Privacy & Information Security Law Blog

2019 was the “Year of the CCPA” as companies around the world worked tirelessly to comply with the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA aims to provide data privacy rights for California residents and imposes significant new requirements on covered businesses.

On January 8, 2020, the Information Commissioner's Office (“ICO”) launched a consultation on its draft direct marketing code of practice (the “Draft Code”), as required by section 122 of the Data Protection Act 2018 (“DPA 18”). The Draft Code is open for public consultation until March 4, 2020.

According to MLex, on January 6, 2020, the Seoul Eastern District Court found Kim Jin-Hwan, a privacy officer of the South Korean travel agency Hana Tour Service Inc., guilty of negligence in failing to prevent a 2017 data breach that affected over 465,000 customers of the agency and 29,000 Hana Tour employees.

On January 6, 2020, the Federal Trade Commission announced that it granted final approval to a settlement with InfoTrax Systems, L.C. and its former CEO, Mark Rawlins, related to allegations that InfoTrax failed to implement reasonable, low-cost and readily available security safeguards to protect the personal information the company maintained on behalf of its business clients.

In a January 6, 2020 blog post, the Director of the Federal Trade Commission’s Bureau of Consumer Protection reflected on how the FTC has taken action over the past year to strengthen its orders in data security cases. These orders have been a subject of focus for the FTC: in June 2018, the 11th Circuit’s LabMD decision struck down an FTC data security order as unenforceably vague, and the FTC subsequently held a hearing in the course of the FTC’s Hearings on Competition and Consumer Protection in the 21st Century on how it could improve data security orders.

Though all may be quiet on New Year’s Day, January 1, 2020, is the compliance date for the California Consumer Privacy Act of 2018 (“CCPA”). On the cusp of a new decade, we enter a new era of privacy rights.

The CCPA is now in effect, but the California Attorney General cannot begin enforcement until July 1, 2020. We want to congratulate everyone on their hard work this past year and a half.

If you watched the ball drop in New York City last night, we hope you can say that you didn’t drop the ball on CCPA compliance. They say hindsight is always 20/20. CCPA compliance can be your New Year’s ...

On December 12, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) released its draft 2019-2025 Strategic Plan (the “Draft Plan”). In the Draft Plan, the Belgian DPA describes its vision for the years to come, defines its priorities and strategic objectives and lists the necessary means to achieve its objectives.

Canadian Prime Minister Justin Trudeau has signaled his intent to overhaul data privacy within Canada. Prime Minister Trudeau recently sent a Mandate Letter to Navdeep Bains, the Minister of Innovation, Science and Industry, that contained a number of mandates with respect to data privacy.

On December 19, 2019, the members of the Permanent Representations of EU Member States to the Council of the European Union (“the Council”) published a draft position on the application of the General Data Protection Regulation (“GDPR”). After the draft position has been formally adopted by the Council, it will be provided to the European Commission. This is part of the GDPR evaluation process under Article 97 of the GDPR, which requires the European Commission to publish a report on the evaluation and review of the GDPR by May 25, 2020.

On December 12, 2019, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. Under the terms of the settlement, Korunda Medical, LLC, agreed to pay $85,000 to settle a potential violation of HIPAA’s right of access.