New EDPB Draft Guidance Provides Practical Scenarios for Data Breach Notification Analysis Under the GDPR

In certain cases, the General Data Protection Regulation (GDPR) requires entities that experience a personal data breach to provide notice of the incident to relevant national supervisory authorities and the individuals whose personal data was compromised. The European Data Protection Board (EDPB) — a board of representative members from each of the European national supervisory authorities — previously endorsed the February 2018 guidelines on personal data breach notification. On Jan. 19, 2021, the EDPB published draft Guidelines 01/2021 on Examples regarding Data Breach Notification (the “draft Guidelines”) to complement the initial notification guidelines. The draft Guidelines provide 18 sample data breach scenarios and offer guidance as to how data controllers should respond to such incidents and analyze potential notification obligations.

The draft Guidelines begin by reiterating core notification principles from the 2018 guidelines. Article 4(12) of the GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Three types of personal data breaches trigger a notification obligation: (a) “confidentiality breaches,” which occur when there is an unauthorized or accidental disclosure of, or access to, personal data; (b) “integrity breaches,” which involve the unauthorized or accidental alteration of personal data; and (c) “availability breaches,” which involve the unauthorized or accidental loss of access to, or destruction of, personal data. Notice is required to be given to appropriate supervisory authorities within 72 hours after controllers become aware of a personal data breach, unless the breach is unlikely to create a risk to a data subject’s rights and freedoms. The draft Guidelines state controllers should make this risk assessment when they become aware of the breach and should not wait for a detailed forensic examination before assessing the breach’s impact.

Virginia Poised to Enact the Consumer Data Protection Act, the Nation’s Second Comprehensive Consumer Privacy Law

Having passed both houses of the Virginia General Assembly, the proposed Consumer Data Protection Act (CDPA) may become the second comprehensive consumer privacy bill to be enacted in the United States. However, to reach the governor’s desk, it would need three more readings in the Senate and two more readings in the House, prior to the end of the session, which will be no later than March 1. If the CDPA reaches Governor Northam this session, he will have seven days to approve, amend or veto the bill. Should he take no action, the bill would become law at the end of seven days per the Virginia Constitution, but would not become effective until Jan. 1, 2023, the same day as the operative date of the California Privacy Rights Act (CPRA), which substantially amends the California Consumer Privacy Act (CCPA).

Alternatively, the governor could return the bill to the Legislature for reconsideration on April 7, 2021, when it reconvenes for the purpose of considering bills that may have been returned by the governor with recommendations for their amendment and bills and items of appropriation, including the general appropriation act, that may have been returned by the governor with his objections. We will be watching Richmond to see what happens.


AdTech Under the CCPA and CPRA

Please join us for a follow-up discussion on AdTech Under the CCPA and CPRA, originally presented as part of the PrivacyOC Privacy Week Forums 2021. Speakers Alan Friel and Kyle Fath will discuss four seemingly overlapping consumer rights under the CPRA: 1) Do Not Sell, 2) Do Not Share, 3) Do Not Profile, and 4) Limit the Use of My Sensitive Personal Information.


Virginia Likely to Become Second State with Comprehensive Privacy Legislation

With a special session scheduled to begin Feb. 10, Virginia is poised to become the second state to pass comprehensive consumer privacy legislation. The Consumer Data Protection Act (CDPA) passed the Virginia Senate on Friday, Feb. 5, and has been referred back to the Virginia House to be reconciled. Seeing that the House previously passed an identical version of the CDPA on Jan. 29, reconciliation should proceed without event and we can expect to see the bill on the governor’s desk this month. The governor has seven days to act once the bill is presented to him. The governor can (1) sign the bill into law, (2) amend the bill and return it to the General Assembly for approval, (3) veto the bill, or (4) take no further action and let the bill automatically become law without his signature. The CDPA is both CCPA- and GDPR-inspired. It would grant consumers rights to access, correct, delete, and obtain a copy of personal data and to opt out of the sale of personal data, processing of personal data for the purposes of targeted advertising, and profiling (automated decision-making).

The CDPA would become effective on Jan. 1, 2023, the same date as the operative date of most provisions in the California Privacy Rights Act, which substantially amends the CCPA.

Stay tuned for a deeper, substantive dive into the CDPA.

For additional articles covering state privacy legislation updates, the CCPA, the CPRA or the recent Schrems II decision, including our 2020 year-in-review article, visit BakerHostetler’s Data Counsel blog and our Consumer Privacy Resource Center.

California AG Becerra Tweets Endorsement for a Universal Opt-Out Tool

On Jan. 28, California Attorney General Becerra tweeted his support for a newly developed privacy tool that may function as a means for universal opt out.

“#CCPA requires businesses to treat a user-enabled global privacy control as a legally valid consumer request to opt out of the sale of their data. CCPA opened the door to developing a technical standard, like the GPC, which satisfies this legal requirement & protects privacy.”

GPC stands for Global Privacy Control, a browser extension that can be downloaded and is compatible with a few commercial browsers, but it does not currently have integrations with the browsers that hold the greatest market share. Instead of having to submit opt-outs on each website a user visits, the GPC would allow a user to enable a “do not sell” switch on supported browsers that operates across all websites they visit, without the need for them to take any additional action.
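As an added illustration of what a site operator does with the signal described above (this is example code, not part of the original post and not from the GPC project): the GPC specification transmits the user's choice as the HTTP request header `Sec-GPC: 1` and exposes it to page scripts as `navigator.globalPrivacyControl`; neither name appears in the post, but both are defined by the specification. The tag catalog, the `selectTags` and `auditEntry` helpers, and the stored-opt-out flag are constructed for this example.

```javascript
// Added example (not from the original post): honouring a Global Privacy
// Control signal on the server side. The GPC specification defines the
// request header "Sec-GPC: 1" and the property navigator.globalPrivacyControl;
// everything else here (tag catalog, helper names) is constructed.

// Returns true only when the request carries a valid GPC opt-out signal.
// HTTP header names are case-insensitive, and the spec defines only the
// value "1"; anything else is treated as "no signal", never as consent.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Decide which third-party tags a page may load. A GPC signal is treated
// like an explicit "do not sell" request: tags that share personal data
// with third parties are withheld, while tags needed to run the site load.
// `userOptedOut` is the site's own stored opt-out state (hypothetical);
// GPC can only add an opt-out, never override a stored one.
function selectTags(headers, tagCatalog, userOptedOut = false) {
  const doNotSell = userOptedOut || hasGpcSignal(headers);
  return tagCatalog
    .filter((tag) => !(doNotSell && tag.sharesPersonalData))
    .map((tag) => tag.name);
}

// Record how the decision was reached so the opt-out can be evidenced later.
function auditEntry(headers, userOptedOut = false) {
  const gpc = hasGpcSignal(headers);
  return { gpc, storedOptOut: userOptedOut, salePermitted: !(gpc || userOptedOut) };
}

// Client-side counterpart: the same signal as seen by page scripts.
// `nav` is passed in (rather than using the global) so it can be tested.
function browserSignalsGpc(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Constructed sample catalog: one first-party tag, two ad-tech tags.
const SAMPLE_TAGS = [
  { name: 'analytics-first-party', sharesPersonalData: false },
  { name: 'adtech-retargeting', sharesPersonalData: true },
  { name: 'adtech-data-broker', sharesPersonalData: true },
];

// Constructed request: a browser with GPC enabled.
const SAMPLE_REQUEST_HEADERS = { 'Sec-GPC': '1', 'User-Agent': 'example-browser' };

console.log(selectTags(SAMPLE_REQUEST_HEADERS, SAMPLE_TAGS));
console.log(auditEntry(SAMPLE_REQUEST_HEADERS));
```

The design point is that the signal is consumed before any ad-tech script is emitted, so the "do not sell" choice is applied without the user taking any action on the site, and that a malformed or absent header degrades to "no signal" rather than to "permitted".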

Multiple ad industry groups came together to oppose this endorsement (this includes the Association of National Advertisers, American Association of Advertising Agencies, Interactive Advertising Bureau and the American Advertising Federation) and have stated that they intend to ask Attorney General Becerra to reconsider.

Welcome to the Digital Transformation and Data Economy Newsletter – February 2021 Issue

Across the economy, businesses are using digital technology to pivot into innovative service lines, accelerate growth and transform. A business’s digital strategies and data assets play an important role in its success. Digital transformation means, among other things, deploying the latest technologies – including artificial intelligence (AI) and automated decision-making. However, advances in AI raise fundamental legal and ethical questions. Not surprisingly, there is much debate on how and when to regulate the use of AI. While there is no comprehensive “AI law” in the U.S., there are many current and proposed laws related to the use of AI. It is important for businesses to understand this evolving landscape so they can identify risks during digital transformation – particularly in the areas of notice, transparency and data privacy.

In this issue, we are highlighting Stanton Burke and how his practice advises clients on the legal requirements and ethical considerations when using these technologies.


Podcast: BakerHostetler Blockchain University: Beyond Cryptocurrency – Non-Financial Use Cases for Blockchain

The fourth episode in the series provides an overview of how blockchain is being used today in non-financial applications. Topics discussed include using blockchain in various sectors, including the food supply and pharmaceutical industries, maritime shipping, the cobalt supply chain, self-sovereign identity, credentialing and records management.

Questions & Comments: rmusiala@bakerlaw.com, vreynolds@bakerlaw.com


Subscribe to BakerHosts
Apple Podcast | Google Podcast | iHeartRadio | Spotify | Stitcher | TuneIn
Download Episode Transcript

Podcast: The Digital Health Ecosystem

The healthcare industry is rapidly changing, and digital health acumen is becoming crucial to success. 2020 has led to significant changes in healthcare delivery, and healthcare organizations are turning to data-driven solutions to address industry challenges. As we look ahead, it is important for stakeholders to understand the opportunities and challenges with big data, AI and other technologies. Janine Anthony Bowen discusses the digital health ecosystem and how the industry is rapidly adopting and adapting to digitization and automation.

Questions and Comments: jbowen@bakerlaw.com



Court Finds HHS Had No Lawful Basis Under HIPAA for a $4.3 Million Civil Money Penalty: What Does This Mean for Future HHS Enforcement Actions?

The United States Court of Appeals for the Fifth Circuit recently found that the United States Department of Health and Human Services (HHS) lacked a lawful basis for a $4.3 million civil money penalty order that it issued to a healthcare provider for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Covered entities and business associates should take note of the court’s decision to provide guidance on their HIPAA compliance efforts and response to enforcement actions taken by HHS. This decision could significantly impact future HHS enforcement actions.

Background

Between 2012 and 2013, the healthcare provider notified HHS of three incidents involving stolen and lost devices containing electronic protected health information (ePHI). HHS investigated the incidents and then assessed the healthcare provider $4,348,000 in civil money penalties for alleged violations of the HIPAA provisions that address encryption and disclosures of PHI (45 CFR §§164.312(a)(2)(iv) and 164.502(a)).

The healthcare provider then unsuccessfully appealed the decision to an administrative law judge (ALJ) and to HHS’ Departmental Appeals Board. The healthcare provider then appealed the decision to the Fifth Circuit for review.

Podcast: AD-ttorneys@law: False Advertising or Just Puffing?

Absolute truth in advertising is something of a rarity, but not every untrue statement is false advertising. In this episode, BakerHostetler partner Randy Shaheen is going to ply you with pointers on avoiding puffery’s promotional pitfalls and potential problems.

Questions and Comments: rshaheen@bakerlaw.com

