French Data Protection Authority Fined Medical Software Provider for GDPR Violations

On April 21, 2022, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), announced its decision to fine medical software company Dedalus Biologie €1.5 million following a data breach that exposed health information of nearly 500,000 people. The CNIL noted the company violated several GDPR obligations,…

Read More

New Federal Law Mandates Cyber Incident and Ransomware Payment Reporting for Critical Infrastructure Industries

After years of lengthy debates, Congress passed and the President signed into law a bipartisan bill requiring entities in sectors deemed to constitute “critical infrastructure” to report certain cyber incidents and ransomware payments. Currently, companies may and often do voluntarily report cyber incidents to the FBI or other federal agencies,…

Read More

Ninth Circuit: Web Scraping Does Not Violate CFAA

In a decision that is certain to reverberate through the big data community, the U.S. Court of Appeals for the Ninth Circuit ruled that the primary legal tool that companies tried to use to limit scraping of their websites – the criminal statute Computer Fraud and Abuse Act (“CFAA”) –…

Read More

New Data Protection Rights Coming Soon to Saudi Arabia – Just Not as Soon as Expected

The Kingdom of Saudi Arabia (“Saudi Arabia” or the “Kingdom”) has enacted the Personal Data Protection Law (“PDPL”), the country’s first comprehensive data protection law. The PDPL was scheduled to become effective on March 23, 2022 but full implementation was recently delayed until March 17, 2023, a positive development for…

Read More

U.S. and EU Reach Political Agreement On a New Trans-Atlantic Data Privacy Framework: The Implications for Businesses

On March 25, 2022, President Biden and the President of the European Commission (“EC”) von der Leyen announced that the US and EU reached an agreement in principle on a new Trans-Atlantic Data Privacy framework for transatlantic data flows (the New Framework). The parties now need to translate the consensus…

Read More

Utah Passes Comprehensive Consumer Privacy Legislation

On March 24, 2022, Utah became the fourth U.S. state to adopt consumer data privacy legislation after Utah Gov. Spencer Cox signed the Utah Consumer Privacy Act (“UCPA”).  The UCPA is largely based on the Virginia Consumer Data Protection Act (“VCDPA”). It regulates how a controller (defined by the UCPA…

Read More

UK Data Transfer Mechanism Comes Into Force

The International Data Transfer Agreement (“IDTA”), the long awaited mechanism for international transfers of personal data originating from the United Kingdom (“UK”), is now in force as of March 21, 2022, along with a separate addendum to the EU standard contractual clauses (“UK Addendum”). These transfer mechanisms were introduced by…

Read More

SEC Proposes Expanded and Accelerated Cybersecurity Disclosure by Public Companies

As a significant step in its ongoing initiatives on the disclosure, management and oversight of cybersecurity risks and incidents, on March 9, 2022 the U.S. Securities and Exchange Commission (SEC) proposed new rules that would significantly increase cyber-related disclosures by public operating companies. The proposed rules would: Require disclosure in Form 10-Q…

Read More

U.S. Senators Introduce New Bill to Protect Minors Online – The Kids Online Safety Act

As President Biden calls for stronger online privacy protections for children, Congress has been busy at work to answer the bell. On February 16, 2022, Senators Richard Blumenthal (D-CT) & Marsha Blackburn (R-TN) introduced their highly anticipated bill aimed at protecting children’s health and well-being online – the Kids Online…

Read More