Echoing other agencies in recent weeks, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued an alert sharing resources to address and protect institutions against the recent influx of ransomware attacks.  Resources included a White House Memo urging companies to strengthen their commitment to cybersecurity.

Continue Reading OCR Urges Private Sector to Beef Up Ransomware Protections

Colorado recently joined Virginia and California in passing a more comprehensive privacy law. The Colorado Privacy Act (CPA) will go into effect July 1, 2023. This is six months after Virginia’s law (CDPA) and California’s Privacy Rights Act (CPRA), which amends the existing CCPA, go into effect. The law does not have a private right of action, and the AG is to adopt regulations on certain aspects by July 1, 2023.

Continue Reading And Then There Were Three: Colorado Passes Privacy Law, Effective July 2023

The European Commission announced today a long-awaited decision that the UK data protection standards are adequate under the meaning of GDPR’s Article 45, providing a mechanism to enable transfer of data from the EU to the UK without the need for additional authorisation or putting in place additional safeguards. This decision will be in force for four years but can be withdrawn if the UK were to lower its standards and no longer provide EU citizens adequate protection for their personal data. The decision excludes personal data that is transferred for purposes of United Kingdom immigration control.

Continue Reading Free Data Flow to the UK May Continue – EU Adopts Adequacy Decision

Starting this fall, companies transferring personal data from the European Economic Area (EEA) will likely begin to see a flurry of contract renegotiations. On June 4, 2021, the European Commission adopted long awaited new Standard Contractual Clauses (SCCs) for transfers out of the EEA. SCCs have been one of the more popular ways for Companies to transfer personal data from the EEA to third countries whose privacy laws have not been deemed “adequate” (like the US). The prior SCCs pre-date GDPR (see our discussion here), and have been updated to (1) more directly address GDPR and (2) because of comments in Schrems II last July, which called into question their use (the court noted that even under SCCs, certain “supplementary measures” might be needed for cross-border transfers).
Continue Reading Understanding When to Use Two New Sets of Standard Contractual Clauses Issued by the EU

Google recently announced that beginning next year it will require Android mobile apps to provide privacy disclosures. These disclosures will live in a new “safety section” in Google Play. The requirements include disclosing:

  • What information the app collects and how information is used;
  • How the app protects information and if it uses encryption;
  • If information is shared and if users have a choice about sharing;
  • If users can request data deletion; and
  • If the disclosures made in the safety section have been verified by an independent third party.


Continue Reading Time to Update Your Privacy Disclosure Creation Checklists? Google Will Add to Mobile Privacy Disclosure Requirements

The Portuguese data protection authority issued a recent resolution ordering the Portuguese National Institute of Statistics (or INE) to stop sending personal census information to any countries outside of the EU that do not provide “adequate” levels of data protection. Among those countries are the United States.
Continue Reading Portugal Puts Halt on Data Transfers Between INE and Cloudflare

The Dutch Data Protection Authority recently imposed a €475,000 fine ($558,000) against the hotel website Booking.com for waiting longer than 72 hours to report a data breach. According to the Dutch DPA press release, Booking.com learned of the breach on January 13, 2019 and reported it to the DPA on February 7, 2019. The DPA did not make it clear in that release whether Booking.com had, in fact, determined on January 13, 2019 that a security breach impacting personal information of Dutch citizens had occurred or whether January 13, 2019 was date that Booking.com was first alerted to suspicious activity.

Continue Reading Booking.com Fined By Dutch DPA For Breach Notice Delay

As of this week, Apple’s requirements for apps to follow its AppTrackingTransparency are now in effect. These requirements went hand-in-hand with the iOS 14.5 launch, and impacts how an app can track users and access their advertising device IDs. In particular, consumer consent is now required if the app collects consumer information and shares it with others “for purposes of tracking across apps and web sites.” Apple has provided developers with specific implementation steps, which will be reviewed when apps are submitted to Apple for approval. As part of the submission, companies need to explain why they want to track users, as required under Apple’s guidelines.
Continue Reading Apple’s App Tracking Transparency Now In Effect