Privacy Law Blog

Category Archives: Data Privacy Laws

European DPAs Give Privacy Recommendations to Stakeholders Regarding the “Internet of Things”

Posted in Data Privacy Laws

The Article 29 Working Party, which is composed of representatives of DPAs from every European country, has recently rendered an opinion (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf) on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified self devices, and domotics. Although such data is generated by “things” or devices, it… Continue Reading

FCC: The New Data Security Sheriff In Town

Posted in Cyber Security, Data Breaches, Data Privacy Laws, Security Breach Notification Laws

Data security seems to make headlines nearly every week, but last Friday, a new player entered the ring.  The Federal Communications Commission (“FCC”) took its first foray into the regulation of data security, an area that has been dominated by the Federal Trade Commission.  In its 3-2 vote, the FCC did not tread lightly –… Continue Reading

California Breaks New Ground in Education Privacy Law with K-12 Student Data Privacy Bill

Posted in California, Children's Online Privacy Protection Act, Cloud Computing, Data Privacy Laws

A substantial rise in schools’ use of online educational technology products has caused educators to become increasingly reliant on these products to develop their curricula, deliver materials to students in real time, and monitor students’ progress and learning habits through the collection of data by third-party cloud computing service providers.  Unfortunately, with these advances come… Continue Reading

Microsoft Ordered to Hand Over Data to the U.S. Government

Posted in Cloud Computing, Data Privacy Laws, International, Invasion of Privacy, Uncategorized

In April, Microsoft tried to quash a search warrant from law enforcement agents in the United States (U.S.) that asked the technology company to produce the contents of one of its customer’s emails stored on a server located in Dublin, Ireland. The magistrate court denied Microsoft’s challenge, and Microsoft appealed. On July 31st, the software… Continue Reading

Massachusetts Enforces Data Security Regulations Against Out-of-State Entity

Posted in Data Breaches, Data Privacy Laws, HIPAA, Privacy Litigation

On July 23, 2014, the Massachusetts Attorney General announced a consent judgment with an out-of-state Rhode Island hospital, Women & Infants Hospital of Rhode Island (“WIH” or the “Hospital”), resolving a lawsuit against WIH for violations of federal and state information security and privacy laws involving the loss of over 12,000 Massachusetts residents’ sensitive patient… Continue Reading

France Facilitates Implementation of Whistleblowing Systems

Posted in Data Privacy Laws

In France, before implementing a whistleblowing process, a company must inform and consult with its employees’ representatives, inform its employees and notify the French Data Protection Agency (CNIL). There are two possible ways to notify the CNIL of a whistleblowing system: request a formal authorization from the CNIL (this is quite burdensome and difficult to… Continue Reading

No Class: Hulu Users Lose Certification Motion

Posted in Data Privacy Laws, Online Privacy, Privacy Litigation, Uncategorized

After a decision denying class certification last week, claims by Hulu users that their personal information was improperly disclosed to Facebook are limited to the individual named plaintiffs (at least for now, as the decision was without prejudice). The plaintiffs alleged Hulu violated the federal Video Privacy Protection Act by configuring its website to include a… Continue Reading

The French Data Protection Authority Fines Google for Breach of French Privacy Laws

Posted in Data Privacy Laws, European Union, Online Privacy

After two years of investigation and proceedings regarding Google’s privacy policy, European Data Protection Authorities (DPAs) are now reaching their final decisions against Google. The French DPA (“CNIL”) issued, on January 3rd 2014, a decision ruling that Google’s privacy policy did not comply with the French Data Protection laws and imposed a fine of €… Continue Reading

Where do we stand on the territorial scope of EU data protection law following the recent European Parliament vote?

Posted in Data Privacy Laws, European Union, Legislation, Online Privacy

The determination of the territorial scope of the current EU Directive n° 95/46 is still under dispute both before national Courts and the European Court of Justice (ECJ). This issue may soon become moot with the adoption of future data protection regulation, which may modify and expand the territorial scope of EU data privacy law,… Continue Reading

California Amends Data Breach Notification Law

Posted in California, Data Privacy Laws

On September 27, 2013, California Governor Jerry Brown signed into law an amendment to California’s breach notification law (Cal. Civ. Code § 1798.82).  Effective January 1, 2014, under the amended law, the definition of “Personal Information” will be expanded to include “a user name or email address, in combination with a password or security question… Continue Reading

White House Posts Preliminary Cybersecurity Incentives

Posted in Data Breaches, Data Privacy Laws, National Security, Online Privacy

In February of 2013, President Obama signed an executive order with the purpose of creating a cybersecurity framework (or set of voluntary standards and procedures) to encourage private companies that operate critical infrastructure to take steps to reduce their cyber risk (see our blog here). Critical Infrastructure Systems such as the electric grid, drinking water,… Continue Reading

In France, Are Employers Entitled to Access Their Employees’ Personal Emails?

