July 15, 2019

Weekly Data Privacy Alert – 1 April 2016


OpposeTel Appointed to Protect Against Unwanted Telemarketing Calls

As of 1 June 2016, OpposeTel will replace Pacitel as the appointed service to control the list of data subjects that do not wish to receive telemarketing phone calls. This is almost the final building block of the new regulation to prohibit professionals from direct telemarketing (article L 121-34 of the French Consumer Code). Calling data subjects on the list for telemarketing purposes can result in a fine of €15,000 for individuals and €75,000 for corporations.

Press Release (in French)

Article L 121-34 of the French Consumer Code (in French)

CNIL Fines Google €100,000

The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has issued a €100,000 fine following Google’s refusal to comply with the CNIL’s injunction to extend delisting to all of its search engine domain name extensions.

Press Release


Positive Views of the General Data Protection Regulation in the German Parliamentary Committee

In a public hearing of the Bundestag committee “Digitale Agenda”, German data protection experts from the state, the industry and academia have taken an overall positive view of the coming General Data Protection Regulation (GDPR).

The Federal Data Protection Officer, Andrea Voßhoff, stated that in spite of her detailed critique the GDPR would ensure a high level of protection. Data-based business models would remain possible, although their legality needed to be assessed in every individual case.

Dagmar Hartge, the Brandenburg Data Protection Officer, complimented the principle of lex loci solutionis (law of the place where relevant performance occurs) contained in the GDPR as it will bind non-European companies to the EU data protection law and foster fair competition.

The representative of the internet industry criticized the GDPR for not creating incentives for the use of pseudonymised data. The representative of academia found that the GDPR was lowering German data protection standards. This could, however, be compensated for by the wide scope that the GDPR leaves for member state implementation.

Press Release (in German)

German Association for Data Protection Heavily Criticizes Privacy Shield

The German Association for Data Protection (Deutsche Vereinigung für Datenschutz – DVD) has expressed immense disappointment with the recently presented material of the EU-US Privacy Shield. According to the DVD, the attempt to get the US Government to conform to the requirements of the European Court of Justice has completely failed. The DVD appealed to the European Parliament and the Article 29 Working Party to reject the intended adequacy decision by the European Commission.

Press Release (PDF) (in German)


Swansea Dubbed “UK’s Cold Call Capital”

The Information Commissioner’s Office (ICO) has dubbed Swansea “UK’s cold call capital” after it fined two further companies in the city. The two companies that were recently fined were Flacon and Point, which made automated calls about PPI, and Direct Choice Home Improvements Ltd, which traumatised people by asking to speak to deceased relatives. In total, the ICO has fined six Swansea-based companies since 2013.

ICO News Report


Three Separate Class Action Cyber Breach Lawsuits Filed Against 21st Century Oncology

Three weeks ago, 21st Century Oncology announced that medical records of at least 2.2 million current and former patients had been illegally obtained due to a security breach. As a result, last week, three separate class-action lawsuits were filed against 21st Century Oncology. The lawsuits assert the company failed to take adequate security measures in protecting electronic medical records, resulting in a cyber breach exposing them to “substantial financial and other injury and damage.” Plaintiffs are seeking more than US$15 million from 21st Century, accusing the company of multiple violations including negligence, unjust enrichment and breach of implied covenant of good faith and fair dealing. The lawsuit claims the FBI informed 21st Century of the security breach in December 2015, one month after investigators believe the intrusion occurred, but the company did not notify the Securities and Exchange Commission until March 4, 2016, and current and former patients did not receive letters notifying them of the breach until mid-March.

US Office of Management and Budget Annual Cybersecurity Report Notes 77,000 Cyber Incidents Against US Government in 2015

On March 18, 2016, the Office of Management and Budget (OMB) released the annual report mandated by the Federal Information Security Modernization Act (FISMA) of 2014. The report, which evaluates Federal agencies’ information security policies and practices, indicates that during 2015 there were 77,000 cyber incidents aimed at the government, including network breaches or data infiltration – a 10% increase from 2014. The report also notes that most federal agencies lack information security, and that while several initiatives to address the personnel challenge exist, “implementation and awareness of these programs is inconsistent.”

