Booking.com Fined EUR 475,000 for Failure to Timely Notify Dutch Supervisory Authority of Data Breach

Photo of Jan DhontPhoto of Laura BrodahlPhoto of Sam MeijerBy Jan Dhont, Laura Brodahl and Sam Meijer on Posted in Cybersecurity, European Union, Privacy

The Dutch supervisory authority (the Autoriteit Persoonsgegevens or AP) sanctioned the online travel booking platform, Booking.com BV (Booking), with a EUR 475,000 fine for failing to notify a data breach to the AP within 72 hours after becoming aware of it, as required by the EU General Data Protection Regulation (GDPR). The decision is available in Dutch here. Continue Reading

Council of the EU Adopts Its Text on the ePrivacy Regulation

Photo of Cédric BurtonPhoto of Jan DhontPhoto of Lydia ParnesPhoto of Nikolaos TheodorakisPhoto of Carol EvrardPhoto of Alexandre LépinePhoto of Roberto Yunquera SehwaniBy Cédric Burton, Jan Dhont, Lydia Parnes, Nikolaos Theodorakis, Carol Evrard, Alexandre Lépine and Roberto Yunquera Sehwani on Posted in European Union, Privacy, Regulatory

On February 10, 2021, the Council of the European Union (EU) agreed on its version of the draft ePrivacy Regulation (Council Position). The long-awaited ePrivacy Regulation, which will repeal the existing ePrivacy Directive, overhauls the rules on cookies and regulates the use of and access to electronic communications data. Continue Reading

Virginia Legislature Sends Novel Privacy Law to Governor’s Desk

Photo of Tracy ShapiroPhoto of Edward HolmanPhoto of Amanda IrwinBy Tracy Shapiro, Edward Holman and Amanda Irwin on Posted in Privacy

Virginia is poised to become the second U.S. state to enact broad consumer privacy legislation. While the legislation draws some parallels with the California Consumer Privacy Act (CCPA) and upcoming California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) introduces new requirements that go beyond these laws, such as opt-ins to collect sensitive data, opt-outs for targeted advertising, the creation of data protection assessments, and new provisions that must be included in service provider agreements. Continue Reading

EDPB Clarifies Key Health Research Data Protection Rules

Photo of Jan DhontPhoto of Nikolaos TheodorakisPhoto of Sam MeijerBy Jan Dhont, Nikolaos Theodorakis and Sam Meijer on Posted in Privacy, Regulatory

On February 2, 2021, the European Data Protection Board (EDPB) issued guidance on the processing of personal data for research purposes in response to questions posed by the European Commission (Document). The Document aims to provide clarity on the application of the General Data Protection Regulation (GDPR) to scientific health research. In particular, the Document provides high-level guidance on pertinent issues such as consent for scientific research purposes, appropriate legal bases, and data repurposing. Continue Reading

EDPB Publishes New Guidance for Data Breach Notification

Photo of Laura De BoelPhoto of Cédric BurtonPhoto of Christopher FooBy Laura De Boel, Cédric Burton, Christopher Foo and Maximin Orsero on Posted in Privacy, Regulatory

On January 18, 2021, the European Data Protection Board (EDPB), comprised of all national supervisory authorities (SAs) of the European Union, published draft guidelines for data breach notification1 (the Guidelines).

The Guidelines provide useful insight into how regulators apply the General Data Protection Regulation (GDPR) personal data breach notifications rules. Specifically, they describe six common types of personal data breaches (i.e., ransomware, data exfiltration attacks, internal human risk, lost or stolen device and paper documents, misposted data, and social engineering attacks), and offer 18 case studies. Through these case studies, the EDPB seeks to clarify organizations’ notification and remediation obligations. Continue Reading

Court Orders Production of a Data Breach Forensic Report, Rejecting Arguments That Attorney-Client Privilege and Work Product Protection Apply

Photo of Beth GeorgePhoto of Allison BenderPhoto of Megan KayoBy Beth George, Allison Bender and Megan Kayo on Posted in Cybersecurity, Privacy

On January 12, 2021, the District Court of the District of Columbia was the latest court to grant a motion to compel production of a forensic report prepared by an external security-consulting firm in data breach litigation.1 This case involved a cyberattack on a law firm that led to the public dissemination of the confidential information of the plaintiff, who was a former client of the firm. The plaintiff moved to compel his former law firm to produce “all reports of its forensic investigation into the cyberattack.”2 The defendant asserted that it had produced all relevant materials, including materials related to a second-track investigation conducted by its usual cybersecurity vendor, eSentire, for business continuity purposes. However, the plaintiff also sought a report prepared by Duff & Phelps, who was retained by the defendant’s outside litigation counsel. The defendant argued the Duff & Phelps report was protected by the work-product and attorney-client privileges. The court rejected the defendant’s arguments and ordered production of the Duff & Phelps report and associated materials. Continue Reading

LexBlog

We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree