Understanding the ICO’s approach to assessing financial penalties should be a key element of an organisation’s data protection strategy and risk profile.

By James Lloyd and Sami Qureshi

In an era when data protection infringements can tarnish business reputations overnight, understanding the financial ramifications is more crucial than ever. The UK’s Information Commissioner’s Office (ICO) recently unveiled its much-anticipated updated guidance on the calculation of fines for data protection infringements under the UK General Data Protection Regulation (UK GDPR) and

The amended rules follow the Biden Administration’s “whole of government” approach to maximizing notifications to executive agencies of cybersecurity events.

By Jennifer C. Archie, Matthew A. Brill, Gabriela Aroca Montaner, Chad Kenney, and Molly Whitman

On December 21, 2023, a divided Federal Communications Commission (FCC or the Commission) released a Report and Order updating its data breach reporting rules for certain telecommunications providers. The updated rules require that providers of telecommunications services, interconnected Voice over Internet

Covered financial institutions now face heightened expectations in relation to cybersecurity governance, risk assessment, and incident reporting.

By Jenny Cieplak, Tony Kim, Arthur Long, Clayton Northouse, Serrin Turner, Yvette D. Valdez, Deric Behar, and Molly Whitman

The New York State Department of Financial Services’ (DFS) amendments (the Amendments) to its cybersecurity regulations, which were adopted last month with the first implementation deadline of December 1, 2023, impose new and enhanced requirements on covered entities.

On November 1, 2023, the DFS announced the Amendments to its regulations that were initially published in 2017 (23 NYCRR part 500). The changes impose more demanding requirements for larger entities, new obligations to report ransomware incidents and payments, and expanded oversight responsibilities for board and senior management. Requirements related to business continuity and disaster recovery have also been included for the first time.

Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities.

By Heather B. Deixler, Clayton Northouse, Austin L. Anderson, Kiara E. Vaughn, and Kathryn Parsons-Reponte

Key Takeaways:

  • On April 27, 2023, Washington State enacted the My Health My Data law (My Health My Data Act), a health privacy law that broadly applies to personal information that is or can be linked to a consumer and identifies the consumer’s physical or mental health status.
  • On June 16, 2023, Nevada passed a similar law by enacting Senate Bill 370 (Nevada Health Privacy Law).
  • Both laws apply to consumer health information not covered under health data privacy laws like the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). However, while Nevada’s law shares similar terminology as Washington State’s law, it is narrower in scope and unlike the Washington State law, it does not include a private cause of action.
  • The requirements under both laws include publishing a consumer health data privacy policy, obtaining consent for the collection and sharing of consumers’ health data with prescriptive requirements, and establishing consumer health data rights.
  • While both laws will be enforced by the states Attorney General, the Washington State law also provides a private right of action, allowing individuals to directly bring an enforcement action against a business.
  • With certain exceptions (see small businesses and the geolocation restriction under My Health My Data), both laws will go into effect on March 31, 2024.

Washington State and Nevada have now passed health data privacy laws that impose obligations relating to the collection, processing, and sharing of “consumer health data.” Both laws (collectively, State Health Data Privacy Laws) go into effect on March 31, 2024, with some exceptions. The Washington State law’s ban on geofencing went into effect on July 23, 2023, and the law also includes a slight delay for small businesses, which are not subject to most of the law’s requirements until June 30, 2024.

The guidance encourages organisations to formulate a data breach response plan, and outlines recommendations for handling an increasing number of data breach incidents.

By Kieran Donovan and Jacqueline Van

On 30 June 2023, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued revised guidance titled “Guidance on Data Breach Handling And Data Breach Notifications” (the Guidance Note). While the Guidance Note broadly aligns with the last update in January 2019 (the 2019 Guidance), it also contains further details and recommendations to organisations on how to respond to data breaches.

The PCPD published the Guidance Note following a surge in reported data breach incidents, which have increased by more than 20% in the first half of this year compared to the second half of 2022.

A California court has held that the regulations the California Privacy Protection Agency adopted in March 2023 may not be enforced until March 2024.

By Michael Rubin, Joseph Hansen, Austin Anderson, and Max Mazzelli

On June 30, 2023, a day before the California Consumer Privacy Act (CCPA) as amended by the California Consumer Privacy Act (CPRA), and the accompanying regulations issued by the California Privacy Protection Agency (Agency), were set to come into force, the Superior Court of California granted a petition to restore a key aspect of the voter-enacted law: covered businesses must receive a one-year grace period between final adoption and enforcement of the CCPA regulations. Certain forthcoming regulations will also receive a one-year grace period.

The French Data Protection Authority imposed a €280,000 fine for GDPR infringements and a €100,000 fine for violation of French cookie rules.

By Myria Saarinen

On 11 May 2023 the French Data Protection Authority (the CNIL) handed down its decision on the health website Doctissimo, imposing a €280,000 fine for the infringement of four provisions of the GDPR and an additional €100,000 fine for the violation of Article 82 of the French Data Protection Act (the French Cookies Rule).

Founded in 2000 by medical doctors, Doctissimo is one of the most widely visited health and well-being websites in France, with the majority of visitors located in France and Belgium. The website hosts articles, tests, quizzes, and forums related to health and well-being.

The new laws introduce novel applicability thresholds and other requirements that businesses should consider when preparing for compliance with US state privacy laws, including those coming into effect from 2023 onwards.

By Robert Blamires, Marissa Boynton, Michael H. Rubin, Joseph Hansen, and Austin Anderson

Key Takeaways:

(i) Indiana, Montana, and Tennessee have all enacted general data privacy legislation, bringing the total to nine US state data privacy laws.

(ii) Montana will be the first of the three new laws to take effect on October 1, 2024, followed by Tennessee on July 1, 2025, and Indiana on January 1, 2026.

(iii) For businesses subject to existing similar general data privacy laws in other US states, many of the requirements will look familiar. The laws in Indiana and Tennessee generally follow in the wake of Virginia’s privacy law, while Montana’s law tracks more closely to Connecticut’s privacy law.  

(iv) All three laws will be exclusively enforced by the respective state attorneys general, but the penalties and applicable cure periods vary.

By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1]

The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May 2023 (IDPC Decision).[3]

The IDPC found that the Transfers, made pursuant to Standard Contractual Clauses (SCCs), did not comply with Article 46(1) GDPR, as the SCCs together with the supplementary measures implemented “do not compensate for the deficiencies in US law in issue”. The IDPC also found that the Transfers could not be made pursuant to any of the derogations under Article 49(1) GDPR. In particular, the IDPC concluded that the “contractual necessity” derogation could not be relied on by Meta Ireland “to justify the systematic, bulk, repetitive and ongoing transfers to the US”.

In light of these conclusions, the IDPC made an order suspending the Transfers (the Suspension Order).

Organisations must provide individuals with information on the specific recipients of their data upon request.

By Tim Wybitul, Isabelle Brams, Calum Docherty, and Amy Smyth

The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to give effect to the right of access. Organisations may only limit their response to the mere categories of recipients if they cannot identify the specific recipients or if the request is manifestly unfounded or excessive. The court’s judgment in the case of RW v. Österreichische Post AG (Case C-154/21) follows the opinion given by CJEU Advocate General Giovanni Pitruzzella in mid-2022 (the Opinion). For background on the case and the Opinion, see this Latham & Watkins blog post.