FTC Seeks to Move Beyond Notice and Consent to Restrict Data Collection and Use

The FTC indicated that it will use its rulemaking authority under the FTC Act’s Section 18 to create a new rule that will likely seek to rein in broad data collection and use.

In October 2021, FTC Commissioner Rebecca Kelly Slaughter made two speeches in which she expressed a desire to move beyond the FTC’s “notice-and-consent” framework to address broader surveillance practices that underlie the digital advertising economy, specifically by applying “bright-line purpose and use restrictions that minimize the data that can be collected and how it can be deployed.”

Tags: consumer data, consumer protection, data breaches, data collection, data minimization, data privacy, Data Privacy Laws, Federal Trade Comission, FTC, FTC enforcement, ISPs

“Log4Shell” Vulnerability Has Potential to Compromise Millions of Devices

By Ryan P. Blaney, Will S. Chuchawat and Vincent J. Tennant on December 13, 2021 Posted in Cybersecurity, Data Privacy Laws, Invasion of Privacy, Privacy Law

Cybersecurity experts around the world are scrambling to sound the alarm about a newly discovered security vulnerability that could be used by attackers to easily infiltrate computer systems. Continue Reading

Tags: “Log4Shell” Vulnerability, cloud computing, cloud service vendors, cyber attack, cybersecurity, logging, privacy law, technology, Vendor Supply Chain Attack

UK Supreme Court Landmark Decision Limits Data Privacy Class Actions in the UK

By Steven Baker, Alexis L. Namdar, Kelly McMullon and Julia Bihary on November 10, 2021 Posted in Data Privacy Laws, European Union, GDPR, Privacy Law, Privacy Litigation

The UK Supreme Court handed down its much-anticipated decision in the Lloyd v Google LLC [2021] UKSC 50 case on 10 November 2021 restricting claimants’ ability to bring data privacy class actions in the UK under the (now repealed) Data Protection Act 1998 (DPA 1998). This decision will be persuasive (though not binding) with respect to similar class actions brought under the (in-force) UK General Data Protection Regulation and the Data Protection Act 2018 (collectively, the UK GDPR). This decision will not directly impact litigation brought under the EU General Data Protection Regulation in EU member states. Continue Reading

Tags: Data Privacy Laws, Data Protection Act 1998, General Data Protection Regulation (GDPR), Lloyd v Google LLC, privacy litigation, UK GDPR, UK General Data Protection Regulation, UK Supreme Court

Litigation Update on Illinois’ Biometric Information Privacy Act

By Brooke Gottlieb on October 4, 2021 Posted in Biometrics, Privacy Law, Privacy Litigation

Earlier this year, we reported on the potential breeding ground for litigation under Illinois’ Biometric Information Privacy Act (“BIPA”). A recent decision from an Illinois state appellate panel on the different limitations periods that apply to BIPA provides guidance for companies faced with a BIPA lawsuit and the arguments they can make on a motion to dismiss.

Read the full post on Proskauer’s Minding Your Business blog.

Tags: biometric identifier, Biometric Information Privacy Act, BIPA, BIPA Violations, CLASS ACTION LAWSUIT, ILLINOIS CODE OF CIVIL PROCEDURE, privacy, privacy law

English High Court Clarifies Appropriate Causes of Action in Data Claim Where Defendant Was a Victim of Third-Party Cyber-Attack

By Steven Baker, Vishnu V. Shankar and Julia Bihary on October 4, 2021 Posted in Cybersecurity, Data Breaches, Data Privacy Laws

In the recent and significant Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) decision the High Court in England clarified the limited circumstances in which claims for breach of confidence, misuse of private information and the tort of negligence might be advanced by individuals for compensation for distress relating to a cyber-security breach where the proposed defendant was itself a victim of a third-party cyber-attack. The decision has made it harder to bring free standing/non-statutory cyber-security breach claims in England and Wales where the proposed defendant has not positively caused the breach, and has also brought into question how such claims may be funded going forward (particularly, via “After-the-Event insurance” (“ATE insurance”)).

Tags: After-the-Event insurance (ATE Insurance), Breach of confidence, Breach of statutory duty, Common law negligence, cyber attack, data breach, data breach litigation, Data Protection Act, Information Commissioner's Office, misuse of private information, third-party cyber attack

INDEPTH: Data Protection & Privacy Laws 2021

By Ryan P. Blaney and Margaret A. Dale on August 12, 2021 Posted in Cybersecurity, Data Privacy Laws, Privacy Law

A heightened risk for cyberattacks and data breaches calls for companies to remain diligent as they navigate a patchwork of federal, state, local and sector-specific privacy and data protection laws, regulations and guidance. For Financier Worldwide, Margaret A. Dale and Ryan P. Blaney deliver commentary on the evolving landscape and offer considerations for companies looking to enhance their controls and risk management processes.

Read the Q&A here.

Tags: cyber attack, cybersecurity, data breach, Data Privacy Laws, data protection, data secuity, privacy law

Navigating the New Standard Contractual Clauses for International Data Transfers under the GDPR

By Ryan P. Blaney, Vishnu V. Shankar and Kelly McMullon on June 7, 2021 Posted in Cybersecurity, Data Privacy Laws, GDPR, International, Privacy Law

The final version of the new standard contractual clauses (“SCCs”) were published by the European Commission on June 4, 2021. Many organizations that transfer or receive personal data originating in the European Economic Area (“EEA”) outside the EEA will be required to implement these SCCs with their customers, suppliers and affiliates by December 2022 to comply with the EU General Data Protection Regulation (“GDPR”). This is perhaps the most significant GDPR development since the passage of the GDPR. We had foreshadowed this impending development last week. Continue Reading

Tags: Controller-to-Controller, cybersecurity, European Commission, European Data Protection Board (EDPB), European Union (EU), General Data Protection Regulation (GDPR), international privacy, personal data, Processor-to-Processor, Schrems privacy impact assessments, standard contractual clauses, third party beneficiaries, transfer diligence, transfer impact assessment (TIA), UK data protection law, UK GDPR

This website uses third party cookies, over which we have no control. To deactivate the use of third party advertising cookies, you should alter the settings in your browser.