Using Data De-Identification to Protect Companies

Many companies hope to benefit from amassing large amounts of data by mining it for market insights, creating internal business models, and supporting strategic, data-driven decisions. But as companies collect and store increasingly enormous volumes of data, they may unknowingly take on significant legal risks, including potential violations of data privacy laws and increased exposure to U.S. litigation discovery obligations. One way that businesses can mitigate these risks is to de-identify the data they collect and store.

Part II – Digital Health Passports in Europe: Amended Proposal for a Digital Green Certificate and Eligible Testing Methods

In March 2021, the European Commission released a proposal for the creation of a “Digital Green Certificate,” which will allow EU citizens to travel more easily throughout the EU during the COVID-19 pandemic. Last week, the EU Member States agreed on some proposed changes to the proposal, including strengthening of the data privacy provisions. According to the proposal, in order to obtain a Digital Green Certificate, individuals must prove that they have been vaccinated, present a negative test result, or have recently recovered from COVID-19. The proposal allows the issuance of a certificate for all COVID-19 vaccines that have received an EU-wide marketing authorisation; however, only the results of certain in vitro diagnostic tests will be considered valid.

EU Commission Invites Stakeholders Feedback on Draft AI Regulation

On April 26, 2021, the European Commission announced that its draft proposal for the new EU Artificial Intelligence Regulation (“Draft AI Regulation”) is open for feedback until June 22, 2021. The Draft AI Regulation was published on April 21. Please refer to our blog post here that provides an overview of the Draft AI Regulation and its potential impact.

Developments in Cookie Regulation: French CNIL Declares Intent to Audit Websites for Cookie Compliance

On April 2, 2021, the French Data Protection Authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its intent to start auditing websites for compliance with cookie regulations. This publication follows a large number of developments and actions taken by the CNIL to further improve and guide organizations through cookie compliance. The CNIL had issued several recommendations, guidelines and cookie tools to raise awareness of the importance of this topic, with a final set of guidelines published on October 1, 2020 following public consultation rounds (“Cookie Guidelines”). The CNIL had determined that a 6-month grace period would apply following publication of the Cookie Guidelines. This grace period ended on April 1, 2021, and the CNIL now expects companies to be compliant with its recommendations and guidelines. The CNIL has confirmed that it may make use of the totality of its corrective powers to remedy non-compliance with the rules, including issuing (public) sanctions. In light of the increase in scrutiny on cookies in the EU (and the U.S. pursuant to certain state laws), organizations with websites / platforms operating in the EU (and U.S.) may want to reconsider their cookie practices and start carrying out cookie audits.

EU Commission Issues Draft AI Regulation

On April 21, 2021, the European Commission (EC) issued its eagerly awaited draft proposal on the EU Artificial Intelligence Regulation (Draft AI Regulation) – the first formal legislative proposal regulating Artificial Intelligence (AI) on a standalone basis. The Draft AI Regulation is accompanied by a revision of the EU’s rules on machinery products, which lay down safety requirements for machinery products before being placed on the EU market. The new draft Machinery Products Regulation – proposed by the EU Commission on the same day – intends to tackle safety issues that arise in emerging technologies. The Draft AI Regulation (which appears to have borrowed a number of principles from existing EU legislation, including the EU General Data Protection Regulation 2016/679 (GDPR)) has an intentionally broad scope, and regulates the use of AI in accordance with the level of risk the AI system presents to fundamental human rights and other key values the EU adheres to. AI systems that are considered to present an “unacceptable” level of risk are banned from the EU, and “high-risk” systems are subject to strict requirements. AI systems which are considered to present a lower risk level are subject to transparency requirements or are not regulated at all. Companies engaged in the development, manufacturing, importation, distribution, servicing, and use of AI – irrespective of industry – should assess to what extent their products are implicated and how they will address any regulatory requirements they are subject to. The Draft AI Regulation foresees maximum administrative fines of up to €30m or 6% of total worldwide annual turnover in the event of non-compliance – meaning fines are higher than the ones under the GDPR.

Supreme Court Considers Injury and Typicality Questions in Case With Implications for Data Breach and Privacy Class Action Litigation

On March 30, 2021, the Supreme Court heard arguments in TransUnion LLC v. Ramirez, a case in which Respondent Ramirez brought a class action lawsuit against Petitioner TransUnion, alleging that it incorrectly placed a flag on his credit report; the flag suggested that Ramirez was on a list of potential terrorists and criminals maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control (the “OFAC list”) because his name was similar to those of two individuals whose names were on that list. After Ramirez learned he had been flagged, he requested a copy of his credit report from TransUnion. TransUnion sent him a copy of his credit report, which did not include any reference to the OFAC list, and a second mailing indicating that his name was a potential match for a name on the OFAC list. Ramirez sued on behalf of himself and a class of over 8,000 individuals who received similar mailings, alleging that TransUnion violated the Fair Credit Reporting Act (“FCRA”) by (i) incorrectly flagging him as potentially appearing on the OFAC list and (ii) sending him the information about the potential match separately from his requested credit report, which he argued was confusing because the mailing regarding the OFAC list did not include FCRA-required information about how to dispute and correct the incorrect information.

DOL Puts Plan Sponsors and Other Fiduciaries on Notice: ERISA Requires Appropriate Precautions to Mitigate Cybersecurity Threats

There just may be a new cybersecurity regulator in town.

In an effort it describes as “an important step” toward safeguarding more than $9.3 trillion in retirement assets, the U.S. Department of Labor (DOL) published its first cybersecurity guidance last week (Cybersecurity Guidance). The Cybersecurity Guidance is directed at plan sponsors and fiduciaries regulated by the Employee Retirement Income Security Act of 1974 (ERISA) as well as plan participants and beneficiaries. Significantly, the Cybersecurity Guidance formally states the DOL’s position that cybersecurity is a matter of fiduciary responsibility under ERISA, stating that ERISA requires plan fiduciaries to take appropriate precautions to mitigate cybersecurity risks.
