On August 1, 2022, the Court of Justice of the European Union (CJEU) issued an opinion regarding a Lithuanian data protection case that may signal a broader interpretation of the definition of sensitive personal data under the EU’s General Data Protection Regulation (GDPR). Specifically, the CJEU found that data indirectly disclosing sexual orientation constitutes sensitive personal data.
At issue was a Lithuanian law that requires the Chief Official Ethics Commission of Lithuania to publish information about the private interests of public officials in an effort to combat corruption. In the facts underlying the case, a Lithuanian official objected to the Chief Official Ethics Commission’s online publication of his private interest information, which included his spouse’s name. The CJEU concluded that the publication of such information was prohibited by the GDPR because it was “liable to disclose indirectly the sexual orientation of a natural person,” a special category of personal data whose processing is generally prohibited under GDPR Article 9 (processing of special categories of personal data) unless certain additional conditions are satisfied, such as the data subject’s explicit consent or the processing being necessary for reasons of substantial public interest.
Continue reading “Court of Justice of the European Union Recognizes Inferred Special Categories of Personal Data”
A bipartisan group of legislators in Washington, D.C., recently released a discussion draft of a federal privacy bill — the American Data Privacy and Protection Act (ADPPA). This draft bill reaches compromise positions on two key issues that have been the largest obstacles to passing such legislation: state preemption and a private right of action. This discussion draft preempts most comprehensive state privacy laws and includes a narrow and limited private right of action. The compromises on these issues in the bill, however, are likely to draw criticism from both Democrats and Republicans, along with industry and privacy advocates.
Continue reading “Progress on Federal Privacy Legislation, but Still a Long Way to Go”
Recognizing that cyberattacks have already commenced and could spread beyond the Russian-Ukrainian battlefield, organizations can take several steps to protect themselves. First, they can recognize the risk. Then they can assess likely cyber threats and vulnerabilities, build resilience and take preventive actions to avoid becoming another casualty in a conflict that already has too many.
Continue reading “Capping Cyber Casualties: Steps to Avoid Cyberattacks Flowing From Hostilities in Ukraine”
The California Office of the Attorney General, under the leadership of new Attorney General Rob Bonta, has taken significant actions in recent weeks indicating that it is ramping up and potentially adding a new area of focus in its enforcement of the California Consumer Privacy Act. Read on for some important considerations for businesses.
Continue reading “A New Sheriff in Town: Enforcement of the CCPA Picks Up Under Bonta”