Virginia Legislature Sends Novel Privacy Law to Governor’s Desk

Photo of Tracy ShapiroPhoto of Edward HolmanPhoto of Amanda IrwinBy Tracy Shapiro, Edward Holman and Amanda Irwin on Posted in Privacy

Virginia is poised to become the second U.S. state to enact broad consumer privacy legislation. While the legislation draws some parallels with the California Consumer Privacy Act (CCPA) and upcoming California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) introduces new requirements that go beyond these laws, such as opt-ins to collect sensitive data, opt-outs for targeted advertising, the creation of data protection assessments, and new provisions that must be included in service provider agreements. Continue Reading

EDPB Clarifies Key Health Research Data Protection Rules

Photo of Jan DhontPhoto of Nikolaos TheodorakisPhoto of Sam MeijerBy Jan Dhont, Nikolaos Theodorakis and Sam Meijer on Posted in Privacy, Regulatory

On February 2, 2021, the European Data Protection Board (EDPB) issued guidance on the processing of personal data for research purposes in response to questions posed by the European Commission (Document). The Document aims to provide clarity on the application of the General Data Protection Regulation (GDPR) to scientific health research. In particular, the Document provides high-level guidance on pertinent issues such as consent for scientific research purposes, appropriate legal bases, and data repurposing. Continue Reading

EDPB Publishes New Guidance for Data Breach Notification

Photo of Laura De BoelPhoto of Cédric BurtonPhoto of Christopher FooBy Laura De Boel, Cédric Burton, Christopher Foo and Maximin Orsero on Posted in Privacy, Regulatory

On January 18, 2021, the European Data Protection Board (EDPB), comprised of all national supervisory authorities (SAs) of the European Union, published draft guidelines for data breach notification1 (the Guidelines).

The Guidelines provide useful insight into how regulators apply the General Data Protection Regulation (GDPR) personal data breach notifications rules. Specifically, they describe six common types of personal data breaches (i.e., ransomware, data exfiltration attacks, internal human risk, lost or stolen device and paper documents, misposted data, and social engineering attacks), and offer 18 case studies. Through these case studies, the EDPB seeks to clarify organizations’ notification and remediation obligations. Continue Reading

Court Orders Production of a Data Breach Forensic Report, Rejecting Arguments That Attorney-Client Privilege and Work Product Protection Apply

Photo of Beth GeorgePhoto of Allison BenderPhoto of Megan KayoBy Beth George, Allison Bender and Megan Kayo on Posted in Cybersecurity, Privacy

On January 12, 2021, the District Court of the District of Columbia was the latest court to grant a motion to compel production of a forensic report prepared by an external security-consulting firm in data breach litigation.1 This case involved a cyberattack on a law firm that led to the public dissemination of the confidential information of the plaintiff, who was a former client of the firm. The plaintiff moved to compel his former law firm to produce “all reports of its forensic investigation into the cyberattack.”2 The defendant asserted that it had produced all relevant materials, including materials related to a second-track investigation conducted by its usual cybersecurity vendor, eSentire, for business continuity purposes. However, the plaintiff also sought a report prepared by Duff & Phelps, who was retained by the defendant’s outside litigation counsel. The defendant argued the Duff & Phelps report was protected by the work-product and attorney-client privileges. The court rejected the defendant’s arguments and ordered production of the Duff & Phelps report and associated materials. Continue Reading

U.S. Supreme Court May End Key FTC Consumer Protection Enforcement Practice

Photo of Christopher OlsenPhoto of Lydia ParnesBy Christopher Olsen, Lydia Parnes and Stephen Schultze on Posted in Privacy

Justices Considered Whether Certain Court-Imposed Monetary Remedies Are Legal

On Wednesday, January 13, 2021, the U.S. Supreme Court heard arguments in the much-anticipated case of AMG v. FTC, which challenges the Federal Trade Commission’s (FTC’s) authority to obtain monetary relief in court under Section 13(b) of the FTC Act. The Court’s decision is likely to have a significant impact on the relief the FTC is able to obtain in federal court proceedings. Continue Reading

European Commission Proposes New Rules for Digital Platforms

Photo of Cédric BurtonPhoto of Jan DhontPhoto of Gorka NaveaPhoto of Nikolaos TheodorakisPhoto of Roberto Yunquera SehwaniPhoto of Deirdre CarrollPhoto of Carol EvrardPhoto of Thomas Martin PflockBy Cédric Burton, Jan Dhont, Gorka Navea, Nikolaos Theodorakis, Roberto Yunquera Sehwani, Deirdre Carroll, Carol Evrard, Thomas Martin Pflock and Maximin Orsero on Posted in Cybersecurity, European Union, Privacy, Regulatory

On December 15, 2020, the European Commission (EC) unveiled a set of proposals to regulate digital platforms. The draft laws include antitrust-related requirements, addressed by the Digital Markets Act (DMA) and more general regulatory requirements, addressed in the Digital Services Act (DSA). The DMA/DSA package will apply to all digital services, including social media, online marketplaces, and other online platforms, meaning tech companies active in Europe will have a new set of rules to follow. Continue Reading

LexBlog

We use cookies on our site to analyze traffic, enhance your experience, and provide you with tailored content. For more information or to opt-out, visit our privacy policy.

I agree