On February 21, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights entered into a resolution agreement and corrective action plan with Green Ridge Behavioral Health LLC. This marks the second such settlement with a HIPAA-regulated entity for violations that were discovered following a ransomware attack, according to HHS.

On February 22, 2024, the Federal Trade Commission announced a settlement order against Avast Limited requiring the company to pay $16.5 million and prohibiting it from selling or licensing any web browsing data for advertising purposes.

On February 23, 2024, the UK Information Commissioner’s Office reported that it had ordered public service providers Serco Leisure, Serco Jersey and associated community leisure trusts to stop using facial recognition technology and fingerprint scanning to monitor employee attendance.

On December 21, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Krankenversicherung Nordrhein (C-667/21) in which it clarified, among other things, the rules for processing special categories of personal data (hereafter “sensitive personal data”) under Article 9 of the EU General Data Protection Regulation (“GDPR”) and the nature of the compensation owed for damages under Article 82 of the GDPR.

On November 25, 2022, Ireland’s Data Protection Commission released a decision fining Meta Platforms, Inc. €265 million for a 2019 data leak involving the personal information of approximately 533 million Facebook users worldwide.

On October 24, 2022, the UK Information Commissioner’s Office issued a £4.4 million fine to Interserve Group Limited for failing to keep employee personal data secure during the period of March 2019 to December 2020, in violation of Article 5(1)(f) and Article 32 of the GDPR.

On October 20, 2022, Texas Attorney General Ken Paxton brought suit against Google alleging various violations of Texas’s biometric privacy law, including that the company unlawfully collected and used the biometric data of millions of Texans without obtaining proper consent.