Category Archives: GDPR

Anonymization and the GDPR – Clarity from the European Courts? Not so Fast!

As we’ve written about before, the question of anonymization can be tricky.  When is something “anonymized” or merely “de-identified” or “pseudonymous” — and when does it matter?  This is a particularly fraught issue under the GDPR, where the text of the regulation creates practical compliance complications under various scenarios.

But in an important recent decision, the European General Court (or EGC, which hears actions against EU institutions,…

State Data Privacy Law Development Proceeds Apace

2023 is turning out to be the year of the state privacy law, including new laws in five states with the possibility of more to come.  Indeed, in recent days both Indiana and Iowa have likewise passed new statutes, which we will detail in a forthcoming blog.  These new laws, which are largely inspired by the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”),…

Time to Update Your Cookie Banners? Helpful Guidance from the European Data Protection Board on Bad Cookie Banner Practices

When it comes to website privacy compliance, cookies have consistently presented the most fraught issues for U.S. businesses.  This is especially true for those businesses that find themselves in a sometimes new or often uncertain relationship with the EU or UK GDPR.  Do I need a cookie banner?  Where does it go?  How big does it have to be?  Will a privacy policy alone do?  Can’t users just be directed to the appropriate place to disable their browser’s cookie collection? …

Looking to a New EU-US Data Privacy Framework

As we wrote in July 2020, the European Court of Justice issued a landmark decision that invalidated the Privacy Shield as untenable under the European General Data Protection Regulation (GDPR). The decision sparked negotiations between the United States and the European Union on a workable data privacy framework. And after a two-year long hiatus, the U.S. and the EU agreed on a replacement for the Privacy Shield.…

China Adopts New Data Security Law

On June 10, 2021, China adopted a new Data Security Law that will impact every business operating in or doing business with China. The law, which will take effect in less than a month (September 1, 2021), is sweeping in scope, imposes extensive data processing obligations, and establishes potentially severe penalties for violations. Although many of the details surrounding implementation remain unclear, given the law’s extensive requirements and severe penalties for noncompliance,…

Cybersecurity 2021 – The Year in Preview: The GDPR’s New Transfer Landmines

Editors’ Note:  This is the third in our fifth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year.  Read our previous posts on Energy and Cannabis.

A year ago, transferring data from Europe to the United States was inconvenient but manageable. Thousands of companies participated in the Privacy Shield, an agreement between the United States Department of Commerce and the European Commission where data importers certified that protected Europeans’ data at European levels.…

French Data Protection Authority Rules on Transfers of Health Data

The French Conseil d’Etat handed down an important decision on October 13 regarding privacy and personal data protection. This decision comes in the wake of the “Schrems II” ruling of the Court of Justice of the European Union (CJEU), which ruled that the protection of data transferred to the United States under the “Privacy Shield” was insufficient under European law.

A platform managing health data (named “Health Data Hub”) was created in 2019 to facilitate the sharing of these data in order to promote research.…

Countdown to CCPA: Foley Hoag Podcast Series Number 3

Companies that have already done the work to become GDPR-compliant are a step ahead, but all companies that collect California users’ personal information or just do business in California should check to see whether they are obligated to comply with the CCPA. Foley Hoag’s Privacy & Data Security practice group has more than a decade of experience and deep knowledge in domestic and international privacy law. Our CCPA team, with lawyers admitted to practice in California,…

Watch – Best Practices: Terms of Service and Privacy Policies

Terms of service and privacy policies form the primary legal agreement between your organization and anyone who visits your website, downloads your app, or subscribes to your platform. These agreements are ubiquitous, yet often overlooked by start-ups and established companies alike. And with new privacy laws like GDPR and CCPA affecting businesses globally, understanding how these laws affect your policies and terms is crucial for doing business.

Foley Hoag attorneys Christopher Hart and Jessica Turko present a webinar discussing how companies can mitigate risk when drafting terms of service and privacy policies.…

Does Accidental Listening by Smart Speakers Raise Compliance Concerns?

