Category

Litigation

06 April 2017

The Widening Data Breach Standing Split: Fourth Circuit Finds No Standing From Increased Risk of Future Identity Theft

The U.S. Court of Appeals for the Fourth Circuit has added to the growing circuit split on standing in data breach cases in Beck v. McDonald, No. 15-1395 (Feb. 6, 2017). The circuit split now divides at least six federal courts of appeal regarding what data-breach victims must show to establish an “injury-in-fact” under Article III. The Fourth Circuit held that merely having your personal data stolen—and the alleged corresponding increased risk of future theft—is insufficient to satisfy Article III’s injury-in-fact requirement.

04 April 2017

A Farewell to the FCC Broadband Privacy Rules

On April 3, 2017, President Trump signed the bill repealing the Federal Communications Commission’s much-debated broadband privacy rules. The House of Representatives voted 215–205 to disapprove the rules, after a party-line Senate vote of 50–48. The result is that the FCC’s key rules governing internet service providers’ collection and use of consumer data, as well as data security, will not go into effect as scheduled. Moreover, the FCC will be precluded from promulgating any regulation in “substantially the same” form until a future Congress allows such action.

14 March 2017

Google’s Overseas Warrants: A Game of Tug-of-War Over Access to Data

On February 3, 2017, Eastern District of Pennsylvania Magistrate Judge Thomas J. Rueter ordered Google to comply with FBI search warrants to produce emails stored on foreign servers as part of a domestic criminal investigation.  In re Search Warrant No. 16-960-M-01 to Google (E.D. Pa. Feb. 3, 2017).  This ruling comes on the heels of the Second Circuit’s decision in Microsoft Corp. v. United States, 829 F.3d 197 (2d Cir. 2016) (denied rehearing on January 24, 2017), which reached an opposite decision and held that Microsoft could not be forced to turn over user data stored on a server located in Ireland.  (For more background, see Second Circuit Microsoft Ruling: A Plea for Congressional Action (August 8, 2016)).

02 March 2017

The Continuing Impact of the Judgment of the Court of Justice of the European Union Declaring Invalid the European Commission’s Decision on U.S.-EU Safe Harbor

The decision by the Court of Justice of the European Union (the CJEU) on Oct. 6, 2015, invalidating the U.S.-EU Safe Harbor Decision (the Judgment) is a landmark judgment. Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650. By voiding the legal basis for transatlantic data transfers for the 4,400 companies reliant on U.S.-EU Safe Harbor, the Judgment began what has been a seismic year for data protection and cross-border data transfers in the European Union, whose aftershocks will reverberate throughout 2017 and beyond.

15 February 2017

Chronicles from the Standing Wars: Third Circuit Rules Disclosures of Personal Data in Violation of FCRA De Facto Injury

The Third Circuit recently overturned a district court’s ruling on In re Horizon Healthcare Services Inc. Data Breach Litigation and gave new life to a putative class action over a data breach.  No. 15-2309 (Jan. 20, 2017).  The Third Circuit panel held that allegations of unauthorized disclosure of personal information in violation of the Fair Credit Reporting Act (“FCRA”) constituted a de facto injury sufficient to establish Article III standing.  Plaintiffs did not allege identity theft, any other misuse of the compromised data, or even any mitigation costs.

06 February 2017

Update on the Legal Challenge to Standard Contractual Clauses

The closely followed case challenging the validity of Standard Contractual Clauses for the transfer of personal data outside the EEA to countries considered not to provide an adequate level of data protection, including the US, is progressing, with a hearing coming up on February 7th and a schedule set for the proceedings, including amicus participation.

31 January 2017

2016 Year in Review and 2017 Preview: Top Ten for Data Protection and Privacy

2016 was a year of seismic changes in the global data protection and privacy landscape.  Here, we look back at the top ten events and issues that shaped 2016, and are poised to shape the year ahead as well.

Year In Review

1. GDPR Adoption

On April 14, the European Parliament voted to adopt the long-awaited EU General Data Protection Regulation (GDPR), formally completing adoption of the GDPR. The GDPR was published in the Official Journal of the EU on May 25, 2016, giving companies and Member States until the May 25, 2018 effective date to implement the Regulation fully. In the wake of its adoption, businesses should have planning under way for implementation of the significantly expanded Regulation by evaluating whether they are subject to the expanded jurisdiction, and if so, completing an internal gap analysis of current data protection practices as compared with the new requirements and rights under the Regulation. Some of the key aspects to consider include data breach response planning under the new 72-hour notice requirement, reviewing existing data protection notices and consents for the more robust obligations, identifying current profiling activities and existing data protection and retention policies and procedures, ensuring privacy impact assessments are carried out where required, and evaluating whether there is an obligation to appoint a data protection officer.  Despite the time until the effective date, the extensive preparation necessary to comply presents a challenge as companies around the world refocus resources to develop compliance plans.

2. Political Cyber Warfare

There is a new front in geopolitical battles.

12 January 2017

CJEU issues ruling on retention of data by Electronic Communication Services

The Court of Justice of the European Union (“CJEU”) issued, on December 21, 2016, its ruling in the joined cases, Tele2 Sverige AB v. Post- och telestyrelsen (C-203/15), and Secretary of State for Home Department v. Tom Watson and Others (C-698/15), concerning the interpretation of Article 15(1) of the EU’s ePrivacy Directive (2002/58/EC). Article 15(1) enables EU Member States to adopt measures that restrict privacy rights granted to users of Electronic Communication Services (“ECSs”) when they are “necessary, appropriate and proportionate… to safeguard national security”. Examples of ECSs include private and public companies in Internet, telecommunication, satellite and cable businesses.

28 December 2016

The Privacy, Data Protection and Cybersecurity Law Review

The third edition of The Privacy, Data Protection and Cybersecurity Law Review appears as the world is converging on more privacy laws that cover more areas of business and are subject to more enforcement. Several Sidley lawyers in the Privacy, Data Security and Information Law practice have contributed to this publication.

15 December 2016

Changes to DMCA Safe Harbor Registration Require Action by December 31, 2017

As part of a housekeeping effort, the U.S. Copyright Office issued a final rule that changes the designated agent mechanism protecting online service providers from certain copyright infringement liability under the Digital Millennium Copyright Act (“DMCA”).  Companies will now have to re-register every three years, and existing registrations will cease to be valid by the end of next year.
