On Monday, May 22, the European Data Protection Board (EDPB) published a decision hitting Meta, parent of Facebook, WhatsApp, and Instagram, with a €1.2b ($1.3b) fine for impermissibly transmitting personal information from the European Economic Area (EEA) to the United States. The EDPB described Meta’s activities as “serious” and including “transfers that are systematic, repetitive, and continuous,” and it stated that the fine was intended to serve as a “strong signal to organizations that serious infringements have far-reaching consequences.”Continue Reading How Much Forgiveness Does $1.3 Billion Buy in the EU?

In between impeaching an Attorney General and creating a new type of business court, the 88th Texas Legislature passed the Texas Data Privacy and Security Act (TDPSA) (H.B. 4), which, once signed by Governor Abbott, will take effect July 1, 2024. State data privacy statutes generally track concepts in Europe’s General Data Protection Regulation (GDPR), including notices of data collection, data subject rights (knowing what data a business has, correcting it, deleting it, opting out of certain uses of personal data, etc.), and restrictions on use or transfer of personal data. Texas, which would join nine other states in enacting “comprehensive” data privacy regulations, has added some twists and traps for the unwary, particularly midsized businesses engaging in interstate commerce. Here are three notable features of the TDPSA.Continue Reading Texas Passes One of the Strongest Data Privacy Laws in the Nation

The United Kingdom may be headed for a major break from EU GDPR. In mid-2022, the UK began studying potential reform of GDPR. This was revived with the United Kingdom’s Data Protection and Digital Information (No. 2) Bill (Bill 265, 58/3), introduced on March 8, 2023. It includes 106 groups of line-item amendments to the General Data Protection Act 2018 (UK GDPR). Particularly significant is a modification to what qualifies “personal data” under the prior act (and the EU GDPR). Article 4(1) of GDPR (and present UK GDPR) sweeps into “personal data;”

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”

(emphasis added). Continue Reading UK GDPR Reform: A Bridge Too Far?

Among countless other disruptions, COVID-19 has raised important questions about the limits of data collection and highlighted the shortcomings of both the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). The pandemic has proven to be a black swan for which neither law nor its enforcement bodies are prepared—and which carries privacy-law implications that will persist long after the health crisis ends. Consequently, governments and businesses must work without meaningful existing guidance to strike a delicate balance between gathering the critical information needed to manage the virus and honoring the GDPR’s and CCPA’s stringent requirements.

Data Collection in Europe

The European Data Protection Board’s general guidance on how to collect data, in the context of COVID-19, leaves much room for interpretation. GDPR Articles 6 and 9 permit data collection without consent if the processing is necessary for the performance of a task carried out in the public interest. Although combating COVID-19 qualifies as a public interest need, it is unclear whether the collection methods employed, which vary by country, qualify as “necessary” under GDPR, or whether or to what extent those processes can sustain after the pandemic without violating the law. Each member state decides for itself how much intrusion is necessary, which invites comparisons to determine how far is far enough when gathering data in the public interest.
Continue Reading The Crisis Beyond the Crisis: How Data Tracking for COVID-19 Creates Privacy Issues That Will Persist Once the Pandemic Is Over

The California Consumer Protection Act (“CCPA”) was in effect for just over three months when the American economy stopped cold in the face of the COVID-19 global pandemic. Much effort was expended in the months before the January 1, 2020 effective date to ensure compliance with the CCPA which, like its European cousin, the General Data Protection Regulation (“GDPR”) aspires to protect data and personal information. But also like the GDPR, many anticipated enforcement by the California attorney general (scheduled to begin on July 1, 2020) to provide guidance on how the CCPA would be interpreted and applied. Then the world came to a halt. Literally. Notwithstanding, as discussed in our earlier post, the California Attorney General has signaled that businesses subject to the CCPA should not expect any delays in enforcement. To be clear, privacy concerns did not cease to exist because of the pandemic. These concerns simply took a back seat as the world focused on defeating the virus. But privacy rights may be moving to the forefront again with the advent of COVID-19 tracking applications under consideration by governments seeking to use this technology to contain the spread of the virus. Most recently, on April 10, 2020, Google and Apple announced a joint endeavor to use Bluetooth technology in conjunction with apps from public health authorities to allow contact tracing of those individuals affected with COVID-19. The system is supposed to ensure users’ privacy and operate only with valid consent. See also our recent blog post on Locating COVID-19 Without the Location Data. Although tracking technology is not new–other iterations were used to track other diseases such as the seasonal flu–its use here would be one of the first to be used in the CCPA era. And arguably, the need to comply with the CCPA–passed by referendum in one state–has affected the usefulness of contact tracing solutions in every state. The Apple-Google solution, for example, covers the vast majority of mobile devices and is likely to be the only solution agreed upon by these two companies. It skirts the need to handle geolocation data, reducing the regulatory footprint under the CCPA, but the very lack of geolocation data degrades the usefulness of this system to local governments for finding and locking down hotspots–and to users in avoiding them. Few, if any, privacy professionals envisioned that preparation for CCPA compliance needed to include protocols for responding to governmental requests for data in combatting a public health crisis. But here we are.
Continue Reading Will COVID-19 Finally Prompt a Federal Privacy Law?

