data protection

California Sets the Standard With a New IoT Law

This past September Governor Brown signed into law Senate Bill 327, which is the first state law designed to regulate the security features of Internet of Things (IoT) devices. The bill sets minimum security requirements for connected device manufacturers, and provides for enforcement by the California Attorney General. The law will come into effect on January 1, 2020, provided that the state legislature passes Assembly Bill 1906, which is identical to Senate Bill 327. READ MORE

Making Your Head Spin: “Clean Up” Bill Amends the California Consumer Privacy Act, Delaying Enforcement But Making Class Litigation Even MORE Likely

The California Consumer Privacy Act of 2018 (the “CCPA” or the “Act”), which we reported on here and here continues to make headlines as the California legislature fast-tracked a “clean up” bill to amend the CCPA before the end of the 2018 legislative session. In a flurry of legislative activity, the amendment bill (“SB 1121” or the “Amendment”) was revised at least twice in the last week prior to its passage late in the evening on August 31, just hours before the legislative session came to a close. The Amendment now awaits the governor’s signature.

Although many were hoping for substantial clarification on many of the Act’s provisions, the Amendment focuses primarily on cleaning up the text of the hastily-passed CCPA, and falls far short of addressing many of the more substantive questions raised by companies and industry advocates as to the Act’s applicability and implementation. READ MORE

Understanding Calif.’s Game-Changing Data Protection Law: The California Consumer Privacy Act of 2018

Orrick partners Emily TabatabaiTony Kim and Jennifer Martin authored this article for Corporate Counsel on the sweeping implications for businesses of California’s newly-enacted privacy law. Members of our global Cybersecurity, Privacy and Data Innovation Practice, Emily, Tony and Jennifer outline the reasons the new law will have “a significant impact on core business operations.”

Data Protection Officer and IT Manager – Two Jobs That Do Not Match

Companies required to appoint a data protection officer (“DPO” ) in Europe should carefully consider which candidate is best to select for the job. A company established in Bavaria, Germany, was recently fined by the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht, “BayLDA“) for appointing a DPO who at the same time held an operational position as an IT manager. The appointment was deemed to create a conflict of interests between the two functions. This decision could potentially influence the interpretation of the upcoming EU General Data Protection Regulation (“GDPR“) and thus influence the appointment of DPOs by international companies.

READ MORE

FCC Privacy Regulations: The Next Litigation Trend?

Last month the Federal Communications Commission (“FCC”) closed the comment period for its proposed privacy regulations, which we previously wrote about here.  The million dollar question on everyone’s minds is whether the final regulations will be broader or narrower in scope than the initial proposal, which included not only a significant expansion of the definition of personal information, but also sweeping new obligations and raised serious questions in areas where the obligations could become even stricter still.[1]  Accordingly, companies subject to the new regulations are bracing for tighter FCC Enforcement Bureau scrutiny of broad data collection and handling practices.

READ MORE

The FCC’s Proposed Privacy Regulations: What They Mean for ISPs and Those That Do Business with Them

Internet Service Providers

The Federal Communications Commission (“FCC”) recently issued a proposed set of privacy regulations that, if passed, will have broad implications for broadband providers, as well as for the companies that collect or receive information from them.  We recently authored an article in Law360 that outlines the key elements of the FCC’s Notice of Proposed Rulemaking (“NPRM”), includes some of the questions that the FCC is seeking comment on regarding the proposed regulations, and identifies how the regulations may impact business models and practices for companies that are not Internet Service Providers.

READ MORE

German DPAs Add Further Pressure to EU-US Data Transfers

International Privacy Law

Yesterday, German federal and state (Länder) data protection authorities (“DPAs”) issued a Position Paper following the recent Court of Justice of the European Union (“CJEU”) ruling that struck down the EU-US Safe Harbor Framework. Read an unofficial translation of the German Position Paper here.

Unfortunately, the Position Paper does little to relieve the pressure many organisations are now facing in relation to their cross-Atlantic data transfer mechanisms, particularly those used to transfer data from Germany to the United States.[1] READ MORE

EU Working Party Issues Statement on CJEU’s Invalidation of Safe Harbor Framework

Safe Harbor

The European Court of Justice’s (CJEU) recent decision striking down the EU-US Safe Harbor framework has created significant marketplace uncertainty and left companies scrambling for alternative cross-Atlantic data transfer mechanisms.

READ MORE

More Fines to Come in Germany? Service Provider Engagements are Under Increased Scrutiny

data processing

Following a significant fine against the parties to an asset acquisition for illegally transferring customer information, the Bavarian Data Protection Supervisory Authority (Bavarian DPA) announced on August, 20, 2015 that it has fined a company that engaged a service provider based on a data processing agreement which did not meet the requirements of Section 11 of the German Federal Data Protection Act (FDPA). The technical and organizational measures of the service provider were not specified as required by Section 11 of the FDPA.

READ MORE