Header graphic for print
Privacy Law Blog

Category Archives: Data Privacy Laws

Subscribe to Data Privacy Laws RSS Feed

A Primer on Russia’s New Data Localization Law

Posted in Data Privacy Laws, International

Privacy and data security professionals worldwide should circle September 1 on their calendars, as it’s the day Russia’s new data localization law goes into effect – and possibly generates major waves far beyond Russian shores.  That’s because the law has significant implications for companies that collect personal information from Russian citizens, even if those companies… Continue Reading

Google Declares “Non!” to French Privacy Regulator’s Demands that Google Apply the “Right to be Forgotten” Worldwide

Posted in Data Privacy Laws, European Union, Online Privacy, Right to be Forgotten

In an expected but controversial move, Google has rejected a demand by the French Data Privacy authority CNIL to apply the European “Right to be Forgotten” worldwide. We have covered the E.U.’s Right to be Forgotten before, but here is a quick recap: under the E.U. rule, individuals have the right to require organizations that… Continue Reading

Connecticut Joins States That Protect Personal Online Accounts of Employees

Posted in Data Privacy Laws, Electronic Communications, Online Privacy, Workplace Privacy

Connecticut has joined a list of twenty-one states with a statute designed to preserve the privacy of personal online accounts of employees and limit the use of information related to such accounts in employment decision-making. Legislation directed to online privacy of employees has also passed this year in Montana, Virginia, and Oregon, and such legislation… Continue Reading

Washington State Amends Breach Notification Law to Expand Notification Requirements

Posted in Data Breaches, Data Privacy Laws, HIPAA, Legislation

On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law: Under the current law, businesses and agencies that own or… Continue Reading

AT&T Pays $25 Million in FCC Settlement

Posted in Data Breaches, Data Privacy Laws, Electronic Communications, Mobile Privacy

In the largest ever data security enforcement action taken by the Federal Communications Commission (FCC), AT&T agreed to pay $25 million to resolve an investigation into consumer privacy violations at its call centers in Mexico, Colombia, and the Philippines. The FCC announced the settlement on April 8, 2015, stating that phone companies are expected to “zealously guard” their customers’… Continue Reading

How Safe? – The Future of the US-EU Safe Harbor

Posted in Data Privacy Laws, European Union, International

The US-EU Safe Harbor has been back in the news recently as Germany’s data protection commissioners met at the end of January and expressed impatience at the delay in implementing what many view as necessary reforms to the program. The European Court of Justice also recently heard a challenge to Facebook’s reliance on the Safe… Continue Reading

FTC Issues Report and Privacy Best Practices for the Internet of Things

Posted in Data Privacy Laws, FTC Enforcement

On January 27, 2015 the Federal Trade Commission (the “FTC”) issued a report detailing best practices and recommendations that businesses engaged in the Internet of Things (“IoT”) can follow to protect consumer privacy and security. The IoT refers to the connection of everyday objects to the Internet and the transmission of data between those devices…. Continue Reading

From the Right to be Forgotten to the Right to an “e-Reputation’’: First Enforceability Ordered by French Court under Penalty

Posted in Data Privacy Laws, International, Online Privacy, Privacy Litigation

A few months after the European Court of Justice ruled on May 13, 2014 that search engines are considered personal data controllers under the EU Data Protection Directive of 1995 and, as such, should provide data subjects with a right to be forgotten, a French Tribunal enforced this principle in X & Y v. Google… Continue Reading

European DPA’s Give Privacy Recommendations to Stakeholders Regarding the “Internet of Things”

Posted in Data Privacy Laws

The Article 29 Working Party, which is composed of representatives of DPA’s from every European country, has recently rendered an opinion (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf ) on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified self devices, and domotics. Although such data is generated by “things” or devices, it… Continue Reading

FCC: The New Data Security Sheriff In Town

Posted in Cyber Security, Data Breaches, Data Privacy Laws, Security Breach Notification Laws

Data security seems to make headlines nearly every week, but last Friday, a new player entered the ring.  The Federal Communications Commission (“FCC”) took its first foray into the regulation of data security, an area that has been dominated by the Federal Trade Commission.  In its 3-2 vote, the FCC did not tread lightly –… Continue Reading

California Breaks New Ground in Education Privacy Law with K-12 Student Data Privacy Bill

Posted in California, Children's Online Privacy Protection Act, Cloud Computing, Data Privacy Laws

A substantial rise in schools’ use of online educational technology products has caused educators to become increasingly reliant on these products to develop their curricula, deliver materials to students in real time, and monitor students’ progress and learning habits through the collection of data by third-party cloud computing service providers.  Unfortunately, with these advances come… Continue Reading

