Privacy Law Blog

Indian Supreme Court Declares the Right to Privacy a Constitutionally-Protected Fundamental Right

In a landmark decision, a nine judge bench of the Supreme Court of India ruled today that privacy is a fundamental right protected by the Constitution of India.

Background

Due to the volume of cases brought before the Supreme Court of India, cases are generally heard by benches consisting of a subset of the ten justices of the Supreme Court. The question of whether there is a constitutionally protected right to privacy arose in a 2015 case brought before a three judge bench of the Indian Supreme Court challenging the legal validity of the Government of India’s Aadhaar program.  Under the Aadhaar program, the Unique Identification Authority of India (UIDAI), an Indian government authority, is charged to assign a twelve digit unique identification number (UID) to each of the over 1.3 billion residents of India.  Each resident’s UID is linked to certain biometric information of the resident including his/her photograph, fingerprints and iris scans.  The UIDs are used by the government for a variety of purposes including to eliminate fraud in connection with the dispensing of benefits under various government welfare programs.  The three judge bench in the Aadhaar case determined that to assess the case appropriately, a determination of whether the right to privacy is a fundamental right protected by the Constitution of India was required by a larger bench of Indian Supreme Court justices.  Given that the 1954 case of M.P. Sharma et al. v. Satish Chandra, District Magistrate, Delhi et al. holding that privacy is not a right guaranteed by the Indian Constitution was decided by an eight judge bench, a larger bench of nine Supreme Court justices was convened to determine whether the rationale of the M.P. Sharma judgment and others which similarly found that the Indian Constitution does not guarantee a right of privacy was based on “jurisprudential correctness.”  This bench of nine justices of the Indian Supreme Court listened to arguments presented over six long days spread over three weeks. Continue Reading

A Year in Review: FTC Data Privacy Actions and its Impacts on 2017 and Beyond

Whether it means taking a prominent role shaping data security for the Internet of Things, or addressing high profile breaches, the FTC has adopted an active position in policing data privacy and security. And, as data becomes increasingly digital in its form and protections, data security is of paramount importance for all types of intelligence—whether financial, medical, or otherwise sensitive.  The Commission’s emphasis on these areas has not slowed, even as the composition of the Bureau of Consumer Protection changes under a new administration.  The FTC’s actions over the past year reflect that Commission’s continued emphasis on data privacy and its recent data privacy settlements have provided companies with a trail of breadcrumbs from which they can extract lessons learned and help avoid potential FTC scrutiny.

Continue Reading

The Health Care Industry Cybersecurity Task Force Prompts HHS to Issue a Revised HIPAA Breach Reporting Tool

Congress established the Health Care Industry Cybersecurity Task Force (the “Task Force”) in the Cybersecurity Act of 2015 (the “Act”) to address the challenges the health care industry faces when securing and protecting itself against cybersecurity incidents.  While all health care delivery organizations have a responsibility to secure their systems and patient data, many organizations face significant resource constraints, which hinders their ability to do so.  As a result, the public has seen an increase in ransomware attacks and large privacy breaches, which inevitably affects patient care.

Continue Reading

Update on FCC Privacy Rules

We previously reported on the FCC’s 2016 Privacy Order, “Protecting the Privacy of Customers of Broadband and Other Telecommunications Services” impacting Internet service providers’ data privacy practices and obligations and the corresponding timeline for compliance. Intervening events, however, have made the rules imposed by the 2016 Privacy Order moot. On June 26, 2017, the FCC adopted a new order providing guidance on reinstating the pre-2016 Privacy Order regulations. This order was issued pursuant to a joint resolution of Congress under the Congressional Review Act, signed by the President on April 3, 2017, disapproving the FCC’s 2016 Privacy Order. As a result, the 2016 Privacy Order has “no force or effect.” FCC Chairman, Ajit Pai, stated that the purpose of the new order is to “simply make clear that the privacy rules that were in effect prior to 2016 are once again effective.”

Continue Reading

What Employers Need to Know about Europe’s General Data Protection Regulation

Proskauer has released a white paper on “What Employers Need to Know about Europe’s General Data Protection Regulation.” As you may know, on April 14, 2016, the European Parliament approved the General Data Protection Regulation (“GDPR”), which will replace the EU’s current data privacy standard and begin to apply on May 25, 2018. This paper provides a broad overview of the ways in which the GDPR will change data protection regulations across the EU, focusing on employee data and how it is treated differently from consumer data. This paper also highlights key areas of change from the current state of the law and suggests proactive steps an employer may take to better prepare for May 25, 2018. This is meant as a guide to assist employers with planning for and achieving compliance before the May 25th deadline. EU data privacy is an enormous challenge for multi-national companies, and many U.S. based companies doing business in the EU are struggling with what they need to do in order to get into compliance with the GDPR with respect to collecting, processing and transferring employee data. To read Proskauer’s full white paper titled, “What Employers Need to Know about Europe’s General Data Protection Regulation” please click here.

GDPR Compliance Update: Which Government Authorities Have Issued Official GDPR Guidance?

This post provides an update as to the current status of official GDPR-related guidance. With a little under a year remaining until the European Union’s General Data Protection Regulation (GDPR) becomes enforceable, companies are on the lookout for any interpretive guidance from EU or member state authorities that will help them focus their compliance efforts. The EU’s Article 29 Working Party (WP29) thus far has adopted guidelines relating to data portability, the identification of lead supervisory authorities, and the role of data protection officers, and has issued draft guidelines on data protection impact assessments (DPIAs, also known as “Privacy Impact Assessments”). Additionally, EU member states – led by Germany –are beginning to pass laws meant to complement the GDPR and legislate in areas the GDPR leaves to the member states.  These laws also provide some clues as to how the GDPR will take effect on a country-by-country basis.

Continue Reading

A Primer on China’s New Cybersecurity Law: Privacy, Cross-Border Transfer Requirements, and Data Localization

China’s new Cybersecurity Law is one of the most important pieces of privacy and cybersecurity legislation we’ll see this year, and companies of all sizes need to be aware of its requirements – regardless of whether or not they have a physical presence in China. The new law goes into effect on June 1, 2017, meaning that companies have a few weeks left to familiarize themselves with the law and work on achieving compliance.  However, simply reviewing the law itself is not enough: in order to truly understand its requirements, it is important to step back and view the law in the context of the Chinese legal system more generally.  This post provides a breakdown of this complex new law and its implications for businesses, and provides additional context needed to understand the Chinese privacy law landscape from a more holistic perspective.

Continue Reading

LexBlog