Online Privacy

Subscribe to Online Privacy via RSS
iStock_000038860070_Large-669x669

Businesses need to be proactive in updating their compliance measures to meet the ever-evolving set of privacy laws and regulatory expectations in 2024 and beyond.

By Michael H. Rubin, Robert W. Brown, Max G. Mazzelli, Jennifer Howes, and Sarah Zahedi

Following the notable uptick in state-level privacy laws in 2023, a wave of new comprehensive state privacy laws and state laws seeking to regulate health privacy, youth privacy, online platforms, and data brokers are set to take effect this year. While a draft federal comprehensive privacy law — the American Privacy Rights Act — aimed at harmonizing this patchwork of state laws was introduced last month, until such a law actually passes, the quickly evolving state regulatory landscape will continue to set the standards for how most businesses must handle personal information in the US.

The proposed Data Security Law has a broad jurisdictional scope and will expand the PRC’s regulatory framework for information and data.

By Hui Xu, Gail E. Crawford, Jennifer C. Archie, Kieran Donovan, and Aster Y. Lin

On July 3, 2020, the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) issued the draft Data Security Law (DSL) for public comment. Once finalized, the DSL, together with the PRC Network Security Law and the proposed PRC Personal Information Protection Law, will form an increasingly comprehensive legal framework for information and data security.

Delicate balance required, as regulators and lobbyist warn of the risks of over-regulation while research indicates users seek greater protection.

By Alain Traill

Both the ICO and the outgoing Chief Executive of Ofcom have sounded a cautious note regarding the possible consequences of UK proposals to introduce a new regulatory regime intended to combat online harms. The Internet Association — a Washington based lobbying group — has also voiced its concerns, suggesting that they risk discouraging businesses from continuing to operate in the UK.

The ICO did, however, offer support for key aspects of the proposals, and acknowledged that they identify an “important gap in the existing regulation of the internet”. Furthermore, research carried out on behalf of both Ofcom and the ICO has shown an increasing appetite for online regulation among UK web users.

By Jennifer Archie, Gail Crawford, Serrin Turner, Hui Xu & Lex Kuo

The Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) has introduced China’s first and comprehensive Network Security Law (also referred to as Cybersecurity Law). The law will have far-reaching implications for parties that utilize the internet and handle network data and personal information in the PRC.

What this means for China’s internet users

Both individuals and entities which access internet in the PRC will be subject to enhanced security requirements and new regulation relating to the use and transfer of personal data. Network operators, equipment suppliers, security solution providers and other market participants will need to comply with the sweeping new security requirements and national standards, which will come into effect on June 1, 2017.

iStock_000005643842XSmall.jpgA court in the United Kingdom has cast doubt on whether IP addresses can be used to identify infringement of copyright by a specific individual. In this post, we ask whether this case impacts the generally accepted view in Europe that IP addresses should be treated as personal data under applicable data privacy laws. 

The case of Media CAT Limited v Adams & Ors [2011] EWPCC 6 involved allegations that a number of defendants had infringed copyright in pornographic films

Thumbnail image for iStock_Lock.jpgThe First Chamber of the German Federal Supreme Court decided on the permissibility of outbound advertising calls on the basis of a so-called “double-opt-in” (judgement dated February 10, 2011 – I ZR 164/09 – Telefonaktion II). The full reasoning of the decision has not been published yet. But the press release already gives important clues as to the Court’s considerations.

A local healthcare insurance company had called consumers whose telephone numbers had been collected in the course of a lottery.

It seems fitting that on Data Privacy Day, a day designed to raise awareness of privacy issues (and not, as reported by Wikipedia, an international public holiday), we touch on the issue of “transparency” e.g. how to ensure individuals understand how their data is being processed. The EDPS, in its 14th January Opinion, describes transparency of processing as being of paramount importance for individuals, because only “if individuals know about data processing, can they exercise their rights”.

Within

The processing of personal data in the context of evolving technology and globalisation of commerce has prompted the Article 29 Working Party to take a hard look at the applicable law provisions under the European Data Protection Directive and its implementation by the Member States in its most recent Opinion.

The Working Party believes that the increase in the number of multi-jurisdictional businesses and changes in technology, together with the current inconsistency in approach to the applicable law provisions seen across the Member States, make this a pressing area for review.

Whilst the guidance provides some helpful clarification on the current rules that apply national laws to controllers either (i) “established” in an European country or (ii) that use equipment located in a European country where the controller is not established in any EU territory; what is more interesting is some of the more fundamental changes which are being considered as part of the proposed overhaul of the Data Protection Directive (and how the approach has changed since the views of the Working Party issued in 2002).

There is a suggestion that Europe should return to a country of origin principle, where all establishments of a controller within Europe will apply the law of the territory of the controller’s head quarters or “main” establishment (as opposed to different national laws applying to each establishment that carries out processing depending on the territory in which it is situated). Given the marked differences in implementation of the Directive, enforcement activity and imposition of penalties throughout Europe, without a major harmonisation exercise such an approach could only result in forum shopping and confusion for individuals as to what rights apply.

One of the newest and most talked about developments outlined by the European Commission (as part of its plans to update the EU’s data privacy regime), is the introduction of a ‘right to be forgotten’ for individuals. The Commission intends for individuals to be given much more control over their personal data, including rights to tell those using and storing their personal data to permanently delete it from their records when no longer required. This follows the theme of the