That sixth sense you have that someone is listening – could it be your smart speaker?  There’s a chance the answer is yes, even when you don’t ask it to.  A new study from Northeastern University finds that smart speakers often accidentally activate and record conversations, although just how often (sometimes as often as 19 times a day) and for how long (sometimes recording for 43 seconds) depends on the device. …

A Spate of Legislative Action Portends a Busy Year in Privacy and Security

The new decade has barely begun, and the world of privacy already seems set to change quickly.  Here is a brief overview:

New Laws In Effect as of January 1

On January 1, 2020, new data breach notification requirements went into effect in three states:  Texas, Oregon, and Illinois.  Each law has a unique twist on privacy-related notifications (and thus places additional burdens on businesses):

  • Texas places a definite time limit on notifying individuals after a breach occurs:  60 days (and not “as quickly as possible”).…

Cybersecurity 2020 — The Year in Preview: Brexit, Data Flows and Cybersecurity

Editors’ Note:  This is the third in our fourth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year.  Our previous entries discussed the CCPA and threats to the energy grid.  Up next: changes in health care privacy.

On Thursday, December 12, voters in the United Kingdom went to the polls and delivered a decisive victory for the Conservative Party (aka the “Tories”),…

Lessons Learned From The Greek Supervisory Authority’s PwC Decision on Employee Data Under GDPR

On 26 July 2019, the Greek Supervisory Authority (SA) found Pricewaterhouse Coopers (“PwC”) not compliant with the General Data Protection Regulation (GDPR) in relation to the processing of its Greek employees’ personal data. The SA issued a €150,000 fine and an injunction requiring PwC to take measures to comply within three months (which it has apparently done). A summary of the decision in English is available on the Greek SA’s website.…

Watch: Cybersecurity Regulation and Enforcement

As data breaches are seemingly reported on a daily basis, cybersecurity has emerged as a top enforcement priority for federal and state regulators and a key concern for companies of all sizes in a diverse range of industries. For example, compliance with federal cybersecurity regulations is required by nearly every government contract, and the New York Division of Financial Services adopted a vast set of regulations that is applicable to all entities operating under NYDFS licensure.…

Data Scraping, at Home and Abroad

Data scraping is a technique where information on one platform is extracted and exported onto another.  The practice is widespread and is used for all sorts of reasons, like market analysis or advertising.  The kind of information located and extracted is as varied as the kind of information that exists on the internet–which is to say, anything and everything–but where it becomes particularly interesting is when personal information is being scraped.…

Colin Zick and Chris Hart to Speak at MassTLC Policy and CyberMA Seminar

New Trends in Data Privacy: GDPR, CCPA and Beyond

Changes to data privacy laws and regulations continue to happen at a rapid clip. Join Foley Hoag’s Colin Zick and Chris Hart for a question and answer discussion about recent GDPR enforcement actions, the latest status on the California Consumer Privacy Act, recent changes to the Massachusetts data breach statute, and what other changes are in store nationally and internationally in the world of privacy and data security.…

Happy Birthday, GDPR!

Dear GDPR,

Before you were born, you already attracted a lot of attention; after all, not everyone is born over two years after they are conceived and has 28 parents!  And your parents had to resist enormous pressure from people who predicted that once you were born, you would be a nightmare. Well, now that you have been in this world for one year,…

Partner Colin Zick Speaks to Bloomberg Law on Why Companies Are Anxious for a Federal Move on Privacy

Bloomberg Law interviewed partner Colin Zick as part of a Special Report on how businesses are adjusting to recent data and privacy rules. Zick discusses why companies should be prepared to deal not only with GDPR requirements, but also a patchwork of state laws that may carry compliance requirements as well.

“We’re in the midst of a large public policy debate about what we’re going to do when it comes to data privacy laws,”…

The Paris District Court Invalidates 38 Clauses of Google+ Terms of Use and Privacy Policy

It has been rough weather for Google in France. Three weeks after the French Data Protection Authority imposed a record fine against Google for non-compliance with the GDPR, the Paris District Court (“Tribunal de Grande Instance”) invalidated 38 clauses of Google’s Privacy Policy and Terms of Use for Google+, the Internet-based social media network owned and operated by Google.  This decision was rendered on February 12,…

Webinar on April 24 – GDPR: Lessons Learned from the First Year

It’s been nearly a year since the GDPR became enforceable. Now that the dust has settled, it is time to look back and see how and by whom these rules have been enforced. Foley Hoag will present a 60-minute webinar on Wednesday, April 24 at 11:00 am EDT that discusses the impact the rules have had on businesses.

