On 10 October 2017, Jamaica introduced into its House of Parliament a comprehensive Bill for privacy and data protection, entitled “An Act to Protect the Privacy of Certain Data and for Connected Matters.” The new law would cover personal data, including data in an “accessible record” such as a health record or an educational record. If passed, the new law will be named the “Data Protection Act, 2017.” (more…)
On September 22, 2017, Illinois Governor Bruce Rauner vetoed the proposed Geolocation Privacy Protection Act, which sought to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent. The General Assembly originally passed the bill on June 27, 2017. (For more background on the bill, see Illinois Becomes the First State to Pass a Geolocation Privacy Protection Bill (July 5, 2017)). (more…)
Singapore’s Personal Data Protection Commission (PDPC) has launched a public consultation into a proposed revision to the law that would require reporting of certain data breaches. Singapore currently uses a voluntary approach to data breach notifications, but, according to the PDPC, this has resulted in uneven notification practices. Under the proposals, it will be mandatory for organizations to inform customers of personal data breaches that pose any risk of impact or harm to the affected individual as soon as they are discovered. If an incident involves 500 or more individuals, organizations will need to notify the PDPC as soon as possible but no later than 72 hours after discovery of the breach. The proposals aim to allow individuals to take steps to protect their interests in the event of a data breach, for example, by changing their password. (more…)
Federal legislation on the regulation of self-driving cars may be gaining traction. The House Energy and Commerce Committee approved a bipartisan bill that would ease safety restrictions on self-driving cars and preempt state laws banning “highly automated systems” or self-driving vehicles to allow designers to test and deploy cars on the road. The Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act (the “SELF DRIVE Act”) bill passed the House Committee with a 54-0 vote. It would facilitate the release by automakers of 25,000 automated vehicles in the first year and up to 100,000 automated vehicles annually, starting in the third year after the bill’s effective date. (more…)
Businesses and consumers are increasingly using Internet of Things (“IoT”) devices to communicate and process quantities and types of information that have never before been captured. In response, more federal agencies are turning their attention to the potential risks, and developing guidance for the deployment of IoT technologies. The latest to weigh in on risks include the Governmental Accountability Office and the Department of Commerce. (more…)
On June 27, 2017, the Illinois General Assembly passed a bill seeking to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent. This notable bill, the Geolocation Privacy Protection Act (“GPPA”), is on its way to Illinois Governor Bruce Rauner’s desk – although it is unclear if it will be signed or vetoed. If signed, this bill would mark the first state geolocation privacy protection bill in the country—and represent the most stringent requirements related to geolocation data in the nation, potentially creating complex issues for the rapidly proliferating variety of mobile Internet of Things devices. (more…)
2016 was a year of seismic changes in the global data protection and privacy landscape. Here, we look back at the top ten events and issues that shaped 2016, and are poised to shape the year ahead as well.
Year In Review
1. GDPR Adoption
On April 14, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (GDPR), formally completing adoption of the GDPR. The GDPR was published in the Official Journal of the EU on May 25, 2016, giving companies and Member States until the May 25, 2018 effective date to implement the Regulation fully. In the wake of its adoption, businesses should have planning under way for implementation of the significantly expanded Regulation by evaluating whether they are subject to the expanded jurisdiction, and if so, completing an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning under the new 72-hour notice requirement, reviewing existing data protection notices and consents for the more robust obligations, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and evaluating whether there is an obligation to appoint a data protection officer. Despite the time until the effective date, the extensive preparation necessary to comply presents a challenge as companies around the world refocus resources to develop compliance plans.
2. Political Cyber Warfare
There is a new front in geopolitical battles. (more…)
On December 19, 2016 the Joint Committee of the European Supervisory Authorities (“ESAs”) launched a public consultation (the “Consultation”) on the potential benefits and risks of Big Data for consumers and financial firms to determine whether any regulatory or supervisory actions will be required. The ESAs are three EU-wide supervisory authorities, the European Banking Authority (“EBA”), European Securities and Markets Authority (“ESMA”) and the European Insurance and Occupational Pensions Authority (“EIOPA”).
On Friday, December 4, President Obama signed the Fixing America’s Surface Transportation (“FAST”) Act, a $300 billion-plus highway and transportation law and the first comprehensive transportation spending law in a decade. Despite its title, the bill impacts a number of regulated sectors. Nestled within this 490-page law are 13 pages that pertain to cybersecurity and other protections for the electric grid. As detailed below, the FAST Act also includes a number of privacy and cybersecurity provisions relating to privacy notices by financial institutions as required by the Gramm Leach Bliley Act, event data records in vehicles, Internet of Things technologies, and connected cars.
The new year will ring in significant privacy, data protection and cybersecurity changes in the U.S., Europe, Asia and elsewhere around the world. Below are some key developments and possible concrete action items for General Counsels, Chief Privacy Officers and Chief Information Officers: