Privacy and Data Security

Privacy and data security continue to make headlines and this time the waves are coming from the European Court of Justice (i.e., the highest court of the European Union). Without comprehensive U.S. federal privacy legislation, it is of little to no surprise (albeit disappointing) that the European Court of Justice (the “Court”) invalidated the EU-U.S. Privacy Shield Framework because it failed to impose appropriate safeguards with respect to the transfer of personal data located in Europe to the United States.

 

What is Privacy Shield and What Happened to Change it?

The EU-U.S. Privacy Shield Framework (“Privacy Shield”), as stated on the official government website, “was designed by the U.S. Department of Commerce and the European Commission…to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union…to the United States in support of transatlantic commerce.”


Continue Reading European Court of Justice Invalidates EU-U.S. Privacy Shield and Upholds Standard Contractual Clauses

On June 1, 2020, the Office of the California Attorney General (AG) announced it submitted a final CCPA proposed regulations package to the California Office of Administrative Law (OAL). The final proposed regulations package includes no new changes to the second round of modified regulations published on March 11, 2020.

This final proposed regulations package also includes a request for expedited review. Generally, OAL has 30 working days to review and approve proposed regulations. But a California executive order issued in response to Covid-19 now permits OAL to take an additional 60 calendar days if necessary.
Continue Reading On Day of Unprecedented Civil Disturbances During a Pandemic, California AG Submits Finalized CCPA Regulations Package Unmodified Over Last Two Months.

Previously, my colleague Tanya Forsheit wrote a cautionary tale, “A Big Zooming Mess,” about the Zoom video conferencing service whose rise in popularity also brought increased scrutiny of its privacy and data security practices. That scrutiny came not just from media outlets and consumers, but also from government agencies such as the New York Attorney General and New York City Department of Education. The entire FKKS Privacy and Data Security team even had a round-table discussion (over WebEx) to unpack all the issues (recording available here). Now, both the New York Attorney General and the New York City Department of Education announced that they reached coordinated but independent agreements with Zoom to address various privacy and security issues, and paving the way for NYC DOE educators to resume using Zoom for virtual classroom instruction. This post looks at the terms of the NY AG agreement and discusses some of its key takeaways.

Continue Reading Zoom Reaches Agreement with New York Attorney General to Resolve Privacy and Security Issues

On April 29, 2020, Google and Apple released the first version of their COVID-19 contact tracing tools to public health organizations. The tools, first announced by the companies on April 10th, aim to help public health agencies build apps to track and contain the virus. This article discusses how the contact tracing tools work, the planned two-phase implementation for the tools, and some of the privacy questions around the tools.

How Do the Tools Work?

“Contact-tracing” is not a new concept. The concept is that a society can limit the spread of a virus by tracing whom a person who has tested positive with a virus has recently come in contact with, and notifying those individuals to further prevent the spread of the virus. For example, if John tests positive for the virus and visits a grocery store, part of the contact tracing process would be to find and notify those individuals who came close to him in the grocery store. As you can imagine, contact tracing has historically been a laborious and inaccurate process that requires a manual review of an infected person’s interactions.

Google and Apple’s partnership aims to dramatically improve the contact tracing process by using Bluetooth technology within an infected person’s cell phone to determine whom the person has interacted with and notifying those other people. The partnership is particularly notable because it involves the creation of shared standards between two tech giants that rarely allow for any interoperability. Below is an example of how the tools work:
Continue Reading Google and Apple Release First Version of Contact Tracing Tools

Authored by Shely Berry and Amy Lawrence.

The creativity with which people around the world have responded, and continue to respond, to this pandemic in addressing the needs of others is remarkable. Virtual educational services, or “EdTech”, are one of the most visible needs as schools around the world transition to online learning. Many companies are highlighting the educational aspects of their current products and services or creating entirely new products and services that fall squarely within the EdTech industry. The goal: to assist those who now find themselves trying to figure out how to be safe at home, “teach children,” and focus on the ninety-nine other tasks that have to be completed at the exact same time.

It’s one thing if you made your online guitar lessons free for a general audience (thank you, Fender), but another if you provide products and services for educational purposes. You may find yourself subject to several state and federal privacy laws. At least 40 states have one or more such laws.

This blog post highlights the state laws that regulate the EdTech industry by aligning with California’s 2014 law, known as the Student Online Personal Information Protection Act (“SOPIPA”). Twenty-four states and the District of Columbia have SOPIPA-type laws aimed at limiting the use of personal information (and similarly defined terms) collected from students through EdTech products or services.
Continue Reading When it Comes to Virtual Learning, Privacy Isn’t as Easy as 2 + 2 = 4

The start of 2020 did not just bring us the effective date of the California Consumer Privacy Act (CCPA). It also lead to several state legislators introducing their own versions of potentially ground-breaking privacy and data security laws. Each law has nuances that will likely result in a compliance nightmare, particularly if all or most of the states and territories enact their own law. However, each also appears on its face to riff on either the EU’s General Data Protection Regulation (GDPR) or the CCPA.

The chart below provides a list (current as of April 14, 2020) of proposed state privacy legislation that could still be enacted this session. The purpose of the chart is to provide the broad strokes of each proposed law, show their similarities, and highlight key differences. The question is whether the GDPR and/or CCPA actually provide the most appropriate models to emulate? The CCPA is perceived and touted by many as the first and most comprehensive privacy and data security law of its kind in the US, but we can’t help but wonder: does first necessarily mean best?

States that considered but ultimately chose not to pass proposed privacy legislation in 2020 include: Florida, Maryland, Virginia, Washington, and Wisconsin.
Continue Reading What’s the Deal with the Other State Privacy Bills?

On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. The settlement comes as no surprise to the privacy community – Facebook has been closely scrutinized by the public and regulators since the Cambridge Analytica data incident in March 2018 and indicated to investors earlier this year that it anticipated a fine from the FTC between $3 and $5 billion.

We have read the complaint, settlement, and press releases issued by the FTC and Facebook, and provide our thoughts below on what it means for business:
Continue Reading Business Takeaways from the FTC $5 Billion Settlement with Facebook

The California Assembly had a busy May hearing amendments that might clarify (or further muddy) the California Consumer Privacy Act (“CCPA”). With four new bills approved by the Assembly in the final week of the month, May saw a total of 10 CCPA-related bills pass through the Assembly and on to the Senate. We covered a number of these in our last update. Here’s a rundown of the 10 bills:
Continue Reading CCPA ABs – the Latest Alphabet Soup

On May 29, 2019, Nevada’s SB 220[1] became law, amending Nevada’s Privacy Law (2017).[2] The existing Nevada Privacy Law is similar to California’s Online Privacy Protection Act (2004), by requiring a conspicuously posted privacy policy. The new SB 220 resembles the new California Consumer Privacy Act (“CCPA”) but is more narrow in application and scope.


Continue Reading Nevada’s New Privacy Law Has Data Sale Opt-Out Rights

The Office of the California Attorney General (AG) made its fourth stop on its statewide California Consumer Privacy Act listening tour, holding in Los Angeles a public forum on the CCPA. The forums invite public comment as the AG prepares regulations for implementing and enforcing the law. Although the AG specifically requested comment on the seven areas identified in the law for the AG’s regulation,[1] it was clear that some categories caught the attention of the public more than others. And even though the forum was structured to allow participants to provide ideas and suggestions (the AG did not respond to comments or questions presented), most commentators asked for clarity and specific direction from the AG regulations, to help decipher the reach of CCPA and its compliance obligations.


Continue Reading Attorney General Holds Public Forum on CCPA