Posted in Data Privacy Laws, Online Privacy, Workplace Privacy

In France, the guiding principle is that emails received or sent by an employee through the employer’s company email account are considered “professional”, which means that the employer can access and read them.  However, French employers must be cautious before accessing their employees’ professional emails because they are not permitted to access emails that have… Continue Reading

California Court of Appeal Says Chevron Can Collect ZIP Code Information for Pay-at-the-Pump Transactions

Posted in California, Data Privacy Laws, Identity Theft, Privacy Litigation

On June 20, 2013, the California Court of Appeal affirmed the dismissal of a putative class action which alleged that Chevron violated California’s Song-Beverly Credit Card Act (“Song-Beverly”) by requiring California customers to enter ZIP codes in pay-at-the-pump gas station transactions in locations with a high risk of fraud. Flores v. Chevron U.S.A. Inc., No…. Continue Reading

Navigating the Patchwork: When Is European Data Privacy Law Applicable to US Companies?

Posted in Data Privacy Laws, European Union, International, Online Privacy

Are social media companies based in the United States subject to European data privacy laws?  Two recent judicial decisions – one in France and the other in Germany – arrived at different answers.  The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal… Continue Reading

Shine the Light a Little Brighter – Changes Resulting in Increased Customer Access Proposed to California’s “Shine the Light” Act

Posted in California, Data Privacy Laws, Online Privacy

California Assembly Member, Bonnie Lowenthal, recently introduced the “Right to Know Act of 2013” (AB 1291), which would require any company that retains a California resident’s personal information to provide a copy of that information to that person, free of charge, within 30 days of the request. The company would also have to disclose a… Continue Reading

Six European Data Protection Authorities Will Launch Legal Actions against Google Stemming from its Privacy Policy

Posted in Behavioral Marketing, Data Privacy Laws, European Union, International, Online Privacy, Privacy Litigation

The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection, available at http://eur-lex.europa.eu/en/index.htm, (the “Directive”).

Massachusetts Supreme Court Rules ZIP Codes Are Definitely “Personal Identification Information”

Posted in Data Privacy Laws

In a recent ruling arising from certain certified questions in Tyler v. Michaels Stores, Inc., Civ. No. 11-10920-WGY (D. Mass. Jan. 6, 2012), the Massachusetts Supreme Court interpreted “personal identification information” under Mass. Gen. Laws, ch. 93, § 105(a) to include a consumer’s ZIP code and determined that collecting such personal information is… Continue Reading

President Obama Signs Executive Order on Cybersecurity

Posted in Data Breaches, Data Privacy Laws, National Security, Online Privacy

As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity.  The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing… Continue Reading

China Introduces New Data Privacy Law

Posted in Data Privacy Laws, Online Privacy

On December 28, 2012, the Standing Committee of China’s National People’s Congress, China’s legislative body, passed the “Decision on Strengthening Network Information Protection” (the “Decision”), which contains various principles for protecting, collecting and using electronic personal information in China.  According to the Decision, these principles were passed in order to protect network information security, protect… Continue Reading

California Supreme Court Holds Online Retailers of Downloadable Products May Require Personally Identifying Information For Credit Card Transactions

Posted in California, Data Privacy Laws, Financial Privacy, Online Privacy

The California Supreme Court held on February 4, 2013 that the provision of the Song-Beverly Credit Card Act of 1971 (the “Act”) prohibiting retailers from requesting personally identifying information as a condition to processing credit card transactions does not apply to online purchases of electronically downloadable items. (Apple v. Super. Ct., S199384, Case No. B238097,… Continue Reading

Massachusetts AGO Enters Into Another Settlement For Data Security Violations

Posted in Data Breaches, Data Privacy Laws, HIPAA, Medical Privacy

For the fourth time since the Massachusetts data security regulations took effect in March 2010, the Massachusetts Attorney General’s Office (“AGO”) has settled allegations that Massachusetts-based entities violated the regulations.  On January 7, 2013, Suffolk Superior Court approved consent judgments pursuant to which five entities agreed to collectively pay $140,000 to settle allegations that they… Continue Reading

The UK Information Commissioner’s Office Seeks Views on Privacy Seals

Posted in Data Privacy Laws

The European Commission’s revised data protection framework proposals include provisions intended to encourage the use of data protection privacy seals, certification mechanisms and trust marks.  These provisions would allow data subjects to instantly assess the privacy standards applied by data controllers and processors, thereby providing the comfort that data subjects often seek.  The UK Information… Continue Reading

Alternative Trading System Agrees to Pay $800K for Failure to Protect Confidential Information

Posted in Data Privacy Laws, Financial Privacy

Earlier this month, the Securities and Exchange Commission (“SEC”) instituted public administrative and cease and desist proceedings against eBX, LLC (“eBX”), a broker-dealer registered with the SEC.  eBX operates LeveL ATS, an alternative trading system (“ATS”) known as a “black pool,” which is a proprietary market where traders may exchange large blocks of stock with… Continue Reading