In December 2018, the New York Attorney General’s Office announced settlements with five companies operating mobile apps, including Equifax and Western Union. The N.Y. Attorney General stated that the companies failed to keep sensitive information secure on their mobile apps and have agreed to implement improved security controls. The settlements came following a data privacy initiative by the Attorney General’s Office to proactively identify security vulnerabilities before consumer information is breached. As part of this effort, the Attorney General’s Office tested dozens of mobile apps that collect sensitive information.
Rosenbach v. Six Flags Entertainment Corporation – Illinois Supreme Court Holds That a Technical Violation of Statutory Biometric Rights is Sufficient to Bring a Claim
On Friday, the Illinois Supreme Court ruled that in order to pursue a claim for $1,000 – $5,000 in statutory damages under the Biometric Information Privacy Act (BIPA) an individual need not plead or prove more than a technical violation of the statute. This decision opens the door to additional lawsuits under the only biometric law in the nation that allows for a private right of action.
European Union Adopts Adequacy Decision For Safe Data Flows With Japan
On January 23, 2019, the European Commission announced its decision to adopt adequacy status with Japan for transfers of personal data. Pursuant to the European Union’s (EU) General Data Protection Regulation (GDPR), this decision will allow personal data to flow freely between the 28 EU countries, three additional European Economic Area member countries (Norway, Liechtenstein, and Iceland), and Japan, without the need for additional data protection safeguards or derogations. Japan adopted an equivalent decision with the EU on January 22, 2019. These reciprocal findings of adequacy will create the largest area of safe data flows in the world.
Continue reading “European Union Adopts Adequacy Decision For Safe Data Flows With Japan”
California Attorney General’s Office Gathers Public Opinions Regarding the Implementation of the California Consumer Privacy Act
The California Department of Justice has opened up public forums this month as part of the Attorney General’s rulemaking process to promulgate regulations under the California Consumer Privacy Act of 2018 (CCPA). We previously discussed the Attorney General’s Office’s public statement regarding the CCPA here.
As required by the CCPA, the Attorney General must adopt certain regulations on or before July 1, 2020. In holding these public forums, the Attorney General’s Office hopes to provide an initial opportunity for the public to participate in establishing procedures to facilitate consumers’ rights under the CCPA and to provide guidance for business compliance. Specifically, the following aspects are of high priority: businesses’ obligation to disclose data collection and sharing practices to consumers; consumer rights to request deletion of data; consumer rights to opt out of having their personal information sold to third parties; and restrictions on the sale of personal information of consumers under the age of 16 without explicit consent. The Attorney General’s Office scheduled six public forums across different counties in California and invites in-person attendance or written submissions of public comments through February 2019.
Charges Connected to Hack of SEC’s EDGAR System Discussed in SECurities and Law Perspectives
Last week, the Department of Justice (“DOJ”) and the Securities & Exchange Commission (“SEC”) announced charges connected to a large-scale, international conspiracy to hack into the SEC’s Electronic Data Gathering, Analysis and Retrieval (“EDGAR”) system and profit by trading on stolen material, non-public information. The conduct underlying these cases was one of the principal reasons that the SEC created its Division of Enforcement “Cyber Unit” to target cyber-related securities fraud violations.
CNIL issues $57 million dollar fine under GDPR
Issues of lack of transparency and consent formed the basis of the CNIL’s $57 million dollar fine against Google under the GDPR. CNIL is France’s highest ranking data-privacy agency. It’s the first large penalty for a U.S. technology company since the GDPR went into effect last May.
Continue reading “CNIL issues $57 million dollar fine under GDPR”