Ed. Note: Thank you to Summer Associate Nicole Onderdonk for her significant contributions to this post.
On July 10, 2023, the European Commission (EC) adopted its adequacy decision for the EU-U.S. Data Privacy Framework (EU-U.S. DPF, or “Privacy Framework”), which establishes the Privacy Framework as an authorized mechanism under the General Data Protection Regulation (GDPR) for personal data to be transferred freely from the European Union (EU) to United States (U.S.) companies,… More
As we’ve written about before, the question of anonymization can be tricky. When is something “anonymized” or merely “de-identified” or “pseudonymous” — and when does it matter? This is a particularly fraught issue under the GDPR, where the text of the regulation creates practical compliance complications under various scenarios.
But in an important recent decision, the European General Court (or EGC, which hears actions against EU institutions,… More
2023 is turning out to be the year of the state privacy law, including new laws in five states with the possibility of more to come. Indeed, in recent days both Indiana and Iowa have likewise passed new statutes, which we will detail in a forthcoming blog. These new laws, which are largely inspired by the California Consumer Privacy Act (“CCPA”) and the European Union’s General Data Protection Regulation (“GDPR”),… More
When it comes to website privacy compliance, cookies have consistently presented the most fraught issues for U.S. businesses. This is especially true for those businesses that find themselves in a sometimes new or often uncertain relationship with the EU or UK GDPR. Do I need a cookie banner? Where does it go? How big does it have to be? Will a privacy policy alone do? Can’t users just be directed to the appropriate place to disable their browser’s cookie collection? … More
As we wrote in July 2020, the European Court of Justice issued a landmark decision that invalidated the Privacy Shield as untenable under the European General Data Protection Regulation (GDPR). The decision sparked negotiations between the United States and the European Union on a workable data privacy framework. And after a two-year long hiatus, the U.S. and the EU agreed on a replacement for the Privacy Shield.… More
On June 10, 2021, China adopted a new Data Security Law that will impact every business operating in or doing business with China. The law, which will take effect in less than a month (September 1, 2021), is sweeping in scope, imposes extensive data processing obligations, and establishes potentially severe penalties for violations. Although many of the details surrounding implementation remain unclear, given the law’s extensive requirements and severe penalties for noncompliance,… More
Editors’ Note: This is the third in our fifth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Read our previous posts on Energy and Cannabis.
A year ago, transferring data from Europe to the United States was inconvenient but manageable. Thousands of companies participated in the Privacy Shield, an agreement between the United States Department of Commerce and the European Commission where data importers certified that protected Europeans’ data at European levels.… More
The French Conseil d’Etat handed down an important decision October, 13th regarding privacy and personal data protection. This decision comes in the wake of the “Schrems II” ruling of the Court of Justice of the European Union (CJEU), which ruled that the protection of data transferred to the United States by the “Privacy Shield” was insufficient under European law.
A platform managing health data (named “Health Data Hub”) was created in 2019 to facilitate the share of these data in order to promote research.… More
Companies that have already done the work to become GDPR-compliant are a step ahead, but all companies that collect California users’ personal information or just do business in California should check to see whether they are obligated to comply with the CCPA. Foley Hoag’s Privacy & Data Security practice group has more than a decade of experience and deep knowledge in domestic and international privacy law. Our CCPA team, with lawyers admitted to practice in California,… More
Terms of service and privacy policies form the primary legal agreement between your organization and anyone who visits your website, downloads your app, or subscribes to your platform. These agreements are ubiquitous, yet often overlooked by start-ups and established companies alike. And with new privacy laws like GDPR and CCPA affecting businesses globally, understanding how these laws affect your policies and terms is crucial for doing business.
Foley Hoag attorneys Christopher Hart and Jessica Turko present a webinar discussing how companies can mitigate risk when drafting terms of service and privacy policies.… More
That sixth sense you have that someone is listening – could it be your smart speaker? There’s a chance the answer is yes, even when you don’t ask it to. A new study from Northeastern University finds that smart speakers often accidentally activate and record conversations, although just how often (sometimes as often as 19 times a day) and for how long (sometimes recording for 43 seconds) depends on the device. … More
Editors’ Note: This is the sixth in our fourth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Our previous entry discussed the CCPA, energy, Brexit, health care regulation, and state enforcement trends.
