finding that allegations of future risk of identity theft from a data breach are sufficient to confer standing. This decision fuels an ongoing circuit split, pitting the D.C., Sixth, Seventh and now Ninth Circuits against the Second, Fourth, and Eighth Circuits over whether the mere exposure of personal information – without actual identity theft or credit/debit card fraud – establishes Article III standing. Continue reading
On March 16, 2018, the U.S. Court of Appeals for the District of Columbia Circuit issued its decision on the Federal Communications Commission (FCC) omnibus order of 2015, relating to challenges to four of the FCC’s determinations relating to cell phones. The appellate court upheld the FCC’s determinations that consumers can revoke consent to receive marketing calls by “any reasonable means” that clearly expresses the desire to receive no further messages from the caller, and an exception for certain “emergency” healthcare-related calls. On the other hand, the court set aside the FCC’s decision regarding the definition of an “automatic telephone dialing system” (ATDS), and how callers can deal with reassigned numbers where the previous owner had consented to receive marketing calls. Continue reading
On 1 February 2018, Singapore Personal Data Protection Commission (PDPC) released its response to feedback on its public consultation on approaches to managing personal data in the digital economy, which took place in Q3 2017 (the Public Consultation). The purpose of the Public Consultation, was to seek public feedback on proposed changes to Singapore’s data protection regime, the Personal Data Protection Act (PDPA). The key proposed changes to the PDPA include the relaxation of the consent requirement to collect, use and disclose personal data in Singapore and the introduction of a mandatory data breach notification regime.
We set out below a summary of the key points that you should know about the public feedback and PDPC’s response.
Uber recently announced the launch of Uber Health, a non-emergency ride service that allows healthcare providers to schedule and pay for transportation for their patients. The stated purpose of the service is to expand medical transportation to traditionally underserved areas. Roughly 3.6 million Americans miss medical appointments each year due to lack of reliable transportation, contributing to the roughly $150 billion per year the healthcare industry loses due to missed appointments. Continue reading
The German Data Protection Authorities (DPAs, acting as the German Data Privacy Conference, Konferenz der unabhängigen Datenschutzbehörden des Bundes und der Länder) recently published templates for the records of processing activities for controllers (Art. 30 para. 1 GDPR) and processors (Art. 30 para. 2 GDPR) together with a corresponding guidance document. This guidance was expected to be released earlier as the EU General Data Protection Regulation (GDPR) will take effect in less than a hundred days and organisations must meet its requirements from 25 May 2018. However, the guidance does not contain significant new information and mainly confirms previous understanding.
- The guidance describes the register as being the core element for GDPR compliance, i.e., core for a comprehensive data privacy and information security management system. It is described as the most important document to demonstrate data privacy compliance with regard to the principle of accountability.
- Unsurprisingly, the guidance expects a register to be submitted to a German DPA upon request in German language. Although, the register may be kept in different languages as long as the organisation is able to swiftly present a German translation upon request.
- What is a little more unexpected is the DPAs’ recommendation that organisations list not only the recipients of data transfers outside the organisation but also the details of the internal groups or persons having access to the processing’s data. This may require a greater level of detail than some organisations have included in their registers to date.
- The guidance also elaborates on the threshold of 250 employees above which the GDPR requires a register to be maintained. In practice, the DPAs say this threshold is more or less irrelevant as even with one employee a company would be processing sensitive data – in which case a register is required.
- Finally, the guidance suggests linking further data privacy documents (e.g. general privacy policies, data security information or documents on PIA procedures) from the register as reference documents.
This guidance has been released less than 100 days before the GDPR enters into force. This is very late, given that the registers are a logical first step of a GDPR preparation project. It would seem unreasonable for DPAs to expect that organisations which have finished their registers to go back and rework them to be in line with this guidance (at least in the short term).
However, in terms of content, the guidance generally confirms current views. It is interesting to see the emphasis put on the importance of data mapping to comply with the accountability requirements of the GDPR.
On February 12, 2018, the Article 29 Working Party (WP29) published guidance regarding Article 49 of the General Data Protection Regulation (GDPR) for public comment. The deadline for submitting comments on the draft is March 26, 2018, and responses should be emailed to JUST-ARTICLE29WP-SEC@ec.europa.eu.
Like the current EU Data Protection Directive, the GDPR prohibits the onward transfer of Personal Data to: (1) a country that has not been deemed to provide an adequate level of protection (e.g. the U.S.); and (2) where the entity therein has committed to handle the Personal Data of European data subjects applying appropriate safeguards in accordance with Article 46 of the GDPR. For example, organizations comply with Article 46 by implementing Binding Corporate Rules (BCRs) or Standard Contractual Clauses or by participating in a recognized certification mechanism such as the EU-US Privacy Shield Framework. However, Article 49 of the GDPR provides for transfers to entities in a country without an adequate level of protection under a series of narrowly tailored exceptions called derogations. Continue reading
On February 6, 2018, the Article 29 Working Party (WP29) adopted updated guidelines on Binding Corporate Rules (“BCRs“), which replace the previous WP29 working documents 153 and 195 on BCRs and Processor BCRs.
As Data Protection Report posted on January 29, 2018, lawmakers in Colorado are considering legislation that, if enacted, would significantly strengthen Colorado’s data privacy protections. On Wednesday, February 14, 2018, an amended bill passed unanimously in Colorado’s House Committee on State, Veterans and Military Affairs. Continue reading
On February 13, 2018, in Forman v. Henkin, 2018 NY Slip Op 01015, New York’s highest state court unanimously ruled that “private” social media posts may be subject to discovery in civil lawsuits.
On January 16, 2018, in Byrne v. Avery, the Connecticut Supreme Court unilaterally created a new state law cause of action for violation of a patient’s health care privacy. (Byrne v. Avery Center for Obstetrics & Gynecology, P.C., 327 Conn. 540, __ A.3d __ (Jan. 16, 2018)). Particularly noteworthy is the new standard for a physician’s level of care: compliance with HIPAA. In other words, violation of HIPAA can lead to a state law claim in Connecticut, but the decision does NOT create a private right of action under HIPAA. Continue reading