The EU-Japan Economic Partnership Agreement between Japan and the European Union (“EU”) recently came into force, creating the world’s biggest open trading zone that covers 635 million people and almost one-third of the world’s total GDP. In the shadow of that agreement, however, another development—the mutual acknowledgment of data protection standards—took place, which should not be overlooked because it sets another world record. On January 23, 2019, the European Commission adopted its adequacy decision on Japan, acknowledging that Japan provides for an adequate level of data protection. Similarly, effective January 23, 2019, the Japanese independent data protection authority, the Personal Information Protection Commission (“PPC”), has also designated countries within the European Economic Area as having an equivalent level of data protection. This mutual acknowledgement created what is being referred to as the “largest area of safe data transfer” in the world.
These developments have important benefits for companies transferring data from the EU to Japan and vice versa, reducing burdens and giving companies greater access to customers. Below, we discuss the developments and describe what companies should consider in the future. READ MORE
A recent decision from the Supreme Court of Illinois heightens the risks faced by companies collecting biometric information by holding that an individual who is the subject of a violation of Illinois’ Biometric Information Privacy Act—but who suffered no separate harm from the violation—is an “aggrieved party” with a cause of action under the statute. Rosenbach v. Six Flags Entertainment Corp., No. 123186 (Ill. Jan. 25, 2019). This decision will only further embolden plaintiffs’ lawyers to bring biometric privacy suits, and the risk to companies collecting biometric information will likely increase as newly enacted and proposed legislation comes into effect. In this post, we discuss what happened, what is on the horizon, and some steps to consider. READ MORE
On January 21, 2019, the French data protection supervisory authority (“CNIL”) fined Google €50 million (approximately $57 million) for violating the European General Data Protection Regulation (“GDPR”). The fine penalizes Google for failing to comply with the GDPR’s transparency and notice requirements, and for failing to properly obtain consent from users for ads personalization. This is the largest GDPR fine imposed to date and the first action against a major global tech player. The CNIL’s decision sends an important message to companies that tough enforcement actions are not just a theoretical threat. Companies should look closer at data protection compliance and particularly work on their notices and consent forms. READ MORE
Rivera v. Google, a recent federal court decision from the Northern District of Illinois, highlights how challenges to Article III standing are a versatile and useful tool for corporate defendants in privacy and cybersecurity litigation. At the same time, the litigation underscores the significant legal risk faced by entities that collect biometric information and the consequent need to proactively assess and mitigate that risk. READ MORE
In November, the German Data Protection Conference (committee of the independent German federal and state data protection supervisory authorities) (“DSK”) published a guidance on the processing of personal data for direct marketing purposes under the GDPR. This guidance finally brings some light into the darkness of marketing under the GDPR. READ MORE
This past September Governor Brown signed into law Senate Bill 327, which is the first state law designed to regulate the security features of Internet of Things (IoT) devices. The bill sets minimum security requirements for connected device manufacturers, and provides for enforcement by the California Attorney General. The law will come into effect on January 1, 2020, provided that the state legislature passes Assembly Bill 1906, which is identical to Senate Bill 327. READ MORE
The California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”), which we reported on here and here continues to make headlines as the California legislature fast-tracked a “clean up” bill to amend the CCPA before the end of the 2018 legislative session. In a flurry of legislative activity, the amendment bill (“SB 1121” or the “Amendment”) was revised at least twice in the last week prior to its passage late in the evening on August 31, just hours before the legislative session came to a close. The Amendment now awaits the governor’s signature.
Although many were hoping for substantial clarification on many of the Act’s provisions, the Amendment focuses primarily on cleaning up the text of the hastily-passed CCPA, and falls far short of addressing many of the more substantive questions raised by companies and industry advocates as to the Act’s applicability and implementation. READ MORE
Game-changing Calif. Consumer Privacy Act of 2018 puts statutory breach damages on the table
The recently-enacted California Consumer Privacy Act of 2018 is a game-changer in a number of respects. The Act imports European GDPR-style rights around data ownership, transparency, and control. It also contains features that are new to the American privacy landscape, including “pay-for-privacy” (i.e., financial incentives for the collection, sale, and even deletion of personal information) and “anti-discrimination” (i.e., prohibition of different pricing or service-levels to consumers who exercise privacy rights, unless such differentials are “reasonably related to the value provided to the consumer of the consumer’s data”). Privacy teams will be hard at work assessing and implementing compliance in advance of the January 1, 2020 effective date. READ MORE
Orrick partners Emily Tabatabai, Tony Kim and Jennifer Martin authored this article for Corporate Counsel on the sweeping implications for businesses of California’s newly-enacted privacy law. Members of our global Cybersecurity, Privacy and Data Innovation Practice, Emily, Tony and Jennifer outline the reasons the new law will have “a significant impact on core business operations.”
Are you ready for the CCPA? Take Orrick’s CCPA Readiness Assessment.
- Assess your company against CCPA provisions.
- Receive a complimentary report summarizing the likely key impacts.
- Use the report to development to develop your CCPA project plan.
Noting the “astounding” statistics on the use of smartphones and other mobile devices to “shop, bank, play, read, post, watch, date, record, and go” across consumer populations, the FTC has recently re-focused its attention on mobile security issues. As the amount of information collected on mobile devices, and through applications on those devices, continues to rise exponentially, unsurprisingly, mobile devices have become increasingly fertile grounds for cyberattacks. Against this backdrop, in February 2018 the FTC issued a 134-page report titled Mobile Security Updates: Understanding the Issues (the “Report”). Not long afterward, on April 2, 2018, the FTC appointed a new Acting General Counsel, Alden Abbot, who has substantial experience in the mobile-communication industry, including serving in key legal roles at Blackberry Corporation and the National Telecommunications and Information Administration in the Department of Commerce. Although the Report is narrowly focused on processes for patching vulnerabilities and software updates, the FTC notes that the Report is “part of an on-going dialogue” and that it intends to work with industry, consumer groups, and lawmakers to further the “goals of reasonable security and greater transparency” in its efforts to improve mobile-device security. READ MORE