Privacy Law Blog

Category Archives: Data Privacy Laws


Delaware Enacts Comprehensive Online Privacy Protection Law

On January 1, 2016, the Delaware Online Privacy and Protection Act (“DOPPA”), a law that provides strong online privacy protection for Delaware residents, will go into force. The new law targets three areas of compliance: (1) advertising to children; (2) conspicuous posting of a compliant privacy policy; and (3) enhancing the privacy protections of users … Continue Reading

California Gives the Fourth Amendment a 21st Century Makeover

The average American today generates more media than they did at any other point in history, and the ease with which our communications, photos, and videos are sent and stored digitally means most of us have more media stored in the cloud or on a single digital device than previous generations would have created in … Continue Reading

The European Commission Issues Guidance on Alternative Cross-Border Data Transfer Tools

Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States.  The Commission also stated its objective to conclude negotiations with … Continue Reading

German DPAs Announce Policy Severely Limiting Mechanisms for Lawful Germany-to-U.S. Data Transfers

Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations. News out of Germany, however, indicates that a one-size-fits-all approach … Continue Reading

SEC Cybersecurity Update

Results from the SEC’s First Round of Cybersecurity Examinations. On February 3, 2015, the OCIE published a risk alert summarizing its findings from its examinations of over 100 registered investment advisers and broker-dealers. The examinations were conducted as part of the OCIE’s cybersecurity examination initiative, announced in April 2014, to assess cybersecurity preparedness in the … Continue Reading

Article 29 Working Party Issues Statement Following Landmark CJEU Safe Harbor Ruling

Since the Article 29 Working Party on the Protection of Individuals (“WP29”) announced last week that it would shortly issue a statement on the landmark CJEU ruling invalidating the Safe Harbor Decision (Schrems v. Data Protection Commissioner (C-362-14)), we have been awaiting their guidance. Today, the WP29 issued an important statement offering some … Continue Reading

A German DPA Questions the Validity of the Use of Consent and Model Contractual Clauses to Transfer Personal Data to the U.S.

Just one week after the milestone decision rendered by the CJEU to invalidate the Safe Harbor program established 15 years ago between the U.S. and the EU to facilitate the transfer of personal data from the EU to the U.S., a German data protection authority (DPA) issued a position paper where it states that, … Continue Reading

Uncertainty for the U.S.-EU Safe Harbor Intensified by Non-Binding Recommendation for EU High Court

In a non-binding opinion issued on September 23, 2015, an Advocate General for the European Court of Justice (“ECJ”) recommended that the ECJ suspend the U.S.-EU Safe Harbor program (“Safe Harbor”) and reexamine whether the Safe Harbor provides adequate protection for personal data of EU citizens.  In light of its non-binding nature, the opinion did … Continue Reading

A Primer on Russia’s New Data Localization Law

Privacy and data security professionals worldwide should circle September 1 on their calendars, as it’s the day Russia’s new data localization law goes into effect – and possibly generates major waves far beyond Russian shores.  That’s because the law has significant implications for companies that collect personal information from Russian citizens, even if those companies … Continue Reading

Google Declares “Non!” to French Privacy Regulator’s Demands that Google Apply the “Right to be Forgotten” Worldwide

In an expected but controversial move, Google has rejected a demand by the French Data Privacy authority CNIL to apply the European “Right to be Forgotten” worldwide. We have covered the E.U.’s Right to be Forgotten before, but here is a quick recap: under the E.U. rule, individuals have the right to require organizations that … Continue Reading

Connecticut Joins States That Protect Personal Online Accounts of Employees

Connecticut has joined a list of twenty-one states with a statute designed to preserve the privacy of personal online accounts of employees and limit the use of information related to such accounts in employment decision-making. Legislation directed to online privacy of employees has also passed this year in Montana, Virginia, and Oregon, and such legislation … Continue Reading

Washington State Amends Breach Notification Law to Expand Notification Requirements

On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law: Under the current law, businesses and agencies that own or … Continue Reading

AT&T Pays $25 Million in FCC Settlement

In the largest ever data security enforcement action taken by the Federal Communications Commission (FCC), AT&T agreed to pay $25 million to resolve an investigation into consumer privacy violations at its call centers in Mexico, Colombia, and the Philippines. The FCC announced the settlement on April 8, 2015, stating that phone companies are expected to “zealously guard” their customers’ … Continue Reading

FTC Issues Report and Privacy Best Practices for the Internet of Things

On January 27, 2015, the Federal Trade Commission (the “FTC”) issued a report detailing best practices and recommendations that businesses engaged in the Internet of Things (“IoT”) can follow to protect consumer privacy and security. The IoT refers to the connection of everyday objects to the Internet and the transmission of data between those devices. … Continue Reading

From the Right to be Forgotten to the Right to an “e-Reputation”: First Enforceability Ordered by French Court under Penalty

A few months after the European Court of Justice ruled on May 13, 2014 that search engines are considered personal data controllers under the EU Data Protection Directive of 1995 and, as such, should provide data subjects with a right to be forgotten, a French Tribunal enforced this principle in X & Y v. Google … Continue Reading

European DPA’s Give Privacy Recommendations to Stakeholders Regarding the “Internet of Things”

The Article 29 Working Party, which is composed of representatives of DPAs from every European country, has recently rendered an opinion on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified self devices, and domotics. Although such data is generated by “things” or devices, it … Continue Reading

FCC: The New Data Security Sheriff In Town

Data security seems to make headlines nearly every week, but last Friday, a new player entered the ring.  The Federal Communications Commission (“FCC”) took its first foray into the regulation of data security, an area that has been dominated by the Federal Trade Commission.  In its 3-2 vote, the FCC did not tread lightly – … Continue Reading

California Breaks New Ground in Education Privacy Law with K-12 Student Data Privacy Bill

A substantial rise in schools’ use of online educational technology products has caused educators to become increasingly reliant on these products to develop their curricula, deliver materials to students in real time, and monitor students’ progress and learning habits through the collection of data by third-party cloud computing service providers.  Unfortunately, with these advances come … Continue Reading

Microsoft Ordered to Hand Over Data to the U.S. Government

In April, Microsoft tried to quash a search warrant from law enforcement agents in the United States (U.S.) that asked the technology company to produce the contents of one of its customer’s emails stored on a server located in Dublin, Ireland. The magistrate court denied Microsoft’s challenge, and Microsoft appealed. On July 31st, the software … Continue Reading

Massachusetts Enforces Data Security Regulations Against Out-of-State Entity

On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient … Continue Reading