On February 10, 2021, the Council of the European Union (EU) agreed on its version of the draft ePrivacy Regulation (Council Position). The long-awaited ePrivacy Regulation, which will repeal the existing ePrivacy Directive, overhauls the rules on cookies and regulates the use of and access to electronic communications data.
Continue Reading Council of the EU Adopts Its Text on the ePrivacy Regulation
Virginia is poised to become the second U.S. state to enact broad consumer privacy legislation. While the legislation draws some parallels with the California Consumer Privacy Act (CCPA) and upcoming California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) introduces new requirements that go beyond these laws, such as opt-ins to collect sensitive data, opt-outs for targeted advertising, the creation of data protection assessments, and new provisions that must be included in service provider agreements.
Continue Reading Virginia Legislature Sends Novel Privacy Law to Governor’s Desk
On February 2, 2021, the European Data Protection Board (EDPB) issued guidance on the processing of personal data for research purposes in response to questions posed by the European Commission (Document). The Document aims to provide clarity on the application of the General Data Protection Regulation (GDPR) to scientific health research. In particular, the Document provides high-level guidance on pertinent issues such as consent for scientific research purposes, appropriate legal bases, and data repurposing.
Continue Reading EDPB Clarifies Key Health Research Data Protection Rules
On January 18, 2021, the European Data Protection Board (EDPB), comprised of all national supervisory authorities (SAs) of the European Union, published draft guidelines for data breach notification1 (the Guidelines).
The Guidelines provide useful insight into how regulators apply the General Data Protection Regulation (GDPR) personal data breach notifications rules. Specifically, they describe six common types of personal data breaches (i.e., ransomware, data exfiltration attacks, internal human risk, lost or stolen device and paper documents, misposted data, and social engineering attacks), and offer 18 case studies. Through these case studies, the EDPB seeks to clarify organizations’ notification and remediation obligations.
Continue Reading EDPB Publishes New Guidance for Data Breach Notification
On January 12, 2021, the District Court of the District of Columbia was the latest court to grant a motion to compel production of a forensic report prepared by an external security-consulting firm in data breach litigation.1 This case involved a cyberattack on a law firm that led to the public dissemination of the confidential information of the plaintiff, who was a former client of the firm. The plaintiff moved to compel his former law firm to produce “all reports of its forensic investigation into the cyberattack.”2 The defendant asserted that it had produced all relevant materials, including materials related to a second-track investigation conducted by its usual cybersecurity vendor, eSentire, for business continuity purposes. However, the plaintiff also sought a report prepared by Duff & Phelps, who was retained by the defendant’s outside litigation counsel. The defendant argued the Duff & Phelps report was protected by the work-product and attorney-client privileges. The court rejected the defendant’s arguments and ordered production of the Duff & Phelps report and associated materials.
Continue Reading Court Orders Production of a Data Breach Forensic Report, Rejecting Arguments That Attorney-Client Privilege and Work Product Protection Apply
Justices Considered Whether Certain Court-Imposed Monetary Remedies Are Legal
On Wednesday, January 13, 2021, the U.S. Supreme Court heard arguments in the much-anticipated case of AMG v. FTC, which challenges the Federal Trade Commission’s (FTC’s) authority to obtain monetary relief in court under Section 13(b) of the FTC Act. The Court’s decision is likely to have a significant impact on the relief the FTC is able to obtain in federal court proceedings.
Continue Reading U.S. Supreme Court May End Key FTC Consumer Protection Enforcement Practice