OMB Annual Cybersecurity Report (PDF)

Privacy Laws on the Horizon for Autonomous Vehicles

In mid-March, the Senate Commerce Committee held a hearing to learn more about the advancements in autonomous technology and to discuss a cohesive national policy on how companies can use personal data collected by autonomous vehicles. Representatives from Lyft, Google, General Motors and Delphi Automotive, as well as Mary Louise Cummings, the Director of the Humans and Autonomy Laboratory at Duke University, testified at the hearing. Given that autonomous vehicles will collect large amounts of personal information about their passengers, lawmakers are concerned about how, if at all, data collection ought to be regulated. Lawmakers also want to stay involved in the regulation of autonomous vehicles. Senator Bill Nelson (D-FL) expressed this concern, noting: “You can imagine what would happen to get an autonomous vehicle hacked out on the road…. One small defect could end up with a massive safety crisis. So no more cover-ups, no more head-in-the-sand approaches to safety.”

In January 2016, Secretary of Transportation Anthony Foxx announced he is giving the Department of Transportation six months to draft comprehensive rules governing how autonomous cars should be tested and regulated. Currently, several states, including California, Nevada, Michigan, Florida and Washington DC, have adopted laws regulating the testing and sale of autonomous vehicles.

© Copyright 2019 Squire Patton Boggs (US) LLP


About this Author

Annette Demmel, Information Technology Attorney, Squire Patton Boggs Law Firm

Dr. Annette Demmel is a partner in our Data Privacy & Cybersecurity Practice Group in Berlin. For 20 years, Annette has advised national and international businesses in privacy law, technology law, telecommunications law, intellectual property law, media law and competition law.

In particular, she leads the implementation of privacy compliance programs and centralized software systems, and provides advice on policy and regulatory issues arising in the electronic communications and internet sectors. Annette also advises clients on legal...

Stephanie Faber Attorney Squire Patton Boggs Paris
Of Counsel

Stephanie Faber heads the Data Privacy & Cybersecurity Practice and the Intellectual Property & Technology Practice in the Paris office. She specialises in international business law, with more than 20 years of experience. Her legal practice encompasses business transactions and operations, as well as regulatory and compliance work.

In relation to the Data Privacy & Cybersecurity Practice, Stephanie advises on:

  • GDPR gap assessment and compliance programs

  • Data breach management and notification

  • Database creation, international transfers (Privacy Shield, BCR and Model clauses), cloud, HR data (including employee monitoring), marketing usage, health data, financial-related services, etc.

  • Whistleblowing (including new mandatory requirement effective 1 January 2018)

  • Contract negotiations

  • Relations and registrations with the French data protection authority, the CNIL

The Intellectual Property & Technology Practice of the Paris office encompasses advising on, drafting and negotiating contracts in the following areas:

  • Commercial contracts, including distribution agreements, services and supply agreements, advertising agreements, logistic agreements, general conditions of sales and sponsoring agreements

  • Joint ventures, transfer of businesses, assets or licenses

  • French regulations applying to commercial businesses, including e-commerce such as consumer protection, competition, advertising, product liability, abrupt termination of ongoing commercial relationships, distance sales, on or offline gaming and lotteries, and use of French language

  • IT, media and telecom contracts and outsourcing

  • Communication and media regulations

  • French anticorruption regulation (including compliance programs required since 2017), UKBA and FCPA

  • Relationship with regulators such as the DGCCRF (in charge of consumer protection and competition in France) and the CSC (Commission of Safety for Consumers), as well as the ARCEP (French regulator of the electronic communications and postal sectors)

Her commercial practice also includes conflicts and pre-litigation situations.

Stephanie also provides vocational and client training on regulatory or contractual matters. She is a speaker at the Law School of University of Paris II Panthéon-Assas for its “Diplôme d'université de la protection des données – Data Protection Officer (DPO)” (Data protection – DPO university degree) aimed at training future DPOs under the new European General Data Protection Regulation (GDPR). The degree is open to professionals who already have a first experience.

Stephanie is a member of IAPP, French Privacy associations AFCDP and ADPO and ICC’s Commissions on Digital Economy and Corporate Responsibility and Anti-corruption.

Caroline Egan Lawyer Squire Patton Data Protection

Caroline has extensive experience in commercial and information technology matters. Her particular specialism is UK and cross-jurisdictional data protection and privacy law and UK freedom of information law. She regularly advises global clients on international transfers of data, and UK clients on complex and sensitive data protection and freedom of information issues. She also advises on major IT procurement and outsourcing projects.

Caroline lectures on domestic and cross-jurisdictional data protection issues, and was named a notable...