On October 11, 2018, the French data protection authority (the “CNIL”) announced that it adopted two referentials (i.e., guidelines) on the certification of the data protection officer (“DPO”). View the announcement (in French). As a practical matter, both referentials are intended to apply to DPOs located in France or who speak French. The referentials include: Continue Reading CNIL Adopts Referentials on DPO Certification

On October 5, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP hosted a workshop on how to implement, demonstrate and incentivize accountability under the EU General Data Protection Regulation (“GDPR”), in collaboration with AXA in Paris, France. In addition to the workshop, on October 4, 2018, CIPL hosted a Roundtable on the Role of the Data Protection Office (“DPO”) under the GDPR at Mastercard and a pre-workshop dinner at the Chanel School of Fashion, sponsored by Nymity. Continue Reading CIPL Hosts Workshop on Accountability Under the GDPR in Paris

On September 26, 2018, the SEC announced a settlement with Voya Financial Advisers, Inc. (“Voya”), a registered investment advisor and broker-dealer, for violating Regulation S-ID, also known as the “Identity Theft Red Flags Rule,” as well as Regulation S-P, the “Safeguards Rule.” Together, Regulations S-ID and S-P are designed to require covered entities to help protect customers from the risk of identity theft and to safeguard confidential customer information. The settlement represents the first SEC enforcement action brought under Regulation S-ID. Continue Reading SEC Fines Broker-Dealer $1 Million in First Enforcement Action Under Identity Theft Rule

The U.S. Department of Commerce’s National Institute of Standards and Technology recently announced that it is seeking public comment on Draft NISTIR 8228, Considerations for Managing Internet of Things (“IoT”) Cybersecurity and Privacy Risks (the “Draft Report”). The document is to be the first in a planned series of publications that will examine specific aspects of the IoT topic. Continue Reading NIST Seeks Public Comment on Managing Internet of Things Cybersecurity and Privacy Risks

Recently, the French Data Protection Authority (“CNIL”) published its initial assessment of the compatibility of blockchain technology with the EU General Data Protection Regulation (GDPR) and proposed concrete solutions for organizations wishing to use blockchain technology when implementing data processing activities. Continue Reading CNIL Publishes Initial Assessment on Blockchain and GDPR

On September 27, 2018, the Federal Trade Commission announced a settlement agreement with four companies – IDmission, LLC, (“IDmission”) mResource LLC (doing business as Loop Works, LLC) (“mResource”), SmartStart Employment Screening, Inc. (“SmartStart”), and VenPath, Inc. (“VenPath”) – over allegations that each company had falsely claimed to have valid certifications under the EU-U.S. Privacy Shield framework. The FTC alleged that SmartStart, VenPath and mResource continued to post statements on their websites about their participation in the Privacy Shield after allowing their certifications to lapse. IDmission had applied for a Privacy Shield certification but never completed the necessary steps to be certified. Continue Reading Four Companies Settle FTC Allegations Regarding False EU-U.S. Privacy Shield Certifications

On September 25, 2018, the French Data Protection Authority (the “CNIL”) published the first results of its factual assessment of the implementation of the EU General Data Protection Regulation (GDPR) in France and in Europe. When making this assessment, the CNIL first recalled the current status of the French legal framework, and provided key figures on the implementation of the GDPR from the perspective of privacy experts, private individuals and EU supervisory authorities. The CNIL then announced that it will adopt new GDPR tools in the near future. Read the full factual assessment (in French). Continue Reading CNIL Publishes Initial Assessment of GDPR Implementation

As reported in BNA Privacy Law Watch, the Office of the Privacy Commissioner of Canada (the “OPC”) is seeking public comment on recently released guidance (the “Guidance”) intended to assist organizations with understanding their obligations under the federal breach notification mandate, which will take effect in Canada on November 1, 2018.  Continue Reading Canadian Regulator Seeks Public Comment on Breach Reporting Guidance

On September 4, 2018, the Department of Commerce’s National Institute of Standards and Technology (“NIST”) announced a collaborative project to develop a voluntary privacy framework to help organizations manage privacy risk. The announcement states that the effort is motivated by innovative new technologies, such as the Internet of Things and artificial intelligence, as well as the increasing complexity of network environments and detail of user data, which make protecting individuals’ privacy more difficult. “We’ve had great success with broad adoption of the NIST Cybersecurity Framework, and we see this as providing complementary guidance for managing privacy risk,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. Continue Reading NIST Launches Privacy Framework Effort

On August 31, 2018, the California State Legislature passed SB-1121, a bill that delays enforcement of the California Consumer Privacy Act of 2018 (“CCPA”) and makes other modest amendments to the law. The bill now goes to the Governor for signing. The provisions of the CCPA will become operative on January 1, 2020. As we have previously reported, the CCPA introduces key privacy requirements for businesses. The Act was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. The CCPA’s hasty passage resulted in a number of drafting errors and inconsistencies in the law, which SB-1121 seeks to remedy. The amendments to the CCPA are primarily technical, with few substantive changes. Continue Reading CCPA Amended: Enforcement Delayed, Few Substantive Changes Made