On November 23, 2018, the European Data Protection Board (“EDPB”) published draft guidelines seeking to clarify the territorial scope of the GDPR (“Guidelines”). The Guidelines have been eagerly awaited, particularly by controllers and processors outside of the EU looking for confirmation as to whether or not the EU data protection rules apply to them. The Guidelines largely reaffirm prior interpretations of the GDPR’s territorial application under Article (3)(1), and offer essential guidance with respect to the GDPR’s – heavily debated – extraterritorial application under Article (3)(2). The GDPR applies to companies established in the EU as well as companies outside of the EU that are “targeting” individuals in the EU (by offering them products or services) or monitoring their behavior (as far as that behavior takes place in the EU).
The proposed Guidelines are open for public consultation until January 18, 2019. It remains to be seen whether and how any outstanding issues will have been addressed upon conclusion of the consultation. (more…)
Former Department of Homeland Security Chief Privacy Officer Hugo Teufel III and Sidley’s Edward McNicholas addressed a packed room on Chinese Cybersecurity Law at the 2018 Privacy + Security Forum hosted at George Washington University. The timely presentation highlighted how, with significant attention in the past few years focused on the GDPR, many have not fully appreciated the significant policy and legal developments coming out of Beijing. In particular, China has been creating a materially different approach to cybersecurity which serves the central purpose of defending the Chinese notion of cyber sovereignty. Much uncertainty remains about the newly-effective laws and regulations, but it is clear that foreign technology and other companies operating in China should rapidly focus on its significant restrictions on outbound data transfer, the expansive definitions of “important data”, as well as reviews of network equipment security. Their presentation is available here.
* This article originally appeared in Law360 on September 27, 2018.
On September 26, the Senate Commerce Committee invited tech and telecom companies to the Hill to discuss safeguards for consumer data privacy. “The question,” noted Chairman John Thune, “is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take.” The Senators and testifying witnesses expressed strong support for a comprehensive federal privacy law. (more…)
*This article first appeared in the Washington Post on September 26, 2018.
In a recent piece for Washington Post Outlook, Chris Fonzone and Josh Geltzer (from the Georgetown Law Center’s Institute for Constitutional Advocacy and Protection) explained why a legal case that began with a dispute between a Loudoun County supervisor and a constituent may help set a new standard for online interaction nationally:
A legal case that began with a dispute between a member of the Loudoun County Board of Supervisors and a constituent may help to set the rules for how government officials — up to and including President Trump — interact with the public online. A federal appeals court in Richmond will hear the case this week, and, while the stakes of the conflict may seem small at first — one man was banned for a day from an official’s Facebook page — it has potentially enormous First Amendment implications. (more…)
An increasing number of eyes are now turning to the U.S. Congress to see how it will react to these developments, and Data Matters – and the privacy community generally – will thus be closely watching the Senate Committee on Commerce, Science, and Transportation on Wednesday, September 26, 2018, when it hosts a hearing titled “Examining Safeguards for Consumer Data Privacy.” (more…)
*This article first appeared in the July 2018 issue of Digital Health Legal
Massive data breaches. Threats to medical devices. The Internet of Persons. Healthcare entities are all too familiar with the rising cyber threat. But they are also familiar with the complex array of laws and regulations in the United States that attempt to address the threat and the potentially significant compliance costs and risks caused by that complexity. The US Court of Appeals for the Eleventh Circuit’s recent and long-awaited decision in LabMD v. Federal Trade Commission, which trimmed the sails of one of the primary regulators of the healthcare information security landscape, may thus appear to some, at first blush, to be a necessary corrective. Yet closer inspection shows that the Eleventh Circuit’s decision raises more questions than it answers – and that its true implications will only become clear once we see how federal regulators, the courts, and perhaps Congress respond.
On June 25, the United States Court of Appeals for the First Circuit in Cullinane v. Uber Technologies, Inc., __ F.3d __, 2018 WL 3099388 (1st Cir. 2018), evaluated the enforceability of arbitration provisions in online contracts. The First Circuit found Uber’s arbitration provision, which contained a class action waiver, unenforceable because Uber did not make its terms of service sufficiently conspicuous. Cullinane highlights the importance of obtaining customers’ affirmative consent to an online contract and reaffirms that conspicuousness of the arbitration agreement and the form of assent that retailers require from consumers remain paramount.
On 28 May 2018, the European Data Protection Board (the “EDPB”) released a statement on the revision of the ePrivacy Regulation (the “proposed Regulation”) and its impact on the protection of individuals in relation to the privacy and confidentiality of their communications. It is the first statement of substance by the EDPB since it was established by the EU General Data Protection Regulation on 25 May 2018. The statement calls on the European Commission, Parliament and Council to work together to ensure a swift adoption of the proposed Regulation, which will replace the current ePrivacy Directive (the “Directive”).