Author: Hogan Lovells International LLP

The Ninth Circuit Revives Consumer Class Action, Finding Intangible Harm Sufficient to Confer Article III Standing

The six-year fight over the type of harm a plaintiff must allege to satisfy the “injury in fact” requirement for lawsuits alleging false reporting of credit information took its latest turn this week.  On Tuesday, August 15, 2017, the U.S. Court of Appeals for the Ninth Circuit, on remand from the United States Supreme Court, issued its opinion in Spokeo, Inc. v. Robins, a highly-watched case challenging whether a plaintiff can satisfy Article III standing based solely on a technical violation of the Fair Credit Reporting Act (FCRA).  Plaintiff Thomas Robins brought a putative class action for willful violations...

New Case Law on Restrictions for Employee Monitoring in the Workplace in Germany

According to the German Federal Labor Court, Germany’s highest court for employment disputes, German employers are not allowed to monitor employees in the workplace without a concrete suspicion of a criminal violation or, in some cases, a serious breach of duty (judgment dated July 27, 2017, case ref. 2 AZR 681/16). This means that employer monitoring of an employee’s computer usage without a concrete suspicion, including the use of keylogging software that records all keyboard entries made at a desktop computer, does not comply with German data privacy laws. Courts may exclude evidence obtained in violation of German data...

Russian Data Protection Authority Publishes Privacy Policy Guidance

On 31 July, the Russian data protection authority, Roskomnadzor, issued guidance for data operators on the drafting of privacy policies to comply with Russian data protection law. Russia’s 2006 privacy law – Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” (Personal Data Law) – requires, among other things, that Russian data operators adopt a privacy policy that describes how they process personal data. This notice requirement is similar to the approach in Europe. Furthermore, data operators shall publish such a policy online when personal data is collected online or otherwise provide unrestricted access to the...

UK Government Releases Statement of Intent on Proposed Data Protection Bill

On 7 August 2017, the UK Department for Culture, Media and Sport (DCMS) published its Statement of Intent on a proposed Data Protection Bill, which will replace the current UK Data Protection Act 1998 (DPA). The proposals set out in the Statement of Intent are intended to reassure businesses concerned about the impact of Brexit on data flows between the UK and the rest of Europe. The Bill is designed to fully implement the two new laws emanating from the EU – the General Data Protection Regulation (GDPR) and the Data Protection Law Enforcement Directive (DPLED) –  in an...

FTC Schools “Smart” Toys with Updated COPPA Compliance Guidance

The Federal Trade Commission (“FTC”) released an updated guidance document for complying with the Children’s Online Privacy Protection Act (“COPPA”). The revised guidance, released on June 21, 2017, explicitly identifies connected toys and other Internet of Things devices as being covered under COPPA and adds clarity to web operators’ responsibility for the activities of third parties, such as ad networks and plug-ins, that collect personal information protected under COPPA. It also includes recently approved methods for obtaining verifiable parental consent. The new guidance comes shortly after Senator Mark R. Warner (D-VA) urged the FTC to strengthen protections for children’s personal...

Bipartisan Group of Senators Introduce Bill to Impose Baseline Security Requirements for IoT Devices Provided to U.S. Government

On August 1, a bipartisan group of four senators introduced a bill that would impose specific cybersecurity requirements on providers of Internet of Things (IoT) devices when doing business with the U.S. Government and provide liability protections for security researchers who disclose vulnerabilities affecting these devices. Though the bill’s security requirements would apply only in cases where entities are acting as contractors to the U.S. Government, if enacted, it likely would be influential on IoT vendors operating in the consumer context as well. The bill is largely consistent with an ongoing multistakeholder effort led by the National Telecommunications and...

The FTC and Industry Propose Best Practices for IoT Security Updates

How do you ensure that an Internet-connected sensor or device—often inexpensive and designed for lifespans of up to 20 years or more—can be secured against not only the intrusions of today but also those of the future? This question has taken on new urgency as low-cost Internet-connected devices are increasingly being co-opted into massive networks, known as “botnets,” that are capable of causing widespread disruption. Both government regulators and industry have been working together to solve this and related questions by developing best practices for mitigating security risks from unpatched or unsupported devices. As we discussed in January, the...

FCC Privacy Rules Break New Ground

The Federal Communications Commission’s (FCC) long-awaited – and much debated – privacy rules for Internet Service Providers (ISPs) have now been adopted. The agency approved the rules by a 3-2 vote along political party lines last Thursday. Several of the FCC requirements are particularly notable for being more restrictive than the Federal Trade Commission’s (FTC) standards for consumer online privacy. In this post we provide an overview of some of the new FCC rules and highlight key areas where the FCC’s requirements diverge from the FTC’s framework.

Requirements for ISPs

Although the full text of the FCC’s decision has not yet been released, an agency fact sheet provides details on some of the key requirements:

Transparency. The rules require ISPs, whether they offer mobile broadband or fixed broadband services, to: (1) notify customers about what types of information the ISP collects about customers; (2) specify how and for what purposes the ISP uses and shares this information; and (3) identify the types of entities with which the ISP shares this information.

Consumer Choice. ISPs must obtain opt-in consent to use and share “sensitive information” such as precise geolocation information, web browsing history, app usage history, the content of communications, and health information. ISPs must also provide consumers an ability to opt out of the use and sharing of non-sensitive information. Certain exceptions to these consent standards are provided,...
