Last week, the Federal Trade Commission granted a petition by Sears Holding Management seeking modification of a 2009 Commission Order. The notable 2009 Order settled allegations that Sears had improperly failed to provide notice regarding data collection by certain software the company offered to consumers. Sears argued that the 2009 Order placed it at a “competitive disadvantage” in the mobile application marketplace. The now-modified Order enables Sears to conduct certain “consumer-expected” forms of data collection and use without requiring heightened notice or consent under the 2009 [...] Read more
About this time last January, the European Parliament released its proposal for a new ePrivacy Regulation. The intent of the ePrivacy Regulation is to replace the current ePrivacy regime – which consists of an ePrivacy Directive and a patchwork of local implementing legislation – with a uniform set of directly-applicable EU-wide rules. Since the Parliament released its ePrivacy Regulation draft, both the European Council and the European Parliament have reviewed it and released their own revised drafts.
The ePrivacy Regulation contains a number of important rules for companies. Traditionally, [...] Read more
In what it considered “an unusual case” (available here), the Irish High Court has referred the issue of the way data is transferred between the EU and countries outside the EU to the Court of Justice of the European Union (“CJEU”). Ms. Justice Caroline Costello will ask the CJEU for a preliminary ruling on the validity of the Standard Contractual Clauses (“SCCs”) as an adequate data transfer mechanism. Justice Costello did not comment on the laws of the EU or the US, but rather on the validity of SCCs as a data transfer measure between the EU and the US.
The case arose from a complaint [...] Read more
Japan’s Act on Protection of Personal Information currently in force (“Current APPI”) dates back to 2003. It was originally enacted on May 30, 2003, and came into effect in 2005. Ten years later, the National Diet passed extensive reforms to modernize the Current APPI in September, 2015. Although the Amended Act on Protection of Personal Information (“Amended APPI”) has been partly in effect, it will come fully into effect on May 30, 2017.
It is important to note that the Amended APPI applies to “personal information handling business operators” which is defined as a person [...] Read more
The Federal Trade Commission (FTC) recently released its staff report on Cross-Device Tracking.
Cross-device tracking refers to the tracking of consumer activity across multiple devices such as smartphones, desktops, tablets and other connected devices. It helps companies understand consumer behavior better. The tracking can be deterministic (where a user logs into multiple devices affirmatively identifying the device as his/hers) or probabilistic (companies infer cross-device activity using factors like common IP address). Benefits include account security, fraud detection, targeted advertising [...] Read more
On July 14, 2016, the Federal Trade Commission (FTC) announced that it had issued warning letters to 28 companies regarding their claim of participation in the Asia Pacific Economic Cooperation Cross Border Privacy Rule (APEC CBPR) system. The APEC CBPR system is a voluntary, enforceable mechanism that certifies a company’s compliance with the principles in the APEC CBPR and facilitates privacy-respecting transfers of data among APEC member economies.
The warning letter states the FTC’s records do not indicate these companies have taken the requisite steps to be able to claim participation [...] Read more
On June 29, 2016, the Federal Trade Commission (FTC) announced it had approved a final order resolving the complaint against Vipvape, a manufacturer of hand-held vaporizers. The complaint alleged Vipvape misrepresented its practices on the website related to Vipvape’s participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system when, if fact, Vipvape was not certified to participate in the APEC CBPR system.
In the Analysis of Proposed Consent Order to Aid Public Comment, the FTC explained that the APEC CBPR system is a voluntary, enforceable mechanism [...] Read more
One of the most important EU legislative initiatives in recent years, and a landmark in privacy regulation worldwide, the GDPR is set to replace the Data Protection Directive (95/46/EC) of 1995. After the Council of Ministers accelerated the voting timetable for GDPR passage and the Parliament approved the GDPR in an up-or-down vote, all eyes were on the GDPR’s publication to begin setting compliance timetables.
Today, the final and as-approved version of the GDPR was published in the EU’s Official Journal. The Official Journal version of the GDPR can be downloaded here.
With that, [...] Read more
Last week, we reported that the Council of Ministers accelerated the timetable for passage of the General Data Protection Regulation (GDPR). The European Parliament followed suit and approved the GDPR this morning.
As a result, the GDPR is now officially adopted and will become the law of the land in the EU. The GDPR will be published either this month or next in the Official Journal of the European Union. Twenty days after its publication, it will enter into force – i.e. either in May or June 2016. As soon as the GDPR enters into force, its two-year clock for bringing business operations [...] Read more
Several hours after holding a closely-watched press conference we reported on yesterday, the Article 29 Working Party (“Art. 29 WP”) released its highly anticipated formal opinion on the adequacy of Privacy Shield.
Background
The European Commission has put forth a draft “adequacy decision” in which it declares that on the basis of Privacy Shield, the United States offers data protection that is essentially equivalent to that offered in the EU. If adopted, this adequacy decision would permit data transfers to US companies that agree to abide by the Privacy Shield principles. The [...] Read more