Recently, Apple and Google – two of the world’s biggest tech firms–jointly devised a system of contact tracing for COVID-19. This contact tracing does not involve analyzing centralized data stores of personal data. Rather, it leverages a proximity technology most often seen in retail stores and shopping centers plus a peer-to-peer (P2P) communications concept that parallels methods explored for connected vehicles. The Apple-Google design is a fascinating departure from the conventional model of central collection and processing of personal data.

Coincidence… or Bluetooth?

You may have encountered mobile applications that have asked for Bluetooth access. Or you may have received what seems like a strangely coincidental promotional email as you have walked through the door of a store. This is not a coincidence; retailers frequently use Bluetooth, among other methods, to determine where a customer is standing in a store and to trigger promotions. This is not regulated in most of the United States. We normally think of Bluetooth as a way that a “master” device (a computer, car, or audio source, typically) can communicate with an “accessory” such as keyboards, mice, headphones, hands-free sets, etc. As most users encounter the technology, it is a matter of “pairing” one device with another. But Bluetooth can run under numerous profiles that transmit a variety of data types. GPS-free location tracking was largely enabled by Bluetooth LE, which allows the radio technology to run on a mobile device without creating an excessive battery drain. This eliminated a major inconvenience of prior versions of Bluetooth, and the practical effect is that it can remain “on” all the time. Many implementations of Bluetooth 4.0/LE allow range-finding between a transmitter and receiver. A store, for example, can determine where a customer is standing by measuring the distances from the visitor’s phone to sensors in the store.
Continue Reading Locating COVID-19 Without the Location Data

Cookies are the subject of much discussion in data regulation. If you visited a website that complies with the European General Data Protection Regulation (GDPR), you have seen the usual cookies popup. Maybe you wondered why this is necessary. At a basic level, the use of cookies is regulated by GDPR and the California Consumer Privacy Act (“CCPA”), and concerned site owners. Conventional knowledge (and in many cases practice) is that cookies should be disclosed—and that non-essential cookies, particularly those involved in advertising, require consent.

What exactly are cookies?

The “what” is known. The “why” is rarely discussed. The term “cookies” has its roots in magic cookies—identification tokens – in UNIX. Web cookies made their appearance in 1994 with Netscape Navigator 0.9 beta—in other words, the beta of the first commercialized web browser. This technology, which was once patented(!) involves data that is placed on a user’s computer in response to a user action. That information can then be read by the site later. It was first designed for use in shopping carts—so that a commercial website would not have to create an ID and store shopping selections unless and until a user decided to buy. Cookies were recognized by Internet Explorer 2 by 1995, they hit the media in 1996 in the Financial Times, and in the same year, the Federal Trade Commission began public hearings on them. Just as they have always been a part of the internet landscape, so have they been controversial. 
Continue Reading Understanding Regulation of Cookies

Congress’ 2,000-page Omnibus Spending Bill slipped in a trap for the unwary: a radical expansion of the reach of the Stored Communications Act, 18 USC §§ 2701-2712. The “Clarifying Overseas Use of Data Act,” aptly shorthanded as the CLOUD Act, successfully mooted the issue presented in the United States v. Microsoft Corp. case recently dismissed by the United States Supreme Court by instituting a new framework for cross-border discovery in criminal actions. Under the previous version of the Stored Communications Act (SCA), it was necessary to have a Mutual Legal Assistance Treaty (MLAT), essentially a treaty negotiated by a foreign nation and ratified by the Senate. The CLOUD Act, passed on March 23, 2018, allows authorities to bypass MLATs and gives law enforcement the ability to directly compel production of materials by a party storing its data abroad, as well as allowing foreign governments to access data stored in the U.S. 
Continue Reading A Storm Cloud on the Cross-Border Discovery Horizon

In 2017, the Cayman Islands passed the Data Protection Law (“DPL”), which reads much like the upcoming European Union General Data Protection Regulation (“GDPR”) that goes into effect Mary 25, 2018. The DPL applies to entities falling within the definition of “data controller” who are established in the Islands or who process data in the Islands. The DPL divides data into two categories, personal data and sensitive data. Certain information is exempt from the application of the DPL, such as data processed in connection with a corporate finance service.[1] The DPL gives individuals the right to access their information, object to processing, and the right to request their information be corrected or erased.

Continue Reading Cayman Islands Seek to Supplement Its Data Protection Law