State laws governing the collection and use of personal information continue to proliferate. The latest comes from New Jersey, which on July 21, 2017, signed into law legislation that restricts a merchant’s ability to collect personal data of shoppers and share such data with third parties. New Jersey’s Personal Information Privacy and Protection Act permits retailers to scan an identification card only for certain purposes—such as verifying the consumer’s identity—and requires retailers to store such data securely. Further, a retailer may not share the data with a third party unless the retailer discloses its data-sharing practices to the consumer. (more…)
In a statement of intent published on 7 August 2017, the UK Government has committed to updating and strengthening data protection laws through a new Data Protection Bill (the “Bill”). The Bill will incorporate the new EU General Data Protection Regulation (the “GDPR”) into UK law.
According to the UK’s Minister of State for Digital, Matt Hancock, the Bill will “give [the UK] one of the most robust, yet dynamic, set of data laws in the world. The Bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.” (more…)
Singapore’s Personal Data Protection Commission (PDPC) has launched a public consultation into a proposed revision to the law that would require reporting of certain data breaches. Singapore currently uses a voluntary approach to data breach notifications, but, according to the PDPC, this has resulted in uneven notification practices. Under the proposals, it will be mandatory for organizations to inform customers of personal data breaches that pose any risk of impact or harm to the affected individual as soon as they are discovered. If an incident involves 500 or more individuals, organizations will need to notify the PDPC as soon as possible but no later than 72 hours after discovery of the breach. The proposals aim to allow individuals to take steps to protect their interests in the event of a data breach, for example, by changing their password. (more…)
Federal legislation on the regulation of self-driving cars may be gaining traction. The House Energy and Commerce Committee approved a bipartisan bill that would ease safety restrictions on self-driving cars and preempt state laws banning “highly automated systems” or self-driving vehicles to allow designers to test and deploy cars on the road. The Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act (the “SELF DRIVE Act”) bill passed the House Committee with a 54-0 vote. It would facilitate the release by automakers of 25,000 automated vehicles in the first year and up to 100,000 automated vehicles annually, starting in the third year after the bill’s effective date. (more…)
On June 27, 2017, the Illinois General Assembly passed a bill seeking to limit the collection, use, retention, or disclosure of precise geolocation data from a mobile device without a person’s prior express and written consent. This notable bill, the Geolocation Privacy Protection Act (“GPPA”), is on its way to Illinois Governor Bruce Rauner’s desk – although it is unclear if it will be signed or vetoed. If signed, this bill would mark the first state geolocation privacy protection bill in the country—and represent the most stringent requirements related to geolocation data in the nation, potentially creating complex issues for the rapidly proliferating variety of mobile Internet of Things devices. (more…)
On April 18 in the DC office, Sidley hosted the firm’s third annual Privacy and Cybersecurity Roundtable for over 70 clients. Speakers included a senior representative of the European Data Protection Supervisor, senior officials from the Office of the New York State Attorney General and the Federal Trade Commission, legal, policy and compliance leaders from Facebook and Gannett, along with several members of the firm’s privacy, securities law and governance groups. (more…)
On 27 April 2017 the German Parliament passed the new Federal Data Protection Act (the Bundesdatenschutzgesetz or “new BDSG”) which from 25 May 2018 will replace the current German Data Protection Act. The new BDSG adapts German law in line with the EU’s new General Data Protection Regulation (the “GDPR”). The GDPR has direct effect in EU members states, but it allows member states to pass legislation which supplements the GDPR but is consistent with it.
On 6th April, 2017, the European Parliament adopted a resolution stating that there are deficiencies in the EU-US data transfer accord Privacy Shield which must be “urgently resolved” in order to give citizens and companies legal certainty. MEPs called on the EU Commission to conduct an assessment and to ensure that the Privacy Shield complies sufficiently with the EU Charter of Fundamental Rights and new EU data protection rules. (more…)
New Mexico has become the 48th state to enact a data breach notification law, which also includes data security requirements. The Data Breach Notification Act, signed by Governor Martinez on April 6, 2017, requires notification within 45 days of discovery of a security breach, or “unauthorized acquisition” of computerized personal information, subject to the needs of law enforcement. A security breach is also limited to unencrypted data or encrypted data when the decryption key is compromised. Personal data protected by the law includes Social Security numbers, driver’s license numbers, government-issued identification numbers, account, credit card or debit card number paired with the security code or other pin, and biometric data.
On April 3, 2017, President Trump signed the bill repealing the Federal Communications Commission’s much-debated broadband privacy rules. The House of Representatives voted 215–205 to disapprove the rules, after a party-line Senate vote of 50–48. The result is that the FCC’s key rules governing internet service providers’ collection and use of consumer data, as well as data security, will not go into effect as scheduled. Moreover, the FCC will be precluded from promulgating any regulation in “substantially the same” form until a future Congress allows such action.