Privacy & Cybersecurity

The new General Data Protection Regulation is effectively a “done deal” following the final trilogue meeting on December 15. One might assume based on UK media coverage that the biggest change in EU privacy law is that kids under 16 will need their parent’s consent to sign up for social media services and apps.

The EU has announced that the Commission, Parliament and Council have reached agreement on the final shape of the General Data Protection Regulation. The official version will be available early in 2016, but we will be reviewing the details that have been made available so far and providing further information here over the next couple of days.

As the year winds down, we look back with a mixture of nostalgia and queasiness on the major Health Insurance Portability and Accountability Act (HIPAA) events that defined 2015. Incredibly large data breaches became disturbingly routine, calling into question the ability of insurers and providers to protect their increasingly large troves of sensitive health information.

The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court. 

Industry groups representing a diverse range of companies in the retail, technology, financial, and utility industries filed eight amicus briefs last week in the D.C. Circuit supporting challenges to the Federal Communications Commission’s (“FCC”) recently adopted order that expanded the agency’s rules under the Telephone Consumer Protection Act (“TCPA”).

The negotiations between the EU and the US for a new data transfer agreement to replace the struck-down Safe Harbor program continue as the clock ticks down to the enforcement deadline of January 31, 2016 (as declared by the EU’s national data protection authorities via the Article 29 Working Party).

The recent data breach of Hong Kong-based electronic toy manufacturer VTech Holdings Limited (“VTech” or the “Company”) is making headlines around the world for good reason: it exposed sensitive personal information of over 11 million parents and children users of VTech’s Learning Lodge app store, Kid Connect network, and PlanetVTech in 16 countries!

Two years after the massive holiday season theft of customers’ payment card data from Target point of sale terminals, the Target data breach litigation appears to be entering its final act. 

The webinar on Post-Safe Harbor Update & Cross-Border Data Transfer Issues for Life Sciences Companies that was originally scheduled for today is being postponed and will take place after the holidays. We will announce a new date shortly.

In a decision almost a year in the making, the Third Circuit’s recent opinion in In re Google Inc. Cookie Placement Privacy Litig. (3d Cir. Nov. 10, 2015),  (“Google”), reversed a trial court order dismissing a lawsuit alleging that Google and other internet advertising companies circumvented cookie-blocking technology in Safari and Internet Explorer web browsers. 

The latest Pew Research Center Report relayed useful information regarding application users’ concerns with sharing personal data. Ninety percent of app users indicated that how their personal data will be used is “very” or “somewhat” important to them, and influences their decision to download an app. 

We are still following developments in the EU relating to the invalidation of the US-EU Safe Harbor Framework.

For the first Monday in November, we have 10 easy steps to make sure that your data breach incident response planning is viewed from that pesky point of view of a litigator.

EU Commissioner Vera Jourova recently announced in a speech to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) that the Commission and the US have made substantial progress in finalizing a new Safe Harbor program.

As all of our readers know by now, as of October 6, the US-EU Safe Harbor Framework is no more. Safe Harbor was the mechanism on which thousands of US companies (and thousands of companies based in the European Union) legitimized their data transfers from the EU to the US.

The Irish High Court today has ordered the Irish Data Protection Commissioner (DPC) to investigate Facebook's European data privacy practices, bringing Max Schrems' three-year fight full circle. 

The so-called "Article 29 Working Party" of EU Data protection officials from the 28 EU member states today released a much-anticipated press release regarding the Court of Justice of the European Union (CJEU) landmark decision invalidating the US-EU Safe Harbor framework.

To take a step back from our continuing analysis of the situation and developments in Europe, there are other things going on in the privacy and data security world! Our October Wednesday Webinar is coming up and we will take a walk on the wild side: data security litigation. 

The EU Parliament committee that is charged with considering data protection matters (LIBE) has issued a press release calling on the European Commission to take action before the end of 2015 to come up with alternatives to Safe Harbor. 

As reported on Friday in the Krebs on Security blog, online broker Scottrade had sent an e-mail to customers earlier that day stating that it recently had learned from law enforcement officials that Scottrade was one of a number of financial services companies that had been victimized by data thieves.