Global Privacy & Security Compliance Law Blog

Indiana, Montana, and Tennessee Enact General Data Privacy Laws, Bringing the Total to Nine and Counting

Posted in Legislative & Regulatory Developments, Privacy, Security

The new laws introduce novel applicability thresholds and other requirements that businesses should consider when preparing for compliance with US state privacy laws, including those coming into effect from 2023 onwards.

By Robert Blamires, Marissa Boynton, Michael H. Rubin, Joseph Hansen, and Austin Anderson

Key Takeaways:

(i) Indiana, Montana, and Tennessee have all enacted general data privacy legislation, bringing the total to nine US state data privacy laws.

(ii) Montana will be the first of the three new laws to take effect on October 1, 2024, followed by Tennessee on July 1, 2025, and Indiana on January 1, 2026.

(iii) For businesses subject to existing similar general data privacy laws in other US states, many of the requirements will look familiar. The laws in Indiana and Tennessee generally follow in the wake of Virginia’s privacy law, while Montana’s law tracks more closely to Connecticut’s privacy law.  

(iv) All three laws will be exclusively enforced by the respective state attorneys general, but the penalties and applicable cure periods vary.

Continue Reading

Irish Data Protection Commission Orders Meta Ireland to Suspend Facebook Data Transfers to the US and Imposes Record GDPR Fine of €1.2 Billion

Posted in GDPR, Privacy, Security

By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1]

The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May 2023 (IDPC Decision).[3]

The IDPC found that the Transfers, made pursuant to Standard Contractual Clauses (SCCs), did not comply with Article 46(1) GDPR, as the SCCs together with the supplementary measures implemented “do not compensate for the deficiencies in US law in issue”. The IDPC also found that the Transfers could not be made pursuant to any of the derogations under Article 49(1) GDPR. In particular, the IDPC concluded that the “contractual necessity” derogation could not be relied on by Meta Ireland “to justify the systematic, bulk, repetitive and ongoing transfers to the US”.

In light of these conclusions, the IDPC made an order suspending the Transfers (the Suspension Order).

Continue Reading

CJEU Rejects Minimum Threshold for GDPR Claims

Posted in GDPR, Privacy

The court determined that mere infringement of the GDPR is insufficient for a damages claim, but that there is no minimum threshold for non-material damages.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Floriane Cruchet, Camille Dorval, Charlotte Guerin, Lara Nonninger, and Hayley Pizzey

In a recent judgment (Case C-300/21), the Court of Justice of the European Union (CJEU) held that mere infringement of the General Data Protection Regulation (GDPR) is insufficient to claim compensation under Article 82, absent any material or non-material damage suffered by the individual. In relation to non-material damage, the CJEU rejected the concept of a minimum threshold level of damage or harm to the individual.

Article 82 of the GDPR states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation.

The CJEU’s judgment has the potential to encourage non-material damages claims — whether individual or collective — as it is clear that there is no de minimis threshold for such damages. However, the judgment also holds that mere GDPR infringement is an insufficient basis for non-material damages and therefore the claimant must prove that they suffered damage — albeit not to a standard, European Union-wide minimal threshold. Therefore, the specific impact of this judgment will vary across Member States, depending on applicable domestic law underpinning non-material damages claims more broadly.

Continue Reading

CJEU Sets High Bar for Responses to Data Subject Access Requests

Posted in GDPR, Privacy, Security

Organisations must provide individuals with information on the specific recipients of their data upon request.

By Tim Wybitul, Isabelle Brams, Calum Docherty, and Amy Smyth

The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to give effect to the right of access. Organisations may only limit their response to the mere categories of recipients if they cannot identify the specific recipients or if the request is manifestly unfounded or excessive. The court’s judgment in the case of RW v. Österreichische Post AG (Case C-154/21) follows the opinion given by CJEU Advocate General Giovanni Pitruzzella in mid-2022 (the Opinion). For background on the case and the Opinion, see this Latham & Watkins blog post.

Continue Reading

DIFC Proposes to Amend Data Protection Rules to Regulate Use of AI

Posted in Privacy, Security

The Dubai International Financial Centre urges companies to protect personal data when using artificial intelligence.