In addition to learning the lessons of this past year,…

Join us March 27: Legal and Technical Perspectives on Data Privacy and Security

Taking stock of the current privacy and security environment is critical. The legal world around data privacy continues to shift and the technical challenges to solving data security needs continue to increase in complexity.

Join Foley Hoag’s Chris Hart and Rapid7’s Jeremiah Dewey for a conversation about understanding and meeting today’s data privacy and security challenges. They will discuss the following:

  • What does the current threat environment look like?…

Blockchain and Data Privacy (Lex Mundi Series)

Editors’ Note: The following article was originally published as part of Lex Mundi’s Blockchain Whitepaper Series, which you can find here.

What data privacy concerns should practitioners have relating to blockchain technology? Answering the question involves understanding first the personal information implicated by a specific blockchain application, and then analyzing the relevant legal regimes that govern the personal information.

Personal Information

Data privacy does not implicate all information,…

Privacy and Data Security Strategies for Start-Up Companies

Start-up companies know that, when potential investors kick the tires, they will look carefully at the company’s business model and IP portfolio.  These days, investors are also likely to look at whether the company is in compliance with privacy and data security laws.  Cybersecurity has become increasingly important for businesses of all sizes.  While identity thieves may focus on the target-rich environments of large-scale enterprises,…

Basics for Sharing Direct Marketing Databases with Business Partners in the EU

Many companies share personal information they gather directly from individuals with “business partners” who use the information for their own direct marketing purposes. It is the case, for example, of companies that provide services on the internet free of charge but gather and sell the data related to their users to business partners. As the Washington Post recently learned, companies with this business model may find it challenging to comply with the European requirements,…

Cybersecurity 2019 — The Year in Preview: COPPA, the GDPR, and Protecting Children’s Data

Editors’ Note:  This is the second in our third annual end-of-year series examining important trends in data privacy and cybersecurity during the coming year.  Our previous entry was on energy and security.  Up next:  trends in state data privacy enforcement.

Since the General Data Protection Regulation (GDPR) came into effect in May 2018, one of the most common questions for practitioners is what the GDPR means for children. …

GDPR Creates Rugby Scrum

In a recent trip to Ireland, I was surprised to see two subjects that Ireland is known for — GDPR and rugby — coming into conflict.   As reported in the Sunday Business Post, World Rugby was lobbying the Irish government to create new data protection laws to address the interaction of anti-doping testing and the laws regarding transfer of data among and between different countries.  …

Senator Warner’s White Paper Gives Congress Options for Regulating Social Media and Technology Companies

Senator Mark Warner of Virginia has released a white paper outlining policy proposals for regulating social media and technology companies. The paper has gained significance in recent weeks as pressure builds on Congress to pass federal data privacy legislation. In the wake of Europe’s GDPR and California’s Consumer Privacy Act, industry groups, tech companies, and privacy activists alike have urged Congress to act.…

Three Things Not to be Forgotten about the GDPR’s “Right to be Forgotten”

Our experience in advising clients about GDPR and assisting them in the compliance process is that there are often misconceptions about the so-called “right to be forgotten”. The purpose of this post is to address some of these misconceptions.

  • The “right to be forgotten” was not created by the GDPR

The GDPR replaced the EU’s 1995 Directive which provided in Article 12(b) that “Member States must guarantee every data subject the right to obtain from the controller: (…),…

Whither the Privacy Shield?

The EU-US Privacy Shield, a framework that allows companies to transfer personal data from the EU to the US in compliance with the GDPR, has been under fire for not providing adequate protection to EU citizens.  As Foley noted in 2017, the EU’s Article 29 Working Party (now the European Data Protection Board) identified “a number of significant concerns” with the Privacy Shield in the Working Party’s First Annual Joint Review,…

June 14 – GDPR Panel at Foley Hoag’s Export Regulatory Compliance Update Conference

Foley Hoag, along with the Massachusetts Export Center, is hosting an Export Regulatory Compliance Update Conference on Thursday, June 14.  Among the panels will be one on “Navigating the GDPR & Cybersecurity Regulatory Environment.”  Here’s a description of the Panel:

On May 25, 2018, the General Data Protection Regulation (“the GDPR”) went into effect in all Member States of the European Union. However, the GDPR has a broad scope: it applies to organizations established outside the EU that offer goods or services to individuals in the EU and/or monitor the behavior of data subjects within the EU.…