Time 2 Minute Read

On January 15, 2024, the European Commission released its “report on the first review of the functioning of the Adequacy Decisions adopted pursuant to Article 25(6) of Directive 95/46/EC” (the “Report”). The Report details the results of the European Commission’s assessment of whether 11 jurisdictions (Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay) that benefit from Adequacy Decisions adopted under the repealed Directive 95/46/EC still offer sufficient guarantees to maintain adequacy status under the EU General Data Protection Regulation (“GDPR”).

Time 2 Minute Read

On January 18, 2024, the Federal Trade Commission announced a proposed order against geolocation data broker InMarket Media (“InMarket”), barring the company from selling or licensing precise location data. According to the FTC’s charges, InMarket failed to obtain informed consent from users of applications developed by the company and its third-party partners.  

Time 5 Minute Read

On January 16, 2024, Governor Phil Murphy signed into law Bill 332, making New Jersey the 14th state with a comprehensive state privacy law. The law is set to take effect in January 2025.

Applicability

The law will apply to controllers that conduct business in New Jersey or produce products or services that are targeted to New Jersey residents, and that during a calendar year meet any of the following criteria: (1) control or process the personal data of at least 100,000 New Jersey consumers (notably excluding personal data processed solely for the purpose of completing a payment transaction); or (2) control or process the personal data of at least 25,000 New Jersey consumers and derive revenue, or receive a discount on the price of any goods or services, from the “sale” of personal data. In line with the CCPA and other state privacy laws, the New Jersey law broadly defines “sale” as the disclosure of personal data to a third party for “monetary or other valuable consideration.”

Time 1 Minute Read

On January 15, 2024, the UK Information Commissioner’s Office (“ICO”) announced that it has launched a consultation series on generative AI. The series will examine how aspects of UK data protection law should apply to the development and use of the technology, with the first chapter of the series focusing on when it is lawful to train generative AI models on personal data scraped from the web. The ICO invites all stakeholders with an interest in generative AI to respond to the consultation, including developers and users of generative AI, legal advisors and consultants working ...

Time 3 Minute Read

On January 9, 2024, in its first settlement with a data broker concerning the collection and sale of sensitive location information, the Federal Trade Commission announced a proposed order against data broker X-Mode Social, Inc. and its successor Outlogic, LLC (“X-Mode”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.

Time 2 Minute Read

On January 9, 2024, the Federal Trade Commission published a blog post reminding artificial intelligence (“AI”) “model-as-a-service” companies to uphold the privacy commitments they make to customers, including promises made in Terms of Service agreements, promotional materials and online marketplaces.  

Time 2 Minute Read

On January 8, 2024, the French Data Protection Authority (the “CNIL”) opened a consultation on its draft guidance for the use of transfer impact assessments (“Guidance”). In describing the Guidance, the CNIL references the decision of the Court of Justice of the European Union in Schrems II and states that exporters relying on tools listed in Article 46(2) and Article 46(3) of the EU General Data Protection Regulation (“GDPR”) for personal data transfers are required to assess the level of protection in the designated third country and the need to put in place additional safeguards (i.e., conduct a transfer impact assessment (“TIA”)). The Guidance is intended to assist data exporters in carrying out TIAs. 

Time 3 Minute Read

On December 21, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Krankenversicherung Nordrhein (C-667/21) in which it clarified, among other things, the rules for processing special categories of personal data (hereafter “sensitive personal data”) under Article 9 of the EU General Data Protection Regulation (“GDPR”) and the nature of the compensation owed for damages under Article 82 of the GDPR.

Time 2 Minute Read

On December 20, 2023, the FTC issued a Notice of Proposed Rulemaking (“Notice”), which would bring long-anticipated changes to the children’s online data privacy regime at the federal level in the U.S. The Notice sets forth several important proposals aimed at strengthening the Children’s Online Privacy Protection Act Rule (“COPPA Rule”). The COPPA Rule has not been updated since 2012. The FTC received over 176,000 comments in response to its call to comment on updating the COPPA Rule.

Time 2 Minute Read

On December 18, 2023, the updated response from UK Information Commissioner John Edwards to the Data Protection and Digital Information (No 2) Bill (the “Bill”) was published on the website of the Information Commissioner’s Office (ICO). The Commissioner’s original response was published in March 2023. In the latest response, the Commissioner states that he is “pleased to note that government made some changes…in response to my comments,” specifically with regards the definition of “vexatious requests” in respect of requests made to the Information Commissioner’s Office, and the drafting of the changes to the safeguards for processing for research purposes. However, the Commissioner goes on to state that the majority of his comments currently remain unaddressed, including with regards the definition of high risk processing. 

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page