Privacy & Information Security Law Blog

The U.S. Department of Education and the U.S. Department of Health and Human Services released joint guidance on the application of the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule to student records. This is the first update to the agencies’ guidance since it was issued in 2008. The 27-page document includes FAQs clarifying for schools, health care professionals and families how FERPA and HIPAA apply to student education and health records. The FAQs answer which rule ...

On December 19, 2019, the Advocate General of the Court of Justice of the European Union (the “CJEU”) handed down his opinion in the so-called “Schrems II” case (case C-311/18). He recommended that the CJEU uphold the validity of the Standard Contractual Clauses (“SCCs”) as a mechanism for transferring personal data outside of the EU. Given that SCCs are the key data transfer mechanism used by many organizations to transfer personal data outside of the EU, the opinion has far-reaching repercussions and will be welcomed by businesses across the globe.

On December 18, 2019, the House Energy and Commerce Committee released a bipartisan staff-level draft privacy bill (“the bill”). While comprehensive in scope, much of the key language in the bill was left in brackets, meaning the two sides have not yet reached a compromise on final language.

On December 9, 2019, the Federal Communications Commission (“FCC”) announced that online fax services do not fall under legal prohibitions against junk faxes. In a petition filed in 2017 for declaratory judgement brought by AmeriFactors Financial Group, LLC pursuant to the Telephone Consumer Protection Act (“TCPA”) and the Junk Fax Protection Act  (“JFPA”), the petitioner sought clarification regarding the status of online cloud-based fax services.

On December 11, 2019, an updated version of India’s draft data privacy bill was introduced in the Indian Parliament (the “Draft Bill”) by the Ministry of Electronics and Information Technology (“MeitY”). The Draft Bill updates a prior version submitted to MeitY in July 2018.

On December 10, 2019, the French Data Protection Authority (the “CNIL”) published the final version of its standard (“Referential”) concerning the processing of personal data in the context of whistleblowing hotlines. The Referential on whistleblowing hotlines was adopted following a public consultation launched by the CNIL on April 11, 2019. It replaces the CNIL’s Single Authorization AU-004 decision regarding such data processing, and anticipates certain changes introduced by the EU Directive on the protection of whistleblowers (Directive (EU) 2019/1937 of October 23, 2019), which EU Member States will have to implement into their national laws by December 17, 2021. The CNIL also published a set of questions and answers (“FAQs”), which aim to answer some practical questions that the CNIL are regularly asked regarding the operation of a whistleblowing hotline.

On December 11, 2019, the European Data Protection Board (“EDPB”) published its draft guidelines 5/2019 (the “Guidelines”) on the criteria of the right to be forgotten in search engine cases under the EU General Data Protection Regulation (“GDPR”). The Guidelines aim to provide guidance on: (1) the grounds on which individuals can rely for submitting a request for the right to be forgotten in relation to links to web pages containing their personal data; and (2) the exceptions to the right to be forgotten that search engine operators could use to reject such a request. The Guidelines will be supplemented by an appendix on the assessment of criteria for the handling of individuals’ complaints by EU data protection authorities following the refusal by search engine operators to grant the individuals’ request.

On December 10, 2019, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) published a statement regarding compliance with the rules on cookie consent (the “Statement”).

On December 6, 2019, the Federal Trade Commission announced its Final Order and Opinion in the matter of Cambridge Analytica, LLC, finding that Cambridge Analytica violated the FTC Act’s Section 5 prohibition against “unfair or deceptive acts or practices” when harvesting personal information through its “GSRApp” Facebook application.

On December 3, 2019, the Federal Trade Commission announced that it had reached settlements in four separate Privacy Shield cases. Specifically, the FTC alleged that Click Labs, Inc., Incentive Services, Inc., Global Data Vault, LLC, and TDARX, Inc. each falsely claimed to participate in the EU-U.S. Privacy Shield framework. The FTC also alleged that Click Labs and Incentive Services falsely claimed to participate in the Swiss-U.S. Privacy Shield framework and that Global Data and TDARX continued to claim participation in the EU-U.S. Privacy Shield after their Privacy Shield certifications lapsed. The complaints further alleged that Global Data and TDARX failed to comply with the Privacy Shield framework, including by failing to (1) verify annually that statements about their Privacy Shield practices were accurate, and (2) affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program.