Privacy

Subscribe to Privacy via RSS

On April 15, 2019, the French Data Protection Authority (CNIL) published its 2018 activity report and announced its 2019 enforcement agenda. The CNIL’s message is clear: if some leniency was tolerated in 2018, this transitional period for GDPR enforcement is now over. Going forward, the CNIL will adopt a stricter approach when investigating companies’ GDPR compliance and make full use of its enforcement powers, including the power to fine.

Background

As of May 25, 2018, the EU General Data Protection Regulation (GDPR) imposes new and strict obligations on companies processing personal data. Most EU privacy regulators adopted a somewhat lenient approach when enforcing the new rules. Beside the €50 million fine against Google in early 2019, the CNIL has not made broad use of its enforcement powers since the GDPR became effective. All in all, 2018 was a transition year to allow companies to bring their practices into compliance.Continue Reading The French Data Protection Authority Announces Stricter Enforcement

On March 21, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued an opinion (opinion) in the Planet49 case[1] on what constitutes valid consent for cookies under the Data Protection Directive, the GDPR, and the e-Privacy Directive.

In particular, the AG opines that: 1) a pre-ticked checkbox that users must untick to refuse consent does not constitute valid consent; 2) consent for cookies should not be bundled with other consents; and 3) users must be informed about the cookies’ lifespan and the third parties accessing the cookies. AG opinions are not binding on the CJEU, but are often influential. If the CJEU follows the AG Opinion, it will likely impact widely-adopted cookie consent practices in the EU and underlying business models that rely on such consent.
Continue Reading CJEU Advocate General Opinion Calls for Active and Separate Cookie Consents

On January 23, 2019, the European Data Protection Board (EDPB) issued an opinion (Opinion) on the interplay between the Clinical Trial Regulation (CTR) and the General Data Protection Regulation (GDPR), an issue which has been the subject of intense debate and that resulted in a draft, and still non-public, FAQ prepared by the EU Commission. The Opinion comments on the draft FAQ and provides some insight on data protection regulators’ view on how the GDPR applies to patient data collected as a part of a clinical trial.

In short, the EDPB takes the position that consent under the GDPR, and informed consent under the CTR, are different concepts, and that various legal grounds, including consent, are available under the GDPR to process patient personal data in the clinical trial context. Practically speaking, organizations will have to conduct a case-by-case assessment of the various options available.
Continue Reading EDPB Opinion on Consent and Legal Basis in Clinical Trials

On September 23, 2018, Governor Jerry Brown signed into law SB-1121, a bill that makes several amendments to the California Consumer Privacy Act (CCPA or the Act). The controversial privacy law, which is set to take effect in 2020, recently sparked a war of words among industry, privacy advocates, and the California Attorney General, each of whom sent letters to the California legislature urging amendments to the legislation. The California Chamber of Commerce, along with 36 business coalitions (Industry), submitted a letter to California Senator Bill Dodd in August, calling the Act “unworkable,” urging both technical and substantive cleanup of the Act, and introducing 21 proposed amendments. A coalition of 20 consumer privacy advocate groups (Advocates) responded with their own letter, highlighting the negative consequences Industry’s proposed changes would have on consumer rights.

The Industry and Consumer Advocates did not wholly disagree. Both coalitions urge the legislature to make technical fixes, such as clarification that businesses do not have to collect extra information to comply with the Act, as well as clarification of the definition of de-identified information. The California Attorney General also weighed in with comments, requesting specific amendments and additional time to issue regulations. In response to the input from these various stakeholders, the legislature amended the Act on August 31, 2018 and sent it to the Governor’s desk. This article sets forth the principal issues discussed in the letters and the legislature’s response.
Continue Reading California Consumer Privacy Act: Industry, Advocate, and Enforcement Concerns and Legislative Amendments

Recently, Vermont became the first state to enact legislation that regulates data brokers who buy and sell personal information. Under the new law, data brokers in Vermont will now have to register with the state, adopt standard security measures, and provide information to the state regarding their data collection practices. The law was passed in response to reported risks associated with the widespread aggregation and sale of data about consumers, and is intended to provide consumers with more information about data brokers and their data collection practices.
Continue Reading Vermont Enacts Groundbreaking Data Broker Regulation