FTC Rings in New Year with ‘Major Changes’ to Cybersecurity Orders and Throwback Reference to WISPs

Earlier this month, Andrew Smith, the FTC’s Director of the Bureau of Consumer Protection, announced that the Commission had made “three major changes” to its data security orders.[1] Citing recent hearings at the FTC, as well as the Commission’s defeat in the closely watched LabMD case,[2] Director Smith highlighted three key takeaways from seven consent orders announced against “an array of diverse companies.”[3]

READ MORE

The CCPA Is in Effect and It Is Not Too Late to Get Started in 2020

Happy New Year! At long last, the California Consumer Privacy Act of 2018 (“CCPA”) went into effect yesterday, January 1, 2020. For those who have not yet heard, the CCPA establishes a comprehensive legal framework to govern the collection and use of personal information, both online and offline, and provides unprecedented privacy rights to California consumers, in effect becoming the de facto national standard for U.S. privacy law. The law introduces new legal risks and considerations for companies that collect information from California consumers, due to the law’s expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, potential for statutory fines and, in the event of a security incident, the potential for consumer class action litigation. READ MORE

A Survival Guide for GDPR Enforcement Actions from a German Perspective – How to Assess and Mitigate Fines for GDPR Violations

Chinese: GDPR 执法措施的德国生存指南—如何评估和减低违反GDPR的罚款

Since the first enforcement actions have been initiated, some with significant fines, many companies may find themselves somewhat at a loss as they may not fully know how to assess the risks involved and how to react should an enforcement action be initiated against them. Here we will give a high-level overview on risks and strategies in enforcement actions. READ MORE

Digital Devices Sold in Russia After July 2020 Must Have Russian Software Installed

Amendments to Russian consumer protection law require installation of local software on digital devices to be sold in Russia after July 2020. The Russian government will publish lists of the digital devices covered by the new requirements and local software that is approved by the government. Experts believe that computers, smartphones and smart TVs will likely be named among such digital devices.

The amendments were signed into law on December 2, 2019, and will come into force on July 1, 2020. READ MORE

Russia Significantly Increases Fines for Violations of Data Localization Requirement

Under Russian Data Protection Law, when collecting personal data, data operators (controllers) must ensure that recording, systematization, accumulation, storage, updating and extraction of personal data relating to Russian citizens are performed utilizing databases located in Russia (data localization requirement).

The new law, adopted by the Russian parliament and signed into law on December 2, 2019, introduces substantial fines for violations of that requirement. READ MORE

German regulator issues record fine for keeping personal data too long

The Data Protection Supervisory Authority for the state of Berlin (Die Berliner Beauftragte für Datenschutz und Informationsfreiheit, “Supervisory Authority”) recently issued a fine for GDPR violations against Germany’s second largest housing company Deutsche Wohnen SE (“DW”) for retaining personal data without legal justification. The amount of the fine, EUR 14.5m, is the highest issued by a German Supervisory Authority for data protection infringements so far and the first to be in the millions. Germany is thus following the trend of increasing fines set by other EU Member States’ authorities, such as the UK, France and Austria in particular. READ MORE

EUR 30,000 for “a simple cookie banner”?!? – Spanish Supervisory Authority fines airline for non-compliance

The Spanish supervisory authority agencia española protección datos (“Supervisory Authority”) has issued a fine (the original Spanish document can be accessed here) against an airline based on their use of a cookie banner, which the Supervisory Authority considered not to be compliant with privacy provisions.

In issuing the fine, the Supervisory Authority referred to Art. 22.2 of the Spanish Act of the Services of the Information Society and Electronic Commerce (Ley de Servicios de la Sociedad de la Información—“LSSI”) rather than the General Data Protection Regulation (“GDPR”). Art. 22.2 LSSI is based on the ePrivacy Directive, which is still in effect and is not replaced by the provisions of the GDPR—we note, however, that the ePrivacy Directive would likely be replaced by the provisions of the proposed ePrivacy Regulation, which is still being negotiated.

This fine highlights the European data protection authorities’ continued concern over the collection of personal information through cookies and other tracking technologies and should thus attract the attention of companies that provide websites to customers in the EU. The decision might set the standard for fines on the lack of consent for cookies and is in line with the rather conservative view of the European Court of Justice (“CJEU”) in its recent court decision, which explicitly referred to the GDPR (please also see our blog post on the CJEU’s decision). READ MORE

E-Commerce Businesses Beware: The Freedom to Contract does not Trump Reasonable Privacy Expectations

The EDPB’s new Guidelines on Article 6(1)(b) may severely limit e-commerce business’ ability to enhance data processing by unilaterally defining contractual services.

On October 8, 2019, the European Data Protection Board (“EDPB”) released the “Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects” (the “Guidelines”) after public consultation. The text of the Guidelines is available here. Largely in line with previous guidance, the EDPB takes the view that companies cannot expand legal justifications for data processing operations based on broader definitions of their services. The legal justification of a processing for performing a contract does not cover processing operations, which, reasonably, the individuals would not expect when entering into the contract. Businesses should thus carefully review the legal justifications for the processing operations and be prepared to consider limitations on certain data processing should individuals object. READ MORE

California Governor Signs CCPA and Breach Notification Statute Amendments into Law

With the January 1, 2020 effective date of the California Consumer Privacy Act (the “CCPA”) rapidly approaching, all eyes have been on the California legislature’s consideration of a robust suite of amendments that would clarify ambiguities and address discrepancies underlying the prominent privacy statute. On October 11, 2019, six CCPA amendments were signed into law by the California Governor, as well as an amendment to the state’s breach notification statute. The rest of the CCPA amendments have either failed or will have to wait until next year for further consideration.

READ MORE