Although South Africa’s first comprehensive piece of data protection legislation, the Protection of Personal Information Act (POPIA), was originally signed into law in November 2013, the substantive provisions of the law have not yet taken legal effect. That is likely to change since South Africa’s data protection authority, the Information Regulator, published the final draft of its POPIA regulations… Continue Reading
A number of legislative proposals seeking to amend the California Consumer Privacy Act (CCPA) are moving forward following an April 23 hearing before the California Assembly’s Committee on Privacy and Consumer Protection in which the bills were approved. The bills will now advance to the Assembly’s Appropriations Committee before being voted on by the full Assembly and potentially advancing to … Continue Reading
The European Data Protection Board (EDPB) has adopted the narrowest possible interpretation of ‘contractual necessity’ as a ground for processing of personal data. The Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects (adopted on April 9, 2019 and open for consultation until May 24, … Continue Reading
As we head towards 2020, it’s time once again for the decennial U.S. national Census – one of the broadest data collections that the United States federal government undertakes to learn more about its citizens, recalibrate Congressional districts, allocate public funding, and deliver critical public services. But the government’s ability to conduct the upcoming Census is under threat from an … Continue Reading
2018 was a momentous year for data protection and cyber security regulation globally – the implementation of the European Union’s General Data Protection Regulation (GDPR) was, of course, the main event. The shockwaves of GDPR hit APAC with full force, coupled with the … Continue Reading
In a decision dated March 1st, 2019, the Paris Court of Appeal reminded that specific conditions must be met for hosting providers to be held liable in case of unlawful content. The French court also ruled that hosting providers are not data controllers per se and, as such, are not subject to obligations under the Data Protection Act.
In this … Continue Reading
The President of the Personal Data Protection Office in Poland (Polish DPA) imposed a fine amounting to PLN 943,470 (approximately EUR 220,000; approximately USD 245,977) for failing to fulfil the company’s transparency obligations towards over six million data subjects under Article 14 of Europe’s General Data Protection Regulation (GDPR).
This is the first fine imposed by the Polish DPA under … Continue Reading
It’s no secret that a hot topic, perhaps the hot topic, in the European data protection world at present is the interplay between the GDPR and the e-Privacy Directive, in particular how it affects online advertising involving cookies. The European Data Protection Board recently released an opinion on this topic (as we discuss here), and on 21 March the … Continue Reading
The Consumer industry is evolving at lightning speed, and the way consumer companies operate is shifting. From issues in supply chain to the digitalization of the consumer experience, companies are rapidly changing to keep up with consumer demands. Last year businesses in the consumer industry saw a wave of unprecedented disruption and transformation, and 2019 promises challenges of similar or … Continue Reading
On 14 March 2019, the Dutch data protection authority (Autoriteit Persoonsgegevens, DPA) announced (in Dutch) its fining structure for violations of the European General Data Protection Regulation (GDPR) and the Dutch law implementing the GDPR (Implementation Act).
The GDPR sets two levels of administrative fines that may apply depending on which GDPR provisions have been infringed: The higher of €10 … Continue Reading
The European Telecommunications Standards Institute (ETSI) has published a new standard for cybersecurity in relation to consumer IoT products. The standard builds on the UK’s Code of Practice for Consumer IoT Security, published in October last year. The Code of Practice was developed by the UK Government following publication of a draft code as part of the Secure by … Continue Reading
Many companies have been struggling with GDPR implementation over the past two years, putting much effort into new roles, privacy concepts, and workflows. Now that the dust of the immediate GDPR compliance rush is settling, the first details of fines imposed under the GDPR and the number of cases pending with Data Protection Authorities (DPAs) in Europe are being made … Continue Reading
Article 83 of the GDPR provides for two levels of administrative fines: a lower level – maximum of €10 million or 2% of the global turnover – for violations relating to record-keeping, data security, data protection impact assessments, data protection by design and default, and data processing agreements; and a higher level – maximum of €20 million or 4% of … Continue Reading
Since publishing the original version of our guide to blockchain and data protection in September 2017, there has been considerable further commentary from academics, politicians and practitioners, some of which suggested that there is inherent incompatibility of blockchain systems with EU data protection law.
The Brazilian General Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”), passed by Congress on 14 August 2018, will come into effect on 15 February 2020. The new data protection law significantly improves Brazil’s existing legal framework by regulating the use of personal data by the public and private sectors. Very similar to the General Data Protection … Continue Reading
The European Parliament has adopted a non-legislative resolution on distributed ledger technologies (DLTs) and blockchains. In the resolution, which was adopted last month, the Parliament emphasised that the EU has an opportunity to become “the global leader” in the field of DLT and to be a “credible actor” in shaping its development and markets globally. The resolution discusses potential … Continue Reading
An ever increasing variety of companies are incorporating machine learning into their products and services. Machine learning provides the ability to quickly and accurately perform, in parellel, a large number of well-defined tasks. The accuracy will improveover time as additional data is obtaied and the machine learning model continues to “learn”. Many companies, however, are struggling with the best way … Continue Reading
This is the fifth installment in Hogan Lovells’ series on the California Consumer Privacy Act.
As the most comprehensive privacy law to be enacted in the United States thus far, the California Consumer Privacy Act (CCPA) has inevitably invited comparisons to the European Union’s General Data Protection Regulation (GDPR). At first glance, it is clear that the drafters of the … Continue Reading
This is the fourth installment in Hogan Lovells’ series on the California Consumer Privacy Act
This post discusses litigation exposure that businesses collecting personal information about California consumers should consider in the wake of the California Legislature’s passage of the California Consumer Privacy Act of 2018 (CCPA).
For several years, the plaintiffs’ bar increasingly has relied on statutes like the … Continue Reading
In stark contrast to the rapid development of e-commerce in China, it has taken nearly five years and no less than four drafts for China to finalise its first e-Commerce Law. The new law will enter into force on 1 January 2019.
This new law has a remarkably broad scope, encompassing many aspects of e-commerce, including, for example, e-payments, … Continue Reading
We have heard the California Consumer Privacy Act of 2018 (CCPA) called all these things and more since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy.
We will explore the ramifications for businesses of this seminal legislation … Continue Reading
On 4 September, the Legislative Decree no. 101 of 10 August 2018 (the “Decree”) for the national implementation of General Data Protection Regulation (EU) 2016/679 (the “GDPR”) has been published in the Official Journal. The approach of the legislator was to maintain the structure of former Legislative Decree 196/2003 (the “Privacy Code”) which, however, has been extensively amended and … Continue Reading
India’s Committee of Experts, under the chairmanship of Justice B.N. Srikrishna (the Srikrishna Committee), has submitted a draft Data Protection Bill (the Bill) for review by the Ministry of Electronics and Information Technology. The Srikrishna Committee tabled the Bill alongside a report entitled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians” (the committee report).
India Charts its … Continue Reading
Over the past few years, there has been a surge in class actions challenging companies’ privacy and data security practices. But, while the number of class actions continues to grow, the suits face several significant challenges, have afforded limited relief to individual consumers, and have provided no coherent privacy standards in the US By comparison, the primary government regulator, the … Continue Reading