Microsoft Ordered to Hand Over Data to the U.S. Government

Posted in Cloud Computing, Data Privacy Laws, International, Invasion of Privacy, Uncategorized

In April, Microsoft tried to quash a search warrant from law enforcement agents in the United States (U.S.) that asked the technology company to produce the contents of one of its customer’s emails stored on a server located in Dublin, Ireland. The magistrate court denied Microsoft’s challenge, and Microsoft appealed. On July 31st, the software… Continue Reading

Massachusetts Enforces Data Security Regulations Against Out-of-State Entity

Posted in Data Breaches, Data Privacy Laws, HIPAA, Privacy Litigation

On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient… Continue Reading

France Facilitates Implementation of Whistleblowing Systems

Posted in Data Privacy Laws

In France, before implementing a whistleblowing process, a company must inform and consult with its employees’ representatives, inform its employees and notify the French Data Protection Agency (CNIL). There are two possible ways to notify the CNIL of a whistleblowing system: request a formal authorization from the CNIL (this is quite burdensome and difficult to… Continue Reading

No Class: Hulu Users Lose Certification Motion

Posted in Data Privacy Laws, Online Privacy, Privacy Litigation, Uncategorized

After a decision denying class certification last week, claims by Hulu users that their personal information was improperly disclosed to Facebook are limited to the individual named plaintiffs (at least for now, as the decision was without prejudice). The plaintiffs alleged Hulu violated the federal Video Privacy Protection Act by configuring its website to include a… Continue Reading

The French Data Protection Authority Fines Google for Breach of French Privacy Laws

Posted in Data Privacy Laws, European Union, Online Privacy

After two years of investigation and proceedings regarding Google’s privacy policy, European Data Protection Authorities (DPAs) are now reaching their final decisions against Google. The French DPA (“CNIL”) issued ,on January 3rd 2014, a decision ruling that Google’s privacy policy did not comply with the French Data Protection laws and imposed a fine of €… Continue Reading

Where do we stand on the territorial scope of EU data protection law following the recent European Parliament vote?

Posted in Data Privacy Laws, European Union, Legislation, Online Privacy

The determination of the territorial scope of the current EU Directive n° 95/46 is still under dispute both before national Courts and the European Court of Justice (ECJ). This issue may soon become moot with the adoption of future data protection regulation, which may modify and expand the territorial scope of EU data privacy law,… Continue Reading

California Amends Data Breach Notification Law

Posted in California, Data Privacy Laws

On September 27, 2013, California Governor Jerry Brown signed into law an amendment to California’s breach notification law (Cal. Civ. Code § 1798.82).  Effective January 1, 2014, under the amended law, the definition of “Personal Information” will be expanded to include “a user name or email address, in combination with a password or security question… Continue Reading

White House Posts Preliminary Cybersecurity Incentives

Posted in Data Breaches, Data Privacy Laws, National Security, Online Privacy

In February of 2013, President Obama signed an executive order with the purpose of creating a cybersecurity framework (or set of voluntary standards and procedures) to encourage private companies that operate critical infrastructure to take steps to reduce their cyber risk (see our blog here). Critical Infrastructure Systems such as the electric grid, drinking water,… Continue Reading

In France, Are Employers Entitled to Access Their Employees’ Personal Emails?

Posted in Data Privacy Laws, Online Privacy, Workplace Privacy

In France, the guiding principle is that emails received or sent by an employee through the employer’s company email account are considered “professional”, which means that the employer can access and read them.  However, French employers must be cautious before accessing their employees’ professional emails because they are not permitted to access emails that have… Continue Reading

California Court of Appeal Says Chevron Can Collect ZIP Code Information for Pay-at-the-Pump Transactions

Posted in California, Data Privacy Laws, Identity Theft, Privacy Litigation

On June 20, 2013, the California Court of Appeal affirmed the dismissal of a putative class action which alleged that Chevron violated California’s Song-Beverly Credit Card Act (“Song-Beverly”) by requiring California customers to enter ZIP codes in pay-at-the-pump gas station transactions in locations with a high risk of fraud. Flores v. Chevron U.S.A. Inc., No…. Continue Reading

Navigating the Patchwork: When Is European Data Privacy Law Applicable to US Companies?

Posted in Data Privacy Laws, European Union, International, Online Privacy

Are social media companies based in the United States subject to European data privacy laws?  Two recent judicial decisions – one in France and the other in Germany – arrived at different answers.  The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal… Continue Reading