New Mexico Data Breach Legislation Passes

Written by
New Mexico recently became the 48th state to pass some form of data breach notification legislation, leaving Alabama and South Dakota as the lone holdouts.  The Data Breach Notification Act was signed by New Mexico Governor Susana Martinez on April 6, 2017.  The law applies to persons that own or license personal identifying information of New Mexico residents, defined as an individual’s first name or first initial and last name in combination with a social security number, driver’s license number, government-issued ID number, account number plus security or access code or password, or biometric [...] Read more

New York Attorney General Announces Record Number of Data Breach Notices in 2016

Written by
On March 21, 2017, New York Attorney General (NYAG) Eric T. Schneiderman announced that his office had received a record breaking 1,282 data breach notices to his office affecting 1.6 million New York residents during 2016. Compared to 2015, these figures represent a 60 percent increase in the number of notices and a 300 percent increase in the number of New York residents affected. These research figures build on the NYAG’s 2014 report “Information Exposed: Historical Examination of Data Security in New York State,” which analyzed eight years of security breach statistics in New York from [...] Read more

ICO Seeks Extra Resources for GDPR Enforcement

Written by
On March 13, 2017, Elizabeth Denham, head of the UK data protection authority (“ICO”) publicly expressed her intention to massively recruit new personnel in an effort to be ready for the European (“EU”) general data protection regulation (“GDPR”). In a statement released on its website, the ICO announced its plan to recruit new personnel by May 2018, in light of the new responsibilities and enforcement powers granted to the ICO under the GDPR. Ms. Denham later told the press the ICO would hire approximately 200 persons. Interestingly, the ICO statement comes on the same day the [...] Read more

Germany Proposes Bill Requiring Social Network Takedowns – with € 50 Million Fines

Written by
Recent media reports indicated that Germany was considering legislation that would fine social networks for failing to combat fake news and hate speech.  Today, German Justice Minister Heiko Maas introduced a “Draft Law to Improve Law Enforcement in Social Networks” (abbreviated as the Network Enforcement Act (Netzwerkdurchsetzungsgesetz), or “NetzDG”).  The NetzDG aims to curb “hate-based criminality” in large social networks that have the potential to drive public opinion, and to improve law enforcement access to evidence held by social networks.  The Justice Department’s NetzDG [...] Read more

Italy Imposes Record Data Protection Fines

Written by
On March 10, Italy’s data protection authority, Il Garante per la protezione dei dati personali (the “Garante”), announced that it had ordered fines totaling more than €11 million on five companies operating in the money transfers sector for breach of Italian data protection law.   The sanctions have been described as the largest privacy fines ever imposed in the European Union. The Garante’s review grew out of an investigation by the Guardia di Financia, Italy’s financial police, of potential money-laundering violations by UK-based Sigue Global Service Limited (“Sigue”) and [...] Read more

UK Launches Public Consultation on GDPR Consent Guidance

Written by
The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, replacing UK’s Data Protection Act 1998 (DPA). It is yet unclear how Brexit will play out, yet in the meantime the United Kingdom is moving to adopt the GDPR principles so that it adequately protects the personal data transferred within the EU. The GDPR sets a high standard for consent and compliance, which means that companies must start preparing for this transition. The Information Commissioner’s Office (ICO) issued a guidance on GDPR consent on 2 March, explaining its recommended approach to compliance and [...] Read more

CNIL Launches Second Round of Public Consultation on GDPR

Written by
Last week, the French Data Protection Authority ("CNIL") launched the second round of a public consultation on the General Data Protection Regulation (“GDPR”).  The first public consultation was launched in June 2016 and addressed the requirements in the GDPR relating to data protection officers, data portability and privacy seals and certifications.  The outcome of the June 2016 consultation was integrated by the Consortium of the European data protection authorities (“WP29”) into WP29’s recent guidance. Similarly, the new public consultation launched by the CNIL is aligned with [...] Read more

Australia Adopts New Data Breach Notification Legislation

Written by
On February 13, 2017 Australia became one more among nation states adopting data breach notification legislation. In recent House and Senate votes, the Australian Parliament amended the Privacy Act 1988, introducing mandatory data breach notification requirements for entities regulated by the Privacy Act. Who is Subject to the New Legislation? The recent bill requires entities with revenue over $3 million AUD ($2.3 million USD) and certain credit reporting bodies and recipients of tax file number information to notify both the Australian Information Commissioner and affected individuals “as [...] Read more

Spanish Ministry of Justice Launches Public Consultation on GDPR

Written by and
On February 7, 2017, the Spanish Ministry of Justice launched a public consultation as a preliminary step before the drafting of a new bill implementing the General Data Protection Regulation (“GDPR”).  The press release clarifies that although the GDPR has direct effect in the European Member States, its implementation into Spanish law is not a straightforward exercise because (i) the obligations in existing data protection legislation need to be maintained or amended (as the case may be), and (ii) other sector specific laws containing provisions on data protection need to be updated.  A [...] Read more

Smart Television Manufacturer Settles by Paying $ 2.2 Million to the FTC and the State of New Jersey

Written by
The FTC and the State of New Jersey recently announced a settlement with Vizio, Inc., in the amount of $2.2 million for tracking consumer behavior using its smart television devices. The complaint alleged that Vizio acted unfairly by collecting, storing (indefinitely) and sharing consumer data with third parties without consent and in an unexpected manner. Further, the complaint alleged that Vizio had misrepresented the functionality of the feature in their smart televisions that collected such data (also known as “Smart Interactivity”). It was also alleged that these practices were an unconscionable [...] Read more