Privacy & Information Security Law Blog

On January 6, 2020, the Federal Trade Commission announced that it granted final approval to a settlement with InfoTrax Systems, L.C. and its former CEO, Mark Rawlins, related to allegations that InfoTrax failed to implement reasonable, low-cost and readily available security safeguards to protect the personal information the company maintained on behalf of its business clients.

In a January 6, 2020 blog post, the Director of the Federal Trade Commission’s Bureau of Consumer Protection reflected on how the FTC has taken action over the past year to strengthen its orders in data security cases. These orders have been a subject of focus for the FTC: in June 2018, the 11th Circuit’s LabMD decision struck down an FTC data security order as unenforceably vague, and the FTC subsequently held a hearing in the course of the FTC’s Hearings on Competition and Consumer Protection in the 21st Century on how it could improve data security orders.

Though all may be quiet on New Year’s Day, January 1, 2020, is the compliance date for the California Consumer Privacy Act of 2018 (“CCPA”). On the cusp of a new decade, we enter a new era of privacy rights.

The CCPA is now in effect, but the California Attorney General cannot begin enforcement until July 1, 2020. We want to congratulate everyone on their hard work this past year and a half.

If you watched the ball drop in New York City last night, we hope you can say that you didn’t drop the ball on CCPA compliance. They say hindsight is always 20/20. CCPA compliance can be your New Year’s ...

On December 12, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) released its draft 2019-2025 Strategic Plan (the “Draft Plan”). In the Draft Plan, the Belgian DPA describes its vision for the years to come, defines its priorities and strategic objectives and lists the necessary means to achieve its objectives.

Canadian Prime Minister Justin Trudeau has signaled his intent to overhaul data privacy within Canada. Prime Minister Trudeau recently sent a Mandate Letter to Navdeep Bains, the Minister of Innovation, Science and Industry, that contained a number of mandates with respect to data privacy. Specifically, the Mandate Letter states that Minister Bains is expected to work with the Minister of Justice, Attorney General of Canada and the Minister of Canadian Heritage to advance Canada’s Digital Charter and enhance powers for the Privacy Commissioner, in order to establish a new set of online rights, including:

• data portability;
• the ability to withdraw, remove and erase basic personal data from a platform;
• the knowledge of how personal data is being used, including with a national advertising registry, and the ability to withdraw consent for the sharing or sale of data;
• the ability to review and challenge the amount of personal data that a company or government has collected;
• proactive data security requirements;
• the ability to be informed when personal data is breached with appropriate compensation; and,
• the ability to be free from online discrimination including bias and harassment.

On December 19, 2019, the members of the Permanent Representations of EU Member States to the Council of the European Union (“the Council”) published a draft position on the application of the General Data Protection Regulation (“GDPR”). After the draft position has been formally adopted by the Council, it will be provided to the European Commission. This is part of the GDPR evaluation process under Article 97 of the GDPR, which requires the European Commission to publish a report on the evaluation and review of the GDPR by May 25, 2020.

On December 12, 2019, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. Under the terms of the settlement, Korunda Medical, LLC, agreed to pay $85,000 to settle a potential violation of HIPAA’s right of access.

The U.S. Department of Education and the U.S. Department of Health and Human Services released joint guidance on the application of the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule to student records. This is the first update to the agencies’ guidance since it was issued in 2008. The 27-page document includes FAQs clarifying for schools, health care professionals and families how FERPA and HIPAA apply to student education and health records. The FAQs answer which rule ...

On December 19, 2019, the Advocate General of the Court of Justice of the European Union (the “CJEU”) handed down his opinion in the so-called “Schrems II” case (case C-311/18). He recommended that the CJEU uphold the validity of the Standard Contractual Clauses (“SCCs”) as a mechanism for transferring personal data outside of the EU. Given that SCCs are the key data transfer mechanism used by many organizations to transfer personal data outside of the EU, the opinion has far-reaching repercussions and will be welcomed by businesses across the globe.

On December 18, 2019, the House Energy and Commerce Committee released a bipartisan staff-level draft privacy bill (“the bill”). While comprehensive in scope, much of the key language in the bill was left in brackets, meaning the two sides have not yet reached a compromise on final language.