By Brian A. MeenaghKsenia Koroleva, and Lucy Tucker 

On 18 April 2023, the Dubai International Financial Centre (DIFC), a financial free zone with its own data protection laws, published a consultation paper (the Consultation Paper) regarding amendments to DIFC Data Protection Regulations (the Regulations) for a 30-day public consultation.

The Consultation Paper acknowledges that AI systems are important and useful but carry risks to personal data processing. The DIFC’s proposed approach urges all companies using AI systems to adopt and reinforce technical and organisational means to protect personal data when using AI.

Continue Reading

CJEU Advocate General Rejects Strict Liability for GDPR Fines

Posted in GDPR, Privacy, Security

The CJEU’s final ruling could subject companies to direct GDPR enforcement by DPAs notwithstanding national procedural rules, but may rule against strict liability under the GDPR.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Irina Vasile, and Amy Smyth

On 27 April 2023 Advocate General of the Court of Justice of the European Union (CJEU) Campos Sánchez-Bordona delivered an opinion in which he approved direct enforcement of the General Data Protection Regulation (GDPR) against companies but rejected a broader concept of “strict liability” for alleged GDPR violations.

The opinion was issued in relation to a new landmark case (C-807/21) in which the CJEU will determine whether organisations face strict liability for violating the GDPR, or whether data protection authorities (DPAs) must prove relevant misconduct of an individual within the organisation before imposing fines. The Advocate General’s opinion, though not binding on the CJEU, carries considerable weight because courts often follow such opinions.

This Client Alert reviews the opinion and examines the potential implications for companies.

And Now There Are Six: Iowa Passes New Privacy Law

Posted in Legislative & Regulatory Developments, Privacy, Security

Iowa’s new data privacy law, which will come into force in 2025, adds to an increasingly complex patchwork of state laws.

By Robert Blamires, Clay Northouse, Michael Rubin, Robert Brown, Joseph Hansen, and Zac Alpert

On March 28, 2023, Iowa became the sixth US state to pass a comprehensive privacy law. The Iowa data privacy law (SF 262) (Iowa Privacy Law) was passed unanimously by the state House and Senate, and signed by Governor Kim Reynolds.

The Iowa Privacy Law imposes requirements similar to those already required by other state privacy laws—most notably, Utah. The key task for companies subject to the law will be to ensure that their existing measures cover personal data collected about Iowa residents, for example, by extending their privacy notices, contracts, and user rights mechanisms to include Iowa consumer personal data.

Continue Reading

UK Data Protection and Digital Information (No. 2) Bill: What Is Changing?

Posted in Legislative & Regulatory Developments

The updated reform legislation provides welcome guidance and clarifications on aspects such as legitimate interests and accountability, without substantially shifting the approach proposed under the existing reform bill.

By Gail E. Crawford, Fiona M. Maclean, Timothy Neo, Irina Vasile, and Amy Smyth

On 8 March 2023, the UK government introduced the second draft of its UK data protection reform legislation, the Data Protection and Digital Information (No.2) Bill (the No. 2 Bill). The No. 2 Bill supersedes the original Data Protection and Digital Information Bill (the Original Bill), which the government first introduced last summer, following the consultation “Data: a new direction” (the Consultation). (For more information on the Consultation, see this Latham blog post; for more details on the proposed changes in the first version of the Bill, see this Latham overview and deep dive.)

The No. 2 Bill details how the government proposes to reform the current UK data protection regime, which consists primarily of the UK Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (UK GDPR), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

Continue Reading

European Data Protection Board Focuses Coordinated Enforcement on Data Protection Officers

Posted in GDPR, Legislative & Regulatory Developments

Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.

By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth

The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.

Continue Reading

Hong Kong Privacy Regulator Highlights Data Security Guidance as Cyberattacks Increase

Posted in Legislative & Regulatory Developments, Security

The Privacy Commissioner for Personal Data reminds organisations to review and implement appropriate data security measures amidst more data breaches.

By Kieran Donovan, Anthony Liu, and Jacqueline Van

On 13 February 2023, the Privacy Commissioner for Personal Data of Hong Kong (PCPD) published an article titled “Guidance on Data Security – Heightened Importance of Data Security Amid Increased Cyberthreats”. The article discusses the increasing trend of cyberattack incidents, identifies common vulnerabilities based on data incidents the PCPD has investigated, and sets out practical guidance for data security measures.

Continue Reading

LexBlog