The EU’s Data Act: Capstone of the EU Data Strategy

On 23 February 2022 the EU Commission published its long-awaited Data Act, the last major building block of the Commission’s February 2020 Data Strategy. The Data Act: Is an ambitious piece of legislation with implications for consumers and businesses across the economy, not limited to the technology sector. Aims to facilitate access to data by … Continue reading

Proposed cybersecurity rules for SEC registered advisers and funds

On February 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) released a proposal aimed at enhancing cybersecurity risk management programs, including cybersecurity preparedness and response, for registered investment advisers (“advisers”), investment companies and business development companies (“funds”). Overall, the proposal addresses the following rule amendments and additions: 1. Cybersecurity Policies and Procedures Under the … Continue reading

CPRA Rulemaking Delayed – California Privacy Protection Agency Meets and Previews CPRA Rulemaking Timeline

On February 17, 2022 the California Privacy Protection Agency’s Board (“Board”) met to discuss their progress launching the new agency.  They also shared their projected timeline for rulemaking.  The California Privacy Protection Agency (CPPA) is the new agency charged with enforcing the California Privacy Rights Act (CPRA).   The big news is that the Board … Continue reading

European rulings on the use of Google Analytics and how it may affect your business

Recent decisions out of the EU will impact the use of Google Analytics and similar non-European analytics services when targeting EU individuals, with the potential to put many organizations at risk of receiving GDPR fines. At issue was the transfer of personal data from the EU to the US through the use of Google Analytics. … Continue reading

Rejecting cookies should be as easy as accepting cookies: new sanctions by the French authority (CNIL)

The French Data Protection Authority (the “CNIL”) continues its campaign against companies that do not respect the rules relating to cookies and other trackers, which the CNIL has previously reminded the market about in multiple communications and decisions. The CNIL has already issued four sets of formal notices to over 90 organizations of various sizes … Continue reading

Belgian DPA fines IAB Europe over its consent framework’s GDPR violations

On 2 February 2022, the Belgian Data Protection Authority (the BDPA) fined IAB Europe for various infringements in relation to the IAB Transparency and Consent Framework. This decision could have a huge impact on the majority of players in the online adtech ecosystem who rely on the framework. Background The Interactive Advertising Bureau Europe’s (IAB) … Continue reading

Illinois Supreme Court Rules that Compensation Act is not a bar to BIPA Damages

Illinois’ Biometric Information Privacy Act (“BIPA”) is considered the most comprehensive law governing the processing of biometric data. Passed in 2008, BIPA sets out requirements for private entities, including employers, that collect, use, store, and share biometric information. It’s also one of the most popular class action suits today – hundreds, if not thousands of … Continue reading

New York SHIELD Act $600,000 settlement

On January 24, 2022, the New York Attorney General (AG) announced a settlement with vision-benefits-provider EyeMed Vision Care, Inc., relating to a 2020 security incident where a threat actor obtained access to an email account that enabled the threat actor to get access to personal information of consumers including, but not limited to, , dates … Continue reading

UK finally publishes revised standard form international data transfer agreements and conversion addendum for the use of revised EU SCCs

The UK government has finally published the UK’s own standard form international data transfer agreement (UK IDTA) for transferring personal data outside the UK to countries not deemed to have adequate data protection regimes. It has also published a standard form international data transfer addendum to the revised EU SCCs (EU SCC UK Conversion Addendum) … Continue reading