Global Privacy & Security Compliance Law Blog

France’s Highest Administrative Court Provides Insights on Lawful Cookie Practices

Posted in Legislative & Regulatory Developments

Court’s decision struck down blanket prohibition on so-called “cookie walls” that prevent users from accessing a website or an application.

By Myria Saarinen and Charlotte Guérin

France’s Highest Administrative Court (the Conseil d’Etat) issued a decision on 19 June 2020 upholding most of the guidance on cookies and other tracking devices that the French Data Protection Authority (the CNIL) had published on 4 July 2019 (the Guidance). However, the Conseil d’Etat struck down the provision of the Guidance imposing a blanket prohibition on so-called “cookie walls” that prevent users who do not consent to the use of cookies from accessing a website or an application. On the same day, the CNIL published a communication acknowledging the decision and announcing that it would adjust its Guidance and future recommendation to strictly comply with the Conseil d’Etat’s decision.

CJEU Invalidates EU-US Privacy Shield

Posted in Legislative & Regulatory Developments, Privacy

A ruling by the EU’s top court invalidates the key mechanism for transferring personal data from the EU to the US and imposes additional conditions for use of the standard contractual clauses.

By Gail E. Crawford, Fiona M. Maclean, Michael H. Rubin, Ulrich Wuermeling, Calum Docherty, and Amy Smyth

On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, one of the key mechanisms for lawfully transferring personal data from the European Union to the United States. At the same time, the CJEU ruled that the standard contractual clauses (Model Clauses) remain valid but can only be used under strict conditions.

This post provides an initial analysis of the judgment and proposes some immediate next steps for businesses to ensure compliant data transfers from the EU.

French State Council Upholds CNIL’s €50M Fine for GDPR Violations

Posted in GDPR

The Council decision contains useful considerations and clarifications on the “one-stop shop” mechanism, transparency obligations, and consent for targeted advertising.

By Myria Saarinen and Camille Dorval

On 19 June 2020, France’s Highest Administrative Court (Council) handed down its decision on the appeal filed by Google LLC (Google) against the French Data Protection Authority’s (CNIL’s) decision of 21 January 2019, which imposed a fine of €50M on Google for failure to comply with the obligations of transparency and to lawfully process personal data on the basis of a valid consent, with respect to the operating system for Android mobile terminals.

EDPB Guidelines – What is the Territorial Reach of the GDPR?

Posted in GDPR

After the recent two-year anniversary of the GDPR, one fundamental question remains — who does the GDPR apply to?

By Gail Crawford, Ulrich Wuermeling, and Calum Docherty

Last month marked the two-year anniversary of the General Data Protection Regulation (GDPR), but its territorial reach is still hotly debated. This blog post takes a detailed look at the final guidelines on the territorial scope of the GDPR, which the European Data Protection Board (the EDPB) published on 12 November 2019 following public consultation of its draft guidelines dated 23 November 2018 (the Guidelines).

The Guidelines contain several helpful clarifications around when the GDPR applies to controllers and processors of personal data. At the same time, however, the Guidelines still present latent ambiguity as to when and to what extent the GDPR applies, particularly for multinationals.


UK Supreme Court Clarifies Position on Vicarious Liability for Data Breaches

Posted in Privacy

Judgment offers some comfort for data controllers, without eliminating the possibility of vicarious liability based on an employee’s actions.

By Ian Felstead and Calum Docherty

The UK Supreme Court (UKSC) has ruled that WM Morrisons Supermarkets plc (Morrisons) was not vicariously liable for the actions of a rogue employee who leaked the personal payroll data of 98,998 co-workers. The UKSC unanimously overturned a 2018 Court of Appeal judgment, and allowed Morrisons’ appeal against vicarious liability claims relating to breach of statutory duty under the Data Protection Act 1998 (DPA 1998), misuse of private information, and breach of confidence.

In its judgment, the UKSC found that Morrisons was not vicariously liable for the data breaches committed by its rogue employee, because the rogue employee’s “wrongful conduct was not so closely connected with acts which he was authorised to do”, but held that the DPA 1998 does not exclude the imposition of vicarious liability. It is uncertain whether the same interpretation applies under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Hong Kong Privacy Regulator Responds to Personal Data Privacy Issues Arising From COVID-19

Posted in Legislative & Regulatory Developments, Privacy

Hong Kong regulator declares that the disclosure of personal data of potential COVID-19 carriers is permissible under law.

By Kieran Donovan

COVID-19 is having a profound impact not only on the way the world interacts socially, but also on the way it interacts in business. Businesses are choosing to protect the health and well-being of their employees by vetting the travel histories and health status of visitors, as well as tracking potential COVID-19 carriers using social media.

Hong Kong’s data protection regulator, the Office of the Privacy Commissioner for Personal Data (PCPD), has recently published guidance considering the implications of these activities, as described below.


UK MRC Clarifies When Health Data Is Anonymised in Research Context

Posted in GDPR, Privacy

Research participants must identify which data sets constitute personal data to ensure compliance with the GDPR.

By Frances Stocks Allen and Mihail Krepchev

The UK Medical Research Council (MRC) has published a useful guidance note on the identifiability, anonymisation, and pseudonymisation of personal data in the context of research activities (the Guidance). The Guidance reminds research organisations that the General Data Protection Regulation (GDPR) applies to health data used in research and contains a number of recommendations that participants in the research process, particularly clinical trial sponsors, should bear in mind. The Guidance has been developed with the participation of the UK privacy regulator, the Information Commissioner’s Office (ICO).

California AG Releases Modified CCPA Regulations

Posted in Legislative & Regulatory Developments, Privacy

While still in draft form, the modifications both clarify certain obligations and introduce new uncertainty for businesses covered by the CCPA.

By Jennifer C. Archie, Michael H. Rubin, Robert Blamires, Marissa R. Boynton, and Scott C. Jones

Earlier this month, the California Attorney General released modified draft regulations further clarifying, and in some cases complicating, compliance with the California Consumer Privacy Act. Key developments include narrowing the definition of “personal information,” changing the use limitations on “service providers,” and other amendments affecting how businesses must respond to data rights requests. The regulations must be final by July 1, which means the California AG may still publish another round of modifications after the public comment period closes on February 25. For more information on all key modifications, see our recent Client Alert.

UK Government Releases Details of New ‘Online Harms’ Regime for Online Platforms

Posted in Legislative & Regulatory Developments, Privacy

Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime.

By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell

Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set out preliminary details of a new regulatory regime to govern content posted on online platforms. The details were released in an initial response to last year’s online harms white paper, with a full response expected this spring. While some changes have been made to the white paper proposals, seemingly in response to concerns raised by industry and other stakeholders, the government has confirmed that it will introduce an active “duty of care” on organisations to prevent certain content from appearing on their platforms.

The proposed new regime mirrors similar steps taken in other jurisdictions, e.g., Australia, to protect against harmful content online. It is also in line with the direction of travel of platform regulation at a European level, taking into account, for example, changes to the AVMS Directive (EU) 2018/1808 (AVMSD) to regulate video-sharing platform services (VSPs) in relation to protection of minors and harmful content, and the planned EU Digital Services Act, which is likely to introduce changes to EU law regarding the liability of platform providers for content posted using their services.

The Pervasive Threat of Business Email Compromise Fraud — and How to Prevent It

Posted in Privacy, Security

Eliminating the risk of business email compromise (BEC) attacks requires all parties to a financial transaction to pay close attention to email security, financial controls, and communication protocols.

By Jennifer C. Archie, Serrin Turner, and Tim Wybitul

Key Points:

  • The FBI has identified BEC fraud as the No. 1 financial threat to businesses in the US.
  • The FBI’s Internet Crime Complaint Center (IC3) estimates that global “exposed dollar losses” to BEC fraud have exceeded US$26 billion in the past three years.[i] In 2019 alone, the IC3 recorded 23,775 complaints about BEC, which resulted in losses worth some US$1.7 billion.
  • All parties to financial transactions must be aware of this fraud risk. Each should put in place not only appropriate security controls for email, but also financial controls for bank account and wiring-instruction verification.

What Is Business Email Compromise?

Business email compromise is a type of Internet-based fraud that typically targets employees with access to company finances, using methods such as social engineering and computer intrusions. The objective of the fraud is to trick the employee into making a wire transfer to a bank account thought to belong to a trusted partner, but that is in fact controlled by the fraudster.
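The post recommends email security controls alongside wiring-instruction verification but does not show what such a control looks like. The following is an added illustration, not code from the original post or its authors: a small Python checker that reads an email message and flags the header-level signs that typically accompany a BEC attempt (a sender domain that is a near-miss of a trusted partner's domain, a Reply-To that quietly routes answers elsewhere, a display name that borrows a partner's name while the address does not match) together with the payload that matters most here, a request to change bank or wiring details. All domains, addresses and messages in it are constructed for the example.

```python
"""Flag common business email compromise (BEC) indicators in an e-mail message.

Added example, not part of the original post. Every domain, address and
message below is hypothetical sample data constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Hypothetical list of partners whose payment instructions the finance team trusts.
TRUSTED_PARTNER_DOMAINS = {"acme-supplies.example", "northbank.example"}

# A payment-redirection request usually pairs a "change" word with a
# reference to bank/wiring details; both must appear for the flag to fire.
CHANGE_WORDS = re.compile(r"\b(new|updated?|changed?)\b", re.IGNORECASE)
PAYMENT_DETAILS = re.compile(
    r"\b(bank|account|wiring|wire|payment|remittance)\s+(details|instructions|information)\b",
    re.IGNORECASE,
)

# Substitutions attackers use so a lookalike domain reads like the real one.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def fold_confusables(domain: str) -> str:
    for lookalike, real in CONFUSABLES:
        domain = domain.replace(lookalike, real)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_PARTNER_DOMAINS:
        return None
    folded = fold_confusables(domain)
    for trusted in TRUSTED_PARTNER_DOMAINS:
        if folded == trusted or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def bec_indicators(raw_message: str) -> List[str]:
    """Return the BEC warning signs found in an RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    findings = []

    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike sender domain {from_domain!r} resembles trusted {target!r}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    for trusted in TRUSTED_PARTNER_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in display_name.lower() and from_domain != trusted:
            findings.append(f"display name {display_name!r} claims {trusted!r} but address is on {from_domain!r}")

    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    if CHANGE_WORDS.search(text) and PAYMENT_DETAILS.search(text):
        findings.append("message requests a change to bank or wiring details; verify out of band")
    return findings


# Constructed sample messages (hypothetical, for the example only).
LEGITIMATE = """\
From: Dana Lee <dana.lee@acme-supplies.example>
To: ap@victim-corp.example
Subject: Invoice 4471

Please find invoice 4471 attached. Payment terms as usual.
"""
LOOKALIKE = """\
From: Dana Lee <dana.lee@acme-suppIies.example>
Reply-To: Dana Lee <dana.lee@acme-suppIies.example>
To: ap@victim-corp.example
Subject: Updated wiring instructions for invoice 4471

We have changed banks. Please use the new bank details below for all future payments.
"""
REPLY_TO_HIJACK = """\
From: "Acme Supplies Accounts" <accounts@acme-supplies.example>
Reply-To: <accounts.acme@webmail-free.example>
To: ap@victim-corp.example
Subject: Remittance information

Kindly send the remittance information to this address; our account details changed last week.
"""
DISPLAY_NAME_SPOOF = """\
From: "Northbank Treasury" <northbank.treasury@webmail-free.example>
To: ap@victim-corp.example
Subject: Account verification

Please confirm the account details on file before Friday.
"""

if __name__ == "__main__":
    for label, sample in [("legitimate", LEGITIMATE), ("lookalike", LOOKALIKE),
                          ("reply-to hijack", REPLY_TO_HIJACK), ("display-name spoof", DISPLAY_NAME_SPOOF)]:
        print(label, "->", bec_indicators(sample) or "no indicators")
```

These checks are heuristics for the finance mailbox, not a substitute for SPF, DKIM and DMARC enforcement on the mail gateway, and none of them removes the need for the financial control the post calls for: any change to a partner's bank or wiring details is confirmed by phone using a number already on file, never one supplied in the email.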
