Privacy

Subscribe to Privacy via RSS

On April 21, 2020, the European Data Protection Board (EDPB) published two sets of guidelines addressing data processing in the context of the COVID-19 pandemic. These guidelines address the use of location data and contact tracing tools to combat the spread of COVID-19 and the use of health data for the purposes of scientific research into COVID-19 (together, the guidelines).

Since March 2020, the EDPB and the European Commission (EC) have been active in addressing the use of data to combat the COVID-19 pandemic. The EC released its recommendation regarding contact tracing apps and the use of mobility data on April 8, while the EDPB issued a letter on April 14 addressing the same issue. The EC then published specific guidance regarding the use of COVID-19 mobile apps. In these most recent guidelines, the EDBP further elaborates on the signposts provided in its earlier letter and provides specific guidance on the deployment of contact tracing apps as well as the re-use of information for scientific research purposes.
Continue Reading EDPB Publishes Guidelines on COVID-19 Related Data Usage

On April 16, 2020, the European Commission (EC) published guidance (guidance) regarding mobile applications developed to combat the spread of the COVID-19 pandemic (COVID-19 mobile apps). As previously mentioned in our blog posts, the guidance follows the EC recommendation last week on the same topic, and takes into account a prior consultation with the European Data Protection Board (EDPB).

The guidance expands on the legal bases for data processing identified in the EC’s consultation with the EDPB and highlights key data protection requirements for certain COVID-19 mobile apps.
Continue Reading The European Commission Publishes Guidance on COVID-19 Mobile Apps

On April 14, 2020, the European Data Protection Board (the EDPB) published a letter in response to the European Commission’s call for consultation (the letter) regarding its recommendation on the use of mobile applications and location data to fight the COVID-19 outbreak.

As previously reported in our blog post, the European Commission’s recommendation sets out a “toolbox” of measures to be implemented across EU member states to address the use of technology in combating the spread of the COVID-19 pandemic. In its letter, the EDPB sets forth data privacy and information security measures that app developers should consider when developing mobile applications to inform individuals or monitor infected persons (COVID-19 mobile apps).
Continue Reading The EDPB Responds to the European Commission’s Recommendation on COVID-19 Mobile Apps

On April 8, 2020, the European Commission (the Commission) released its recommendation for a pan-EU approach on the use of technology and data to combat the COVID-19 pandemic (the Recommendation).

The Commission calls for the creation of a “toolbox” consisting of practical measures taken at the EU level to address the use of mobile applications to inform individuals or monitor infected persons (COVID-19 mobile apps) and address the use of anonymized population data to analyze the evolution of the pandemic in the EU. While the Recommendation does not specify the measures to be included in the toolbox, it provides a roadmap to promote the harmonization of these measures across all EU member states.
Continue Reading European Commission Calls for a Common Approach to COVID-19 Apps and Anonymized Data Use

The General Data Protection Regulation (GDPR) does not just impact companies located in the European Economic Area (EEA). It has a “long-arm” provision which may subject foreign companies to its jurisdiction. There is a fair amount of uncertainty regarding how this provision may be applied. The European Data Protection Board (EDPB) has recently issued updated guidelines that shed some light on how national Supervisory Authorities are expected to interpret the extra-territorial reach of the GDPR (guidelines).[1] This article focuses on one aspect of the guidelines that may negatively affect vendors located outside the EEA.
Continue Reading Non-EEA Based Vendors Caught by GDPR’s Long-Arm Provisions

On March 11, 2020, the California Attorney General issued further revisions to the proposed regulations implementing the California Consumer Privacy Act (CCPA).

For context, in passing the CCPA, the legislature directed the California Attorney General to solicit broad public participation and adopt regulations to further the purposes of the CCPA. On October 11, 2019, the California Attorney General issued the first draft of the proposed regulations, imposing obligations on businesses that arguably exceeded the statutory requirements of the CCPA, which were noticed for a 45-day public comment period. On February 10, 2020, after the CCPA had gone into effect and after receiving nearly 1,700 pages of written comments and additional oral comments, the California Attorney General issued a second draft of the proposed regulations, scaling back some of these obligations and adding some helpful clarification. During the subsequent 15-day written public comment period on these proposed changes, approximately 100 written comments spanning 782 pages were submitted.
Continue Reading Third Time’s the Charm? Newest Round of Modifications to Proposed CCPA Regulations Issued by the California Attorney General