The European Union’s General Data Protection Regulation is possibly the world’s most burdensome data protection scheme.… More
The new decade has barely begun, and the world of privacy already seems set to change quickly. Here is a brief overview:
New Laws In Effect as of January 1
On January 1, 2020, new data breach notification requirements went into effect in three states: Texas, Oregon, and Illinois. Each law has a unique twist on privacy-related notifications (and thus places additional burdens on businesses):
Foley Hoag partners Colin Zick and Janine Ladislaw joined Licata Risk Advisors for a discussion on how to improve awareness and understanding of a company’s key risk exposures and how to mitigate and insure them. Topics included privacy and data security law, cybersecurity risk threat vectors, preventing IP infringement claims, and more. Click here to download the materials. More
Editors’ Note: This is the third in our fourth-annual end-of-year series examining important trends in data privacy and cybersecurity in the coming year. Our previous entries discussed the CCPA and threats to the energy grid. Up next: changes in health care privacy.
On Thursday, December 12, voters in the United Kingdom went to the polls and delivered a decisive victory for the Conservative Party (aka the “Tories”),… More
Partner Colin Zick recently joined a Bloomberg Law webinar on GDPR and healthcare. Topics included: GPDR compliance requirements impacting the health care industry, the costs of data privacy and security failures and strategies for developing data privacy programs for GDPR compliance specific to health care. Click here to download the materials. More
On 26 July 2019, the Greek Supervisory Authority (SA) found Pricewaterhouse Coopers (“PwC”) not compliant with General Data Protection Regulation (GDPR) in relation to the processing of its Greek employees’ personal data. The SA issued a €150,000 fine and an injunction requiring PwC to take measures to comply within three months (which is has apparently done). A summary of the decision in English is available on the Greek SA’s website.… More
As data breaches are seemingly reported on a daily basis, cybersecurity has emerged as a top enforcement priority for federal and state regulators and a key concern for companies of all sizes in a diverse range of industries. For example, compliance with federal cybersecurity regulations is required by nearly every government contract and the New York Division of Financial Services adopted a vast set of regulations that is applicable to all entities operating under NYDFS licensure.… More
Attorneys Colin Zick and Chris Hart recently led a Q&A discussion for MassTLC members on new trends in data privacy. Click here to download the slides. Topics included: recent GDPR enforcement actions, the California Consumer Privacy Act, recent changes to the Massachusetts data breach statute and more. More
Data scraping is a technique where information on one platform is exported onto another. The practice is widespread and is used for all sort of reasons, like market analysis or advertising. The kind of information located and extracted is as varied as the kind of information that exists on the internet–which is to say, anything and everything–but where it becomes particularly interesting is when personal information is being scraped.… More
New Trends in Data Privacy: GDPR, CCPA and Beyond
Changes to data privacy laws and regulations continue to happen at a rapid clip. Join Foley Hoag’s Colin Zick and Chris Hart for a question and answer discussion about recent GDPR enforcement actions, the latest status on the California Consumer Privacy Act, recent changes to the Massachusetts data breach statute, and what other changes are in store nationally and internationally in the world of privacy and data security.… More
Dear GDPR,
Before you were born, you already attracted a lot of attention, after all, not everyone is born over two years after they are conceived and has 28 parents! And your parents had to resist an enormous pressure from people who predicted that once you were born, you would be a nightmare. Well, now that you have been in this world for one year,… More
Bloomberg Law interviewed partner Colin Zick as part of a Special Report on how businesses are adjusting to recent data and privacy rules. Zick discusses why companies should be prepared to deal not only with GDPR requirements, but also a patchwork of state laws that may carry compliance requirements as well.
“We’re in the midst of a large public policy debate about what we’re going to do when it comes to data privacy laws,”… More
It has been rough weather for Google in France. Three weeks after the French Data Protection Authority imposed a record fine against Google for non-compliance with the GDPR, the Paris District Court (“Tribunal de Grande Instance”) invalidated 38 clauses of Google’s Privacy Policy and Terms of Use for Google+, the Internet-based social media network owned and operated by Google. This decision was rendered on February 12,… More
It’s been nearly a year since the GDPR became enforceable. Now that the dust has settled, it is time to look back and see how and by whom these rules have been enforced. Foley Hoag will present a 60-minute webinar on Wednesday, April 24 at 11:00 am EDT that discusses the impact the rules have had on businesses.
