Cybersecurity

Subscribe to Cybersecurity

On September 24, 2019[1], the Court of Justice of the European Union (the “CJEU”) handed down its much anticipated follow-on judgment[2] in connection with an individual’s right to have links removed from search results displayed following a search of that individual’s name on Google’s search engine.

Building on its recognition of a “right to de-referencing” in its landmark 2014 Google Spain judgment[3] (establishing the so-called “right to be forgotten” or “RTBF”), the CJEU now further clarified the territorial scope of such right, and limited the de-referencing obligation to Google’s search engine websites corresponding to EU Member States, as opposed to all domain name extensions (e.g., the obligation applies to domain names with top-level domain (“TLDs”) corresponding to EU Member States, such as “google.fr” for France or “google.be” for Belgium). The Court added that Google may need to use, “where necessary”, measures effectively preventing or seriously discouraging an internet user from accessing (on other versions of the search engine, which are not subject to the de-referencing obligation) the links at issue from an EU Member State. As a consequence, Google has no obligation to remove the links at issue on all Google websites worldwide (such as on “google.com”), but may need to implement sufficiently effective measures to prevent Internet users from accessing the links from the EU.
Continue Reading

California’s 2019 legislative session has drawn to a close with passage of five amendments to the California Consumer Privacy Act (CCPA) during the final days of the session.  Assuming that the bills are timely signed by the Governor before the October 13 deadline, businesses will finally have the complete version of the statute that will

While the EU General Data Protection Regulation 2016/679 (the “GDPR”) has grabbed headlines due to its extraterritorial reach and administrative fining regime (which permits fines for non-compliance up to the higher of €20 million or 4% of global, annual turnover),[1] a recent decision in the Northern District of California – Finjan v. Zscaler (“Finjan”)[2] – suggests that U.S. Courts won’t view the EU data protection legislation as an absolute obstacle to domestic discovery.  Finjan, as the first post-GDPR ruling of its kind, suggests that it will be business as usual navigating between U.S. civil discovery and EU law, at least from the U.S. courts’ perspective.
Continue Reading

Responding to a request by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), the EU’s data protection supervisory bodies released an initial joint opinion on the impact of the U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) on the EU data protection framework.

The preliminary assessment by the European

In February of this year the German antitrust agency, the Federal Cartel Office (“FCO”), issued a decision against Facebook regarding their handling of user data. Please see our previous blog-post detailing the FCO’s arguments here

Facebook appealed and on August 26, 2019, the Düsseldorf Court of Appeal (“DCA”) in an interim decision granted suspensive effect to Facebook’s appeal against the FCO decision.

The DCA can order suspensive effect to an appeal if it has serious doubts whether the prohibition decision is legally valid.  Despite the preliminary character of the DCA’s decision, this could represents a significant setback for the FCO and have signaling effect beyond the German borders,. The DCA made certain important points on issues of law, which it will likely not revers during its main proceedings.
Continue Reading

In late July 2019, U.S. federal and state regulators announced three headline‑grabbing data privacy and cybersecurity enforcement actions against Equifax and Facebook.  Although coverage of these cases has focused largely on their striking financial penalties, as important are the terms the settlements imposed on the companies’ operations as well as their officers, directors, and compliance professionals—and what they signal about potential future enforcement activity to come.
Continue Reading

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (the “SHIELD Act” or the “Act”), which expands data breach notification obligations under New York law and for the first time imposes affirmative cybersecurity obligations on covered entities.

The Act makes five principal changes

On 9 July, the UK Information Commissioner’s Office (“ICO”) issued a notice of its intention to fine Marriott International, Inc. (“Marriott”) £99,200,396 for alleged infringements of the EU General Data Protection Regulation ( “GDPR”) in connection with a cybersecurity incident notified to the ICO by Marriott in November 2018. The ICO’s public statement followed Marriott’s disclosure of the ICO’s intention to the US Securities and Exchange Commission (“SEC”) and comes just one day after the ICO published its notice of intention to fine British Airways £183.4 million (see our previous blog post here). The proposed fines, if enforced by the ICO, will be the two highest fines levied under the GDPR, to date.

Continue Reading

On June 24th, Senators Mark Warner (D-VA) and Josh Hawley (R-MO) introduced a bill that would require large technology companies to regularly disclose to their users and the Securities and Exchange Commission (SEC) the value of the user data they collect and monetize.  The bipartisan bill, cited as the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act, is intended to capture major online platforms such as Amazon, Facebook, Google and Twitter that offer “free” services to users while monetizing user data through targeted advertising.

Continue Reading