Regulators Impose Epic Consequences for Children’s Privacy Rights Violations
On December 19, 2022, the United States Federal Trade Commission (“FTC”) announced two separate record-breaking settlements with Epic Games, Inc. (“Epic”), the video game publisher behind the popular online multiplayer game “Fortnite,” totaling over $520 million for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”) and use of “dark patterns” to deceive players into making unwanted, in-game purchases.
The Draft Adequacy Decision on the EU-US Data Privacy Framework
On December 13, 2022, the European Commission (“Commission”) formally launched the process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework and proposed a draft adequacy decision concerning personal data transfers to the U.S.
The United Kingdom and the Republic of Korea Finalize Data Sharing Agreement
On 24 November 2022, the UK government announced its adequacy decision for the Republic of Korea, which will allow UK organizations to share personal data with Korean organizations more freely under the UK General Data Protection Regulation (“UK GDPR”).
UK ICO Issues Draft Guidance on Monitoring at Work
The Information Commissioner’s Office (“ICO”) has opened a consultation on new draft guidance on monitoring at work (the “Draft Guidance”). The Draft Guidance applies in both the private and public sectors in respect of any worker, a term which is used to include employees as well as non-employee workers, independent contractors and volunteers.
President Biden Signs Executive Order on New EU-US Data Privacy Framework
Today, after over two years of detailed negotiations, President Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (the “Order”) outlining steps the U.S. will take to implement its commitments under the European Union-U.S. Data Privacy Framework, originally announced by President Biden and European Commission President Ursula von der Leyen in March of 2022.[1]
California Refuses to “Kid Around” on Children’s Privacy With Enactment of the California Age Appropriate Design Code
Determined to maintain its position as a pioneer for consumer privacy rights, California is again among the first to take action to tackle issues of children’s safety and privacy online with the enactment of the California Age-Appropriate Design Code (the “Code”), which was signed into law by Governor Gavin Newsom on September 15, 2022. Once effective on July 1, 2024, the Code would, among other things, prescribe rules that require businesses to design their online products and services with children’s privacy in mind and identify and mitigate any risks of material detriment to children that arise from businesses’ online data practices.
UK’s Data Protection and Digital Information Bill: An Uncertain Direction
On September 5, 2022, following the election of the new UK Prime Minister, the UK Government decided not to proceed with the second reading and other motions relating to the Data Protection and Digital Information Bill (the “Bill”), which were due to take place on the same day. According to the Leader of the House of Commons, the Bill was pulled “to allow Ministers to consider the legislation further”.
DFS Enters Consent Order with Robinhood Crypto for Deficiencies in AML, Cybersecurity, and Virtual Currency Compliance
On August 1, 2022, Robinhood Crypto LLC (“RHC”) entered into a Consent Order with the New York Department of Financial Services (“DFS”) based on “serious deficiencies” related to anti-money laundering (“AML”), cybersecurity, and virtual currency that were identified in DFS’s examination of RHC covering the period from January to September 2019.
European Health Data Space – The Commission’s Proposal on a Single Market For Digital Health Services, Products, and Data
On May 3, 2022, the European Commission published its proposal for a regulation on the “European Health Data Space”.
The EHDS is a talismanic European healthtech initiative that could revolutionize access to a deeper pool of EU-wide health data and unlock significant tech, AI and data analytics innovation. As a core part of the Commission’s European Data Strategy, the EHDS seeks to tackle legacy systemic issues that have hindered lawful access to electronic health data. The Regulation strives to create a “European Health Union” by strengthening individuals’ access to and portability of their electronic health data and allowing innovators and researchers to process this data through reliable and secure mechanisms. It is worth noting that the EHDS proposal does not create (nor could it feasibly do so) a unitary central EU database of electronic health data, but seeks to facilitate multilateral exchange of such health data from decentralized databases through the EHDS’s regulatory infrastructure.
The EHDS proposal builds upon other recent and contemporaneous EU data and healthcare reforms, such as Regulation (EU) 2017/745 on medical devices, the proposed AI Act, the Data Governance Act, and the proposed Data Act. It presents a welcome opportunity to resolve areas of uncertainty as to the lawful bases for health data processing under Regulation (EU) 2016/679 and fragmented Member State national laws that might otherwise inhibit “big data” innovation in the European healthcare sector. However, work remains to be done to reconcile areas of legislative interplay and ensure that data subjects’ GDPR rights remain protected.
New England’s New Privacy Act: Connecticut Becomes the Fifth State To Enact Comprehensive Data Privacy Act
After a failed attempt in 2021, Connecticut has become the fifth U.S. state to enact comprehensive data privacy legislation with the passing of “An Act Concerning Personal Data Privacy and Online Monitoring” or the Connecticut Data Privacy Act (the “CDPA” or the “Act”). The Act will take effect July 1, 2023, giving covered organizations about 14 months to become compliant.