Privacy & Information Security Law Blog

According to MLex, on January 6, 2020, the Seoul Eastern District Court found Kim Jin-Hwan, a privacy officer of the South Korean travel agency Hana Tour Service Inc., guilty of negligence in failing to prevent a 2017 data breach that affected over 465,000 customers of the agency and 29,000 Hana Tour employees.

On January 6, 2020, the Federal Trade Commission announced that it granted final approval to a settlement with InfoTrax Systems, L.C. and its former CEO, Mark Rawlins, related to allegations that InfoTrax failed to implement reasonable, low-cost and readily available security safeguards to protect the personal information the company maintained on behalf of its business clients.

In a January 6, 2020 blog post, the Director of the Federal Trade Commission’s Bureau of Consumer Protection reflected on how the FTC has taken action over the past year to strengthen its orders in data security cases. These orders have been a subject of focus for the FTC: in June 2018, the 11th Circuit’s LabMD decision struck down an FTC data security order as unenforceably vague, and the FTC subsequently held a hearing in the course of the FTC’s Hearings on Competition and Consumer Protection in the 21st Century on how it could improve data security orders.

Though all may be quiet on New Year’s Day, January 1, 2020, is the compliance date for the California Consumer Privacy Act of 2018 (“CCPA”). On the cusp of a new decade, we enter a new era of privacy rights.

The CCPA is now in effect, but the California Attorney General cannot begin enforcement until July 1, 2020. We want to congratulate everyone on their hard work this past year and a half.

If you watched the ball drop in New York City last night, we hope you can say that you didn’t drop the ball on CCPA compliance. They say hindsight is always 20/20. CCPA compliance can be your New Year’s ...

On December 12, 2019, the Belgian Data Protection Authority (the “Belgian DPA”) released its draft 2019-2025 Strategic Plan (the “Draft Plan”). In the Draft Plan, the Belgian DPA describes its vision for the years to come, defines its priorities and strategic objectives and lists the necessary means to achieve its objectives.

Canadian Prime Minister Justin Trudeau has signaled his intent to overhaul data privacy within Canada. Prime Minister Trudeau recently sent a Mandate Letter to Navdeep Bains, the Minister of Innovation, Science and Industry, that contained a number of mandates with respect to data privacy.

On December 19, 2019, the members of the Permanent Representations of EU Member States to the Council of the European Union (“the Council”) published a draft position on the application of the General Data Protection Regulation (“GDPR”). After the draft position has been formally adopted by the Council, it will be provided to the European Commission. This is part of the GDPR evaluation process under Article 97 of the GDPR, which requires the European Commission to publish a report on the evaluation and review of the GDPR by May 25, 2020.

On December 12, 2019, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced its second enforcement action and settlement under its HIPAA Right of Access Initiative. Under the terms of the settlement, Korunda Medical, LLC, agreed to pay $85,000 to settle a potential violation of HIPAA’s right of access.

The U.S. Department of Education and the U.S. Department of Health and Human Services released joint guidance on the application of the Family Educational Rights and Privacy Act (“FERPA”) and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule to student records. This is the first update to the agencies’ guidance since it was issued in 2008. The 27-page document includes FAQs clarifying for schools, health care professionals and families how FERPA and HIPAA apply to student education and health records. The FAQs answer which rule ...

On December 19, 2019, the Advocate General of the Court of Justice of the European Union (the “CJEU”) handed down his opinion in the so-called “Schrems II” case (case C-311/18). He recommended that the CJEU uphold the validity of the Standard Contractual Clauses (“SCCs”) as a mechanism for transferring personal data outside of the EU. Given that SCCs are the key data transfer mechanism used by many organizations to transfer personal data outside of the EU, the opinion has far-reaching repercussions and will be welcomed by businesses across the globe.