France Imposes Fine for Unauthorized Use of Fingerprint Timeclocks

French data protection authority CNIL has issued a fine against company Assistance Centre d’Appel related to the use of biometric technology in the workplace. During an audit at the end of 2016, CNIL found that the company was using fingerprint timeclocks to track employee hours without prior authorization from CNIL as required by the French Data Protection Act. In France, an employer may not use biometric data to monitor employees’ hours absent prior approval from CNIL, which is only granted in exceptional circumstances. During the 2016 audit, CNIL also found that the company was recording employee phone calls without informing the employees or other call participants, and lacked adequate workstation security. While the company has since ceased the use of fingerprint timeclocks, a 2018 audit by CNIL revealed that the company had failed to properly inform telephone call participants about call recording, and that workstations remained insecure. The fine was set at € 10,000, which was based upon the partial compliance of the company and its finances. The company only employs fourteen workers. In publishing its decision, CNIL stated that it sought to remind employees of their rights and employers of their obligations, particularly with respect to biometrics in the workplace. CNIL also intended to remind companies of the consequences for failing to respond to and comply with CNIL notices of default. Continue Reading

UK’s Data Protection Authority Enforces GDPR

The UK’s Information Commissioner’s Office (ICO) has issued its first GDPR notice to Canadian data analytics firm AggregateIQ Data Services Ltd. The company uses personal data to target political advertising at voters prior to elections. The ICO was concerned about the firm’s use of targeted advertising in the UK’s 2016 EU referendum and the 2016 US presidential election, something the ICO is otherwise investigating. In this case, the ICO accused AggregateIQ of failing to follow GDPR by using personal information without a legal basis under GDPR, and using it in ways that people would not have expected when they provided it. Although the data was gathered before GDPR went into effect on May 25, 2018, the ICO stated that GDPR applies due to AggregateIQ’s continued retention and processing of the information about UK residents after that date. Continue Reading

California Pioneers IoT Security Legislation

California’s governor recently signed into law a bill requiring connected device manufacturers to include “reasonable” security features for connected devices sold in California. The law doesn’t go into effect until January 1, 2020, and requires that the devices have security “appropriate to the nature and function of the device” and appropriate to the type of information collected. The security measures should also guard against breaches. Reasonable measures include, where appropriate, having a unique, preprogrammed password or making people create a password before using the device the first time. Continue Reading

Dramatic Increase in French Privacy Complaints Since GDPR

The French data protection authority CNIL has received 3,767 data protection complaints since EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. According to CNIL this is a 64 percent increase compared to the same four-month period last year. CNIL also reported that it has received 600 data breach notifications during the same period. CNIL is in the process of developing new French regulatory tools under GDPR. It has already developed and proposed strict new biometric privacy regulations, and has nearly finalized a certification program for company Data Protection Officers. It is now developing regulations related to customer relations, human resources, and health monitoring. Continue Reading

Apple Imposes Privacy Policy Requirement for All Apps Operating on its Platform

As Apple recently reminded developers, starting on October 3, 2018 it will require all apps being submitted for distribution through its app store, or for testing by its TestFlight service, to have a publicly posted privacy policy. This requirement was incorporated into Apple’s App Store Review Guidelines and will apply to all new apps, as well as all updated versions of existing apps. Previously only those apps that collected user information had to have a privacy policy. Continue Reading

Upcoming Canadian Breach Notification Requirements Still in Flux

Canada’s national breach notification requirements are coming online November 1st, meaning companies experiencing a data breach will soon have new reporting obligations.  These requirements were created in 2015 by the Digital Privacy Act, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s main privacy statute.  In April 2018, in preparation for the national implementation of the new law, the Office of the Privacy Commissioner of Canada (OPC), with authority to issue promulgating regulations under PIPEDA, issued Regulations that establish detailed requirements regarding the content and methodology of breach notifications to the OPC and affected individuals.  After issuing those Regulations, the OPC continued to receive requests for further clarity and guidance regarding the breach notification requirements under PIPEDA and the OPC Breach Regulations.  In response to those further requests for guidance, the OPC announced that it would issue further guidance (“What You Need To Know About Mandatory Reporting Of Breaches Of Security Safeguards”) on breach notification and reporting.  On September 17th, the OPC invited public feedback on the draft guidance.  The OPC will accept feedback until October 2, 2018.  Comments can be sent to OPC-CPVPconsult2@priv.gc.ca and must be either in the body of the email or attached as a Word or PDF document.  The OPC will publish the final guidance soon after the October 2nd deadline to ensure guidance is in place when the amendment becomes effective in November. Continue Reading

UK’s ICO Fines Marketing Company Over Unsolicited Emails

The UK’s data protection authority, the ICO, recently fined marketing firm Everything DM Ltd for sending almost 1.5 million marketing emails without obtaining sufficient consent as required by the UK’s Privacy and Electronic Communications Regulations. In particular, the company sent messages on its clients behalf, the messages appeared to the recipient to come from the client, not Everything DM Ltd, yet Everything DM could not establish for the ICO that either it or its clients had obtained consent. Of concern to the ICO was that Everything DM merely “relied on the consent of third parties but didn’t take reasonable steps” to make sure that the appropriate consents were in place. Continue Reading

New York Federal Court Dismisses Nationwide Class Action Arising Out of Alleged Spying by E-Commerce Retailers

In a victory for online retailers, a New York federal court recently dismissed three putative class action lawsuits brought on behalf of website visitors whose mouse clicks, keystrokes, and electronic communications were tracked by a third-party marketing company. The cases were filed against three e-commerce retailers—Casper (a mattress manufacturer and retailer), Tyrwhitt (a men’s clothing company), and Moosejaw (an active outdoor retailer)—and against a marketing company named NaviStone. NaviStone offers computer code that allows e-commerce retailers to determine the identities of consumers who visit their websites and track their online behavior. The plaintiff alleged that the code offered by NaviStone, and embedded in the retailers’ websites, functioned as an illegal wiretap enabling the retailers and NaviStone to “spy” on website visitors in real time as they browse. The lawsuits alleged violations under the federal Electronic Communications Privacy Act (ECPA), the federal Stored Communications Act (SCA), and New York General Business law (NYGBL). Continue Reading

BIPA Claims Against United Airlines Must be Arbitrated Due to Collective Bargaining Agreement

Last month a federal district court dismissed a putative class action lawsuit against United Airlines challenging its use of fingerprint scanning timeclocks. The lawsuit brought by United employee David Johnson alleged that the company’s collection and use of employees’ fingerprints violated the Illinois Biometric Information Privacy Act (BIPA) because the company failed to get the requisite consent from its employees for fingerprint collection and use. Continue Reading

Two Cyber Laws Go Into Effect Over US Labor Day Weekend

On September 1, the Colorado breach notification statute update became effective, the first of two developments that occurred over the weekend. As we wrote about when the modification was passed, Colorado’s updated statute expands the definition of “personal information” to include ID numbers, medical information, and biometric information and places a proactive obligation on companies to investigate potential breaches. If notification is required, it will now have to be provided within 30 days of the company determining that the breach has occurred, and Colorado now joins many other states in having content requirements for breach notices. In addition to the data breach notification changes, the law also creates a requirement to “reasonably” protect personal information. Continue Reading

LexBlog

By scrolling this page, clicking a link or continuing to browse our website, you consent to our use of cookies as described in our Cookie and Advertising Policy. If you do not wish to accept cookies from our website, or would like to stop cookies being stored on your device in the future, you can find out more and adjust your preferences here.

Agree