On November 19, 2021, the European Data Protection Board published its draft Guidelines 05/2021 on the interplay between the application of Article 3 of the GDPR, which sets forth the GDPR’s territorial scope, and the GDPR’s provisions on international data transfers.
Continue Reading The EDPB Issues Guidelines Clarifying What Constitutes an International Data Transfer Under the GDPR

On November 5, 2021, IAB Europe announced that, in the coming weeks, the Belgian Data Protection Authority plans to share with other data protection authorities a draft ruling on the IAB EU Transparency & Consent Framework.
Continue Reading Belgian DPA Expected to Rule that IAB Europe’s Cookie Consent Framework Violates the GDPR

On November 10, 2021, the UK Supreme Court issued its long-awaited judgment in the Lloyd v Google case. The decision is expected to make it difficult in practice for a future class action lawsuit that is brought on behalf of a class of individuals who have not actively opted in to being represented by the lead claimant to proceed under UK law.
Continue Reading Lloyd Court Says No to Class Action-Style Lawsuits in the UK

On October 29, 2021, the Cyberspace Administration of China released for public comment Draft Measures on Security Assessment of Cross-border Data Transfer. The CAC issued the Draft Measures three days before the November 1, 2021 effective date of the Personal Information Protection Law.
Continue Reading China Issues Draft Measures on Security Assessment of Cross-border Data Transfer

During the week of October 4, 2021, California Governor Gavin Newsom signed into law bills amending the California Privacy Rights Act of 2020, California’s data breach notification law and California’s data security law. Additional bills, amending the California Confidentiality of Medical Information Act and the California Insurance Code, also were also signed into law. The Governor also signed into law a bill protecting the privacy and security of genetic data processed by direct-to-consumer genetic testing companies, and a bill designed to prevent the sale, purchase and use of data obtained by illegal means.
Continue Reading California Governor Signs into Law Bills Updating the CPRA and Bills Addressing the Privacy and Security of Genetic and Medical Data, Among Others

On October 12, 2021, the Oxford County Court determined that a homeowner had breached the Data Protection Act 2018 (“DPA”) and UK General Data Protection Regulation (“UK GDPR”) by using Ring security cameras around his property. In Dr Mary Fairhurst v Mr Jon Woodard, Fairhurst claimed harassment, nuisance and breach of UK data protection law based on her former neighbor, Woodard’s, use of security cameras and lights around his property. While the claim in nuisance failed, the judge found for the claimant on the claims of harassment and breach of data protection law.

Continue Reading UK Homeowner’s Use of Ring Security Camera Found to Infringe UK GDPR

A New York City Council bill amending the New York City Administrative Code to address customer data collected by food delivery services from online orders recently became law. Effective December 27, 2021, the law will permit restaurants to request customer data from third-party food delivery services and permit customers to opt out of the sharing. The law also imposes certain requirements and limitations regarding restaurants’ use and sharing of such data.
Continue Reading New York City to Require Food Delivery Services to Share Customer Data with Restaurants

The U.S. Securities and Exchange Commission recently announced that Pearson plc agreed to pay a $1 million civil penalty in a settlement related to charges that Pearson misled investors about a 2018 data breach resulting in the theft of millions of student records, including birth dates and email addresses.
Continue Reading SEC Sanctions Public Company for Misleading Disclosures About Data Breach

On August 25, 2021, New Mexico Attorney General Hector Balderas sued Rovio Entertainment, the developer of the popular Angry Birds mobile app games, alleging that the Company violated the federal Children’s Online Privacy Protection Act by knowingly collecting data from players under age 13 and sharing it with advertisers.
Continue Reading New Mexico Attorney General Files COPPA Suit Against Game Developer