In addition to learning the lessons of this past year,… More
Taking stock of the current privacy and security environment is critical. The legal world around data privacy continues to shift and the technical challenges to solving data security needs continue to increase in complexity.
Join Foley Hoag’s Chris Hart and Rapid7’s Jeremiah Dewey for a conversation about understanding and meeting today’s data privacy and security challenges. They will discuss the following:
Editors’ Note: The following article was originally published as part of Lex Mundi’s Blockchain Whitepaper Series, which you can find here.
What data privacy concerns should practitioners have relating to blockchain technology? Answering the question involves understanding first the personal information implicated by a specific blockchain application, and then analyzing the relevant legal regimes that govern the personal information.
Personal Information
Data privacy does not implicate all information,… More
Start-up companies know that, when potential investors kick the tires, they will look carefully at the company’s business model and IP portfolio. These days, investors are also likely to look at whether the company is in compliance with privacy and data security laws. Cybersecurity has become increasingly important for business of all sizes. While identity thieves may focus on the target rich environments of large-scale enterprises,… More
Many companies share personal information they gather directly from individuals with “business partners” who use the information for their own direct marketing purposes. It is the case, for example, of companies that provide services on the internet free of charge but gather and sell the data related to their users to business partners. As the Washington Post recently learned, companies with this business model may find it challenging to comply with the European requirements,… More
Editors’ Note: This is the second in our third annual end-of-year series examining important trends in data privacy and cybersecurity during the coming year. Our previous entry was on energy and security. Up next: trends in state data privacy enforcement.
Since the General Data Protection Regulation (GDPR) came into effect in May 2018, one of the most common questions for practitioners is what the GDPR means for children. … More
In a recent trip to Ireland, I was surprised to see two subjects that Ireland is known for — GDPR and rugby — coming into conflict. As reported in the Sunday Business Post, World Rugby was lobbying the Irish government to create new data protection laws to address the interaction of anti-doping testing and the laws regarding transfer of data among and between different countries. … More
Senator Mark Warner of Virginia has released a white paper outlining policy proposals for regulating social media and technology companies. The paper has gained significance in recent weeks as pressure builds on Congress to pass federal data privacy legislation. In the wake of Europe’s GDPR and California’s Consumer Privacy Act, industry groups, tech companies, and privacy activists alike have urged Congress to act.… More
Four months after the GDPR came into effect, the French Data Protection Authority (“CNIL“) published a first assessment with some impressive figures:
Our experience in advising clients about GDPR and assisting them in the compliance process is that there are often misconceptions about the so-called “right to be forgotten”. The purpose of this post is to address some of these misconceptions.
The GDPR replaced the EU’s 1995 Directive which provided in Article 12(b) that “Member States must guarantee every data subject the right to obtain from the controller: (…),… More
Partner Colin Zick will join Naomi Leach, Senior Associate, Data Protection at Stephenson Harwood, and Lana Gladstein, Vice President and General Counsel at Brammer Bio, for a MassBio program on July 31 entitled The Era of GDPR Data Privacy, Two Months In: Do you have a Data Transfer Agreement handy?
Details
The GDPR Data Privacy Law has been in effect since May 25,… More
The EU-US Privacy Shield, a framework that allows companies to transfer personal data from the EU to the US in compliance with the GDPR, has been under fire for not providing adequate protection to EU citizens. As Foley noted in 2017, the EU’s Article 29 Working Party (now the European Data Protection Board) identified “a number of significant concerns” with the Privacy Shield in the Working Party’s First Annual Joint Review,… More
Foley Hoag, along with the Massachusetts Export Center, is hosting an Export Regulatory Compliance Update Conference on Thursday, June 14. Among the panels will be one on “Navigating the GDPR & Cybersecurity Regulatory Environment.” Here’s a description of the Panel:
On May 25, 2018, the General Data Protection Regulation (“the GDPR”) went into effect in all Member States of the European Union. However, the GDPR has a broad scope: it applies to organizations established outside the EU that offer goods or services to individuals in the EU and/or monitor the behavior of data subjects within the EU.… More
Cross-posted from our sister blog, Trademark and Copyright Law.
By now, our readers are likely familiar with the General Data Protection Regulation (“GDPR”), the sweeping, European Union-wide legal and regulatory regime that provides enhanced protections for personal data. The GDPR, which goes in effect on May 25, 2018, is expected to reshape the digital data landscape in the EU and beyond. … More