Kickstart 2025 with These Exciting Insights and CLE Events
Start the new year with valuable insights and learning opportunities from SPB’s Julia Jacobson and Kyle Dull, featuring key events and contributions shaping the future of technology, privacy, and law in 2025.
Data Privacy
Privacy World Week in Review
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.
Gicel Tomimbang Selected as an