On March 13, 2024, the European Parliament adopted the Artificial Intelligence Act (AI Act). It is considered to be the world’s first comprehensive horizontal legal framework for AI. It provides for EU-wide rules on data...more
3/15/2024
/ Artificial Intelligence ,
EU ,
European Commission ,
European Parliament ,
Extraterritoriality Rules ,
General Data Protection Regulation (GDPR) ,
Machine Learning ,
Member State ,
New Legislation ,
OECD ,
Risk Assessment ,
Technology Sector
On July 10, 2023, the European Commission adopted its long-awaited adequacy decision for the EU-U.S. Data Privacy Framework (“Adequacy Decision”). This ends a three-year journey to set up a successor to the EU-U.S. Privacy...more
7/12/2023
/ Adequacy Requirement ,
Court of Justice of the European Union (CJEU) ,
Department of Justice (DOJ) ,
EU ,
EU-US Privacy Shield ,
European Commission ,
Executive Orders ,
Federal Trade Commission (FTC) ,
General Data Protection Regulation (GDPR) ,
Iceland ,
International Data Transfers ,
Liechtenstein ,
Member State ,
Norway ,
Personal Data ,
U.S. Commerce Department
On May 16, 2022, the European Data Protection Board (EDPB), the independent body of data protection supervisors that promotes consistent data protection rules and application thereof throughout the European Union (EU),...more
5/31/2022
/ Artificial Intelligence ,
Biometric Information ,
Corporate Counsel ,
Corporate Fines ,
Data Protection Authority ,
Enforcement Actions ,
EU ,
European Data Protection Board (EDPB) ,
Facial Recognition Technology ,
General Data Protection Regulation (GDPR) ,
Law Enforcement ,
New Guidance ,
Personal Data ,
Right to Privacy
On May 3, 2022, the European Commission published a proposal for a Regulation on the European Health Data Space (EHDS) (“EHDS Regulation”, or “Proposal”). With the Proposal, the European Commission aims to make significant...more
5/26/2022
/ Digital Health ,
Electronic Health Record Incentives ,
Electronic Protected Health Information (ePHI) ,
EU ,
European Commission ,
General Data Protection Regulation (GDPR) ,
Life Sciences ,
Member State ,
Patient Privacy Rights ,
Popular ,
Proposed Regulation
U.S. privacy law is undergoing dramatic change on an accelerating pace. New laws across the country address specific industries, certain kinds of data, and various concerning practices. There is international pressure to...more
4/22/2022
/ Antitrust Provisions ,
Competition Authorities ,
Data Privacy ,
Data Protection Authority ,
Facebook ,
Federal Trade Commission (FTC) ,
General Data Protection Regulation (GDPR) ,
Legislative Agendas ,
Personal Data ,
Privacy Laws ,
Regulatory Agenda ,
Regulatory Oversight ,
Regulatory Requirements ,
Right to Privacy ,
Social Networks
On March 18th, 2022, Sri Lanka enacted the Personal Data Protection Act, No. 9 of 2022 (the “Act” or “PDPA”) thereby becoming the first South Asian country to enact comprehensive data protection legislation. The law is...more
French regulators have held that the use of Google Analytics violates the GDPR, a decision that likely has broad implications for web analytics companies and website operators.
On February 10, 2022, the French Data...more
2/16/2022
/ Analytics ,
CNIL ,
Corporate Counsel ,
Data Protection Authority ,
Facebook ,
FISA ,
France ,
General Data Protection Regulation (GDPR) ,
Google ,
International Data Transfers ,
Schrems I & Schrems II
Businesses that transfer personal data to and from the United Kingdom will soon have clarity regarding transfers from the UK to recipients outside the EU/EEA.
