The 25th of May, 2019 marked a year since the EU General Data Protection Regulation (“GDPR”) came into force. For most in privacy, involvement with the GDPR has been ongoing for well over this year, but on the first anniversary of the GDPR we take an opportunity to look back and reflect on where we are now in relation to some key areas of interest including enforcement action, privacy litigation, breach notification and developing guidance from the European Data Protection Board (“EDPB”).
As the legislative session drew to a close, what once seemed like an inevitability suddenly looked unlikely. The Washington Privacy Act, SB 5376/HB1854, failed to make its way through the legislative process. The Bill’s sponsor, Sen. Reuven Carlyle, called the game on April 17, tweeting that despite the “unprecedented 46-1 vote” in the Senate, “[u]nfortunately, House failed to pass privacy legislation this year. We’re committed to 2020.” Nevertheless, the State of Washington did pass notable privacy legislation, albeit on a more narrow topic.
The Malaysia Personal Data Protection Act applies to all companies operating in Malaysia, as well as persons not established in Malaysia, if they use equipment in Malaysia for the processing of personal data otherwise than for the purposes of transit through Malaysia. (more…)
On 29 March 2019, the Belgian House of Representatives appointed a new Data Protection Commissioner and four directors to the executive committee of the Belgian Data Protection Authority (‘DPA’).
These are the first appointments to be made to the DPA since it replaced the previous Belgian Privacy Commission in anticipation of the EU GDPR. This is therefore the first time that executive roles have been officially filled in the context of the regulator’s expanded competence – including the DPA’s new power to impose administrative fines of up to €20,000,000 EUR or 4 percent of an undertaking’s worldwide annual revenues for certain infringements of the EU GDPR.
Singapore may soon mandate data breach notifications and data portability via amendments to the Singapore Personal Data Protection Act, or PDPA. The PDPA applies to all organizations that collect, use and disclose data in Singapore, and the PDPA has extraterritorial effect as it applies to all organizations collecting, using or disclosing personal data from individuals in Singapore (whether or not the company has a physical presence in Singapore).
The UK Financial Conduct Authority (“FCA”) has carried out a multi-firm review of cybersecurity practices with a sample of 20 firms in the wholesale banking and asset management sectors (the “Report”). The review aimed to look more closely at how wholesale banking and asset management firms oversee and manage their cybersecurity, including the extent to which firms identify and mitigate relevant cyber risks and their current capability to respond to and recover from data security incidents.
On December 28, 2018, Michigan adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law in the form of Michigan H.B. 6491 (Act). By doing so, Michigan joins Ohio and South Carolina as the third state to adopt the Model Law and the fifth state – along with Connecticut and New York – to have enacted cybersecurity regulations focused on insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (Please see our prior coverage for more information on Ohio and South Carolina’s adoption of the Model Law). Moreover, adoption of the Model Law is still gaining steam with Rhode Island potentially next in line.
On December 3, 2018, twelve attorneys general (“AGs”) jointly filed a data breach lawsuit against Medical Informatics Engineering and its subsidiary, NoMoreClipboard LLC (collectively “the Company”), an electronic health records company, in federal district court in Indiana. See Indiana v. Med. Informatics Eng’g, Inc., No. 3:18-cv-00969 (N.D. Ind. filed Dec. 3, 2018). The suit—led by Indiana Attorney General Curtis Hill—is joined by AGs from Arizona, Arkansas, Florida, Iowa, Kansas, Kentucky, Louisiana, Minnesota, Nebraska, North Carolina and Wisconsin. While state AGs have previously exercised their civil enforcement authorities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this is the first multi-state data breach lawsuit alleging HIPAA violations in federal court and may signal increased interest on the part of state officials in exercising their data protection authorities to address cybersecurity incidents.
On December 19, 2018, Ohio adopted the National Association of Insurance Commissioners’ (NAIC) Insurance Data Security Model Law. By doing so, Ohio joins South Carolina as the second state to have adopted the Model Law and the fourth state – along with Connecticut and New York – to have enacted cybersecurity regulations for insurance companies. See CT Gen Stat § 38a-999b (2015); 23 NYCRR 500. (For more information on South Carolina’s adoption of the Model Law, see our prior coverage.) (more…)
*This article first appeared in the Hill.com on November 19, 2018
With the House having now flipped, policy consensus in Congress is not likely to get any easier. But there is one subject around which countries, companies, consumers and, yes, even Congress is increasingly converging. That issue is privacy. The new privacy zeitgeist follows years of data breaches as well as new concerns about invisible data collection, political micro-targeting and manipulation, the proliferation of internet-connected devices, and a potential lack of transparency in the decisions that machines increasingly make about us.