Proskauer on Privacy

EU-U.S. and UK-U.S. Data Transfer Deals Advance with White House Executive Order

A new legal mechanism to allow for transfers of personal data between the EU and the U.S. is now advancing after an October 7th, 2022 Executive Order was issued by U.S. President Biden (the “Executive Order”). The new mechanism is referred to as the EU-U.S. Data Privacy Framework (the “Framework”) and is intended to replace the now-defunct EU-U.S. Privacy Shield mechanism. Specifically, the Executive Order provides data protections that enable the potential creation of the Framework, which first debuted in a joint press conference in March 2022. Similar progress has also been made on an equivalent data transfer arrangement between the UK and U.S. governments. If realized and implemented, the Framework has the potential to lower legal barriers for personal data transfers between the EU and the UK, and the U.S.

Held to Ransom: How Cyberattacks Can Become a Legal and Regulatory Odyssey for a Private Investment Fund

Where business-critical information or platforms are at stake, many commercial parties will seriously consider immediately paying the ransom hoping to regain control of operations, secure client data and avoid continued business disruption and negative publicity. However, businesses may wish to pause. Cyberattacks, by their very nature, know no borders and nor therefore should a private fund’s response.

In the first of this two-part series for Cybersecurity Law Report, Proskauer outlines immediate incident response steps and analyses whether to pay a ransom, from U.S., U.K. and E.U. perspectives.


Happy “Labor …” More Privacy Rights for Employees: California Legislature Closes Session Without Extending Employee and B2B Data Exemptions Under the CCPA

As summer nears its end, uncertainty and complexity lie ahead for many companies as they evaluate how to operationalize compliance with the California Privacy Rights Act (CPRA), existing California employment laws and potentially the passage of a federal privacy law, the American Data Protection and Privacy Act, H.R. 8152 (ADPPA), that may preempt some but not all rights under the CCPA and the CPRA. To increase the headache for companies doing business in California, two business-friendly exemptions are set to expire at the end of the year.

On August 31, 2022, the final day of the 2022 California legislative session, the legislature failed to extend exemptions that would have excluded certain employee and human resource (HR) related personal information collected within the business context from the scope of the California Consumer Privacy Act (CCPA) when the CPRA amendments to the CCPA go into effect on January 1, 2023. It should also be noted that similar CCPA exemptions for personal information collected in the course of certain business-to-business (B2B) transactions or communications were not extended. Thus, on January 1, 2023, the current CCPA exemptions for HR and B2B information will sunset and the CPRA will go into effect without such exemptions that businesses have relied upon for the last several years, making California the first state to have a comprehensive data privacy law covering HR data. In short, beginning next year, employers will have to honor the host of data privacy rights under the CCPA not only for consumer data, but also for HR data concerning employees, job applicants and independent contractors (unless another exception within the CCPA applies).


Message Sent! California Attorney General Announces $1.2 Million CCPA Settlement with Retailer and Its Focus on the Sale of Customer Information

On August 24, 2022, California Attorney General (AG) Rob Bonta announced a settlement with beauty products retailer, Sephora USA, Inc. (“Sephora”), resolving claims that Sephora violated the California Consumer Privacy Act (CCPA) for, among other things, failing to disclose to consumers that it was selling their personal information (including precise location data) and failing to honor opt-out requests via global privacy controls (GPC) broadcast from users’ web browsers. The proposed settlement has been submitted to a California state court for approval.

Businesses That Use Consumer Data or Data Products (Everyone?) Take Heed: FTC Moves Ahead with Rulemaking Process on “Commercial Surveillance” Practices

On August 11, 2022, the Federal Trade Commission (FTC) issued an Advance Notice of Proposed Rulemaking (ANPR) and announced it was exploring a rulemaking process to “crack down on harmful commercial surveillance” and lax data security.  The agency defines commercial surveillance as “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information.”

Read the full post on Proskauer’s New Media and Technology Law Blog.

DOJ’s Civil Cyber-Fraud Initiative Secures More Than $9 Million in Two False Claims Act Settlements for Alleged Cybersecurity Violations

Last fall, the United States Department of Justice (“DOJ”) launched its Civil Cyber-Fraud Initiative (“CCFI”) as part of its effort to “combat new and emerging cyber threats to the security of sensitive information and critical systems.” Led by the Civil Fraud Section of DOJ’s Commercial Litigation Branch, the CCFI leverages the False Claims Act (“FCA”) to prosecute, in part, government contractors and federal grant recipients for cybersecurity-related fraud.

“A Full Plate”: FTC’s Open Meeting on PBMs, AI, Privacy and Online Harms

During a much anticipated Open Commission Meeting announced by Commission Chair Lina M. Khan, the Federal Trade Commission (“FTC”) voted in favor of issuing one new policy statement and one new report to Congress.