On February 2, 2022, the United Kingdom Secretary of State...more
Last week, the Belgian Data Protection Authority ruled that the IAB’s cookie consent framework violated the GDPR. This decision has tremendous potential implications on the ad tech industry, as both publishers and advertisers...more
2/8/2022
/ Adtech ,
Advertising ,
Belgium ,
Consent ,
Cookies ,
Data Controller ,
Data Protection Authority ,
EU ,
General Data Protection Regulation (GDPR) ,
Online Advertisements ,
Publishers
Despite its antecedents in one of the most widely cited law review articles of all time from more than 130 years ago, modern United States privacy law is roughly twenty years old. Even though still in its relative infancy,...more
7/8/2021
/ Big Data ,
California Consumer Privacy Act (CCPA) ,
Data Breach ,
Data Privacy ,
Data Security ,
Enforcement ,
General Data Protection Regulation (GDPR) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Personal Data ,
Personal Information ,
Preemption ,
Privacy Laws ,
Private Right of Action ,
Sensitive Personal Information ,
State Privacy Laws
On June 7, 2021, the Colorado House of Representatives passed the Colorado Privacy Act (CPA), a comprehensive privacy law similar to the California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA), as well...more
6/9/2021
/ Business Associates ,
California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Covered Entities ,
Data Controller ,
Data Privacy ,
Exemptions ,
General Data Protection Regulation (GDPR) ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Opt-Outs ,
Pending Legislation ,
Personal Data ,
Sensitive Personal Information ,
State Privacy Laws
On June 4th, 2021, the European Commission adopted and published a new set of so-called standard contractual clauses (“SCCs”) providing a legal basis for international transfers of personal data from the EU/EEA to third...more
6/7/2021
/ EU ,
EU-US Privacy Shield ,
European Commission ,
European Court of Justice (ECJ) ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
UK
The long wait to see if any state would join California in passing a comprehensive privacy law is finally coming to an end, as the Virginia Senate passed the Virginia Consumer Data Protection Act (CDPA) on February 3. An...more
On November 11, 2020, the European Data Protection Board (“EDPB”) released two documents as a follow-up to the Court of Justice of the European Union’s (“CJEU”) notable July 2020 decision, known as Schrems II. These documents...more
The European Court of Justice (the “Court”) issued the long-awaited “Schrems II” decision. (see Facebook Ireland Ltd. v. Maximillian Schrems).
In its decision, the Court (1) struck down the Privacy Shield program that...more
I am not a real academic. I teach privacy law very part-time as an adjunct professor. I am a full-time law firm partner, focusing on privacy and data security issues.
I have been teaching formal privacy and data security...more
This second installment assesses options for moving forward to address emerging gaps and an evolving health care industry. Why? Because the substantial history behind the Health Insurance Portability and Accountability Act...more
2/10/2020
/ California Consumer Privacy Act (CCPA) ,
CMIA ,
Covered Entities ,
Data Privacy ,
Data Protection ,
General Data Protection Regulation (GDPR) ,
Health Care Providers ,
Health Insurance Portability and Accountability Act (HIPAA) ,
Legislative Agendas ,
Privacy Laws ,
Proposed Legislation
The United States has always had privacy law. For most of our history it mainly regulated the government in connection with its citizens.
About 20 years ago we started modern privacy - presumably why we have Data Privacy...more
Congress is debating whether to enact a national privacy law. Such a law would upend the approach that has been taken so far in connection with privacy law in the United States, which has either been sector specific...more
Continuing Congress’s consideration of possible comprehensive federal privacy legislation, the Senate Commerce Committee’s Subcommittee on Manufacturing, Trade, and Consumer Protection held a hearing on March 26, 2019 on...more
4/1/2019
/ California Consumer Privacy Act (CCPA) ,
Congressional Committees ,
Data Controller ,
Data Privacy ,
Data-Sharing ,
Federal Trade Commission (FTC) ,
General Data Protection Regulation (GDPR) ,
Personally Identifiable Information ,
Preemption ,
Privacy Concerns ,
Privacy Laws ,
Small Business
Continuing Congress’s efforts to craft comprehensive federal privacy legislation, the Senate Judiciary Committee on March 12, 2019, held a hearing on “GDPR & CCPA: Opt-ins, Consumer Control, and the Impact on Competition and...more
3/15/2019
/ Behavioral Advertising ,
California Consumer Privacy Act (CCPA) ,
Federal Trade Commission (FTC) ,
General Data Protection Regulation (GDPR) ,
Legislative Agendas ,
Legislative Committees ,
Opt-In ,
Opt-Outs ,
Preemption ,
Privacy Laws ,
Privacy Policy ,
Small Business