Though all may be quiet on New Year’s Day, January 1, 2020, is the compliance date for the California Consumer Privacy Act of 2018 (“CCPA”). On the cusp of a new decade, we enter a new era of privacy rights.

The CCPA is now in effect, but the California Attorney General cannot begin enforcement until July 1, 2020. We want to congratulate everyone on their hard work this past year and a half.

If you watched the ball drop in New York City last night, we hope you can say that you didn’t drop the ball on CCPA compliance. They say hindsight is always 20/20. CCPA compliance can be your New Year’s resolution.

Canadian Prime Minister Justin Trudeau has signaled his intent to overhaul data privacy within Canada. Prime Minister Trudeau recently sent a Mandate Letter to Navdeep Bains, the Minister of Innovation, Science and Industry, that contained a number of mandates with respect to data privacy. Specifically, the Mandate Letter states that Minister Bains is expected to work with the Minister of Justice, Attorney General of Canada and the Minister of Canadian Heritage to advance Canada’s Digital Charter and enhance powers for the Privacy Commissioner, in order to establish a new set of online rights, including:

  • data portability;
  • the ability to withdraw, remove and erase basic personal data from a platform;
  • the knowledge of how personal data is being used, including with a national advertising registry, and the ability to withdraw consent for the sharing or sale of data;
  • the ability to review and challenge the amount of personal data that a company or government has collected;
  • proactive data security requirements;
  • the ability to be informed when personal data is breached with appropriate compensation; and,
  • the ability to be free from online discrimination including bias and harassment.

Continue Reading Canada Signals Overhaul of Data Privacy

On December 12, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) released its draft 2019-2025 Strategic Plan (the “Draft Plan”). In the Draft Plan, the Belgian DPA describes its vision for the years to come, defines its priorities and strategic objectives and lists the necessary means to achieve its objectives.

Continue Reading Belgian DPA Releases Draft 2019-2025 Strategic Plan

On December 19, 2019, the members of the Permanent Representations of EU Member States to the Council of the European Union (“the Council”) published a draft position on the application of the General Data Protection Regulation (“GDPR”). After the draft position has been formally adopted by the Council, it will be provided to the European Commission. This is part of the GDPR evaluation process under Article 97 of the GDPR, which requires the European Commission to publish a report on the evaluation and review of the GDPR by May 25, 2020.

Continue Reading EU Council’s Draft Position on the Application of the GDPR

On December 12, 2019, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. Under the terms of the settlement, Korunda Medical, LLC, agreed to pay $85,000 to settle a potential violation of HIPAA’s right of access.

Continue Reading OCR’s Second Settlement Under HIPAA Right of Access Initiative

The U.S. Department of Education and the U.S. Department of Health and Human Services released joint guidance on the application of the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule to student records. This is the first update to the agencies’ guidance since it was issued in 2008. The 27-page document includes FAQs clarifying for schools, health care professionals and families how FERPA and HIPAA apply to student education and health records. The FAQs answer which rule applies in particular circumstances, and what information can be shared, for example, when dealing with an adult student, a minor with a mental health condition or one who presents a danger to one’s self or others. The FAQs also address when educational institutions can disclose personal information from a student’s records, including health records, to the institution’s law enforcement officials or to the National Instant Criminal Background Check System.

On December 18, 2019, the House Energy and Commerce Committee released a bipartisan staff-level draft privacy bill (“the bill”). While comprehensive in scope, much of the key language in the bill was left in brackets, meaning the two sides have not yet reached a compromise on final language.

Continue Reading House Energy and Commerce Committee Staff Release Bipartisan Draft Privacy Bill

On December 19, 2019, the Advocate General of the Court of Justice of the European Union (the “CJEU”) handed down his opinion in the so-called “Schrems II” case (case C-311/18). He recommended that the CJEU uphold the validity of the Standard Contractual Clauses (“SCCs”) as a mechanism for transferring personal data outside of the EU. Given that SCCs are the key data transfer mechanism used by many organizations to transfer personal data outside of the EU, the opinion has far-reaching repercussions and will be welcomed by businesses across the globe.

Continue Reading Advocate General Upholds Validity of Standard Contractual Clauses in Schrems II Case

On December 9, 2019, the Federal Trade Commission announced that online fax services do not fall under legal prohibitions against junk faxes. In a petition filed in 2017 for declaratory judgement brought by AmeriFactors Financial Group, LLC pursuant to the Telephone Consumer Protection Act (“TCPA”) and the Junk Fax Protection Act  (“JFPA”), the petitioner sought clarification regarding the status of online cloud-based fax services.

Continue Reading FTC Announces TCPA Junk Fax Prohibitions Do Not Apply to Online Faxes

On December 11, 2019, an updated version of India’s draft data privacy bill was introduced in the Indian Parliament (the “Draft Bill”) by the Ministry of Electronics and Information Technology (“MeitY”). The Draft Bill updates a prior version submitted to MeitY in July 2018.

Continue Reading India’s Draft Data Privacy Bill Introduced in Parliament