On 29 July 2019, the Court of Justice of the European Union (CJEU) issued a decision in the Fashion ID case, a case referred to it by a German court. In this blog post we will focus on what this case means with regard to joint controllership when you have social media plug-ins on your

‘Privacy Shield’ certifications possible since August 1, 2016; Hamburg DPA aims to challenge ‘Privacy Shield’; EU Court rules on applicability of EU privacy laws to online companies; Pokémon Go violating EU Privacy Laws?; Norwegian DPA criticizes ‘Facebook at Work’; Advocate Health to Pay Largest HIPAA Settlement Ever; FTC Overrules LabMD Dismissal; Banner Health Cyberattack Affects 3.7M; HHS Announces Grant for Healthcare Sector Information Sharing Organization

Privacy Shield’ certifications possible since August 1, 2016

On Monday, August 1, 2016, the U.S. Department of Commerce has opened up the registration process for multinationals so that they can self-certify their compliance with the newly adopted ‘EU-U.S. Privacy Shield’ (‘Privacy Shield’) for transfers of personal data from Europe to the U.S.

The ‘Privacy Shield’, which had been formally approved via the European Commission’s adequacy decision on July 12, 2016, is replacing the formerly invalidated ‘U.S.-EU Safe Harbor’ Framework that had been struck down before the European Court of Justice in October 2015. The national Data Protection Authorities (‘DPAs’), in their function as Article 29 Working Party (‘WP29’), had also okayed the new Framework, by stating that they would not seek to challenge it “at least until the next annual review”.

Companies, who decide to sign up with the new framework as from now, may therefore rely on it at least until next May. For more details, see also our Client Alert on Privacy Shield as well as our previous week’s blog post.


Continue Reading

“Pokémon Go” Developer feels the heat over data collection; 2nd Circuit Ruling limits government’s access to data stored overseas; 9th Circuit CFAA Ruling increases Facebook’s control over its Users’ Data; Dutch Study reveals tension between EU Trade Deals and Data Protection

“Pokémon Go” Developer in Hot Water over Extensive Data Collection Practices

In early July, mobile game developer Niantic released “Pokémon Go,” a free-to-download “augmented reality” game for Android and iOS devices. In less than a week, the game had been downloaded by more than 15 million unique users, making the game’s launch one of the most widely-adopted in history. Privacy advocates soon raised serious questions about the game and its accompanying privacy policy, which until July 12 granted full access to users’ Google account data unless users opted-out of such permissions—prompting Niantic to issue its first update resolving the permissions issue.

On July 12, Senator Al Franken (D-MN) sent a letter to Niantic CEO John Hanke demanding the company explain in detail the types of data Niantic collects from players, why that data “in necessary for the provision or improvement of services,” and how the company plans to use the data gathered. Franken’s letter also questioned the company’s opt-out data collection practices, suggesting that “Niantic consider making this collection/access opt-in.”  Franken, who serves as the Ranking Member on the Senate Judiciary Committee’s Subcommittee on Privacy, Technology, and the Law, has in the past spoken out against similar practices by other mobile app developers, including Uber and Lyft. Mr. Hanke has until August 12 to respond to Sen. Franken’s questions.


Continue Reading

Adoption of Privacy Shield expected in early July; Federal Court limits VPPA liability; Belgian Court overturns Facebook fine; FTC robocall crackdown; A rare HIPAA criminal conviction; UK’s ICO fines Brexit campaigners for mass text messages; House report calls for national encryption commission.

European Commission expects adoption of Privacy Shield for beginning of July

European officials are hoping to finally formalize the “EU-U.S. Privacy Shield”, the cross-Atlantic data transfer pact aiming at replacing the formerly invalidated “U.S.-EU Safe Harbor” Framework, on July 5. The initial draft agreement has been amended to include new explanations of U.S. governmental entities and further limitations on the bulk collection of data and mass surveillance. The European Commission is now confident that also the Article 31 Committee will give its approval to the draft framework.

Many European Privacy regulators and EU bodies, such as the European Parliament and the European Data Protection Supervisor, had argued that the initial draft did not sufficiently protect the fundamental rights of European data subjects. The revised version now “only” allows bulk collection “exceptionally”, where targeted collection is “not feasible”, although it remains open how ‘feasibility’ should be determined.


Continue Reading

OCR Announces a Settlement … Again; HHS Eases Restrictions on Mental Health Information Sharing to Facilitate Gun Control Efforts; Facebook: Users Lack Standing in Cookie MDL; Plaintiffs Argue for Summary Judgment in $5 Million Twitter TCPA Suit

OCR Announces a Settlement … Again

For the second time this week, OCR announced another huge settlement. The

FTC Settles False Ad Claim with LifeLock for $100M; CISA Signed into Law; University of Washington Settles HIPAA Claims Arising from 2013 Data Breach; Senators Urge White House to Search Social Media Profiles During Visa Background Checks; FTC Announces COPPA Settlements with App Developers; Cybersecurity Enters the 2016 Presidential Race.

FTC Announces Staggering Sum in Settlement with LifeLock

The FTC announced Thursday that identity protection firm LifeLock would pay $100 million to settle allegations that it violated a 2010 federal court order requiring the firm to secure its customers’ personal data – the largest settlement ever reached by the FTC under an order enforcement action. The FTC alleged that LifeLock failed to maintain an adequate information security program and that the firm misled its customers into believing that LifeLock provided security protections tantamount to those offered by financial institutions.

Cybersecurity Bill Signed into Law

On Friday morning, Congress passed a sizeable omnibus spending bill with several policy riders, including the Cybersecurity Information Sharing Act of 2015 (“CISA”). Under CISA, any “non-federal entity” can now share information with federal government agencies “notwithstanding any other provision of law.” CISA also calls for information sharing portals whereby companies can send information to federal law enforcement authorities, and provides liability protections to those entities who voluntarily share cyber threat indicators or defensive measures with the government. President Obama signed the $1.8 trillion deal into law Friday evening.

Continue Reading

In conjunction with the 2015 American Bar Association annual State of Criminal Justice publication, Louisa Marion and I have published a new chapter on “Digital Privacy and E-Discovery in Government Investigations and Criminal Litigation.” The article provides an in-depth look at many of the current and cutting edge issues raised by digital privacy

One year ago, data broker Spokeo, Inc. asked the Supreme Court to reconsider the Ninth Circuit’s revival of a putative class action against it for willfully violating the Fair Credit Reporting Act (“FCRA”) by publishing personal information without notice.  This week, the Court heeded that request, granting certiorari.  In doing so, it has paved the way for yet another decision by the highest court on how the issue of standing plays out in the context of privacy violations.

Plaintiff Thomas Robins sued Spokeo under the FCRA after the data broker allegedly published false information about him without his knowledge.  Interestingly, Robins claims that the information falsely stated that he had more education than he actually did and that he was in a better financial position than he actually was.  But according to Robins’s complaint, these false facts made it more difficult for him to find employment, credit, or insurance and thus caused actual harm.  He seeks to represent a class of individuals whose personal information has been similarly misstated. 
Continue Reading

In just the last few years, most companies – big and small – have embraced the Bring Your Own Device (BYOD) movement at varying levels from allowing employees to access company email on their personal smartphones all the way to not issuing company-owned computers and instead having employees bring in their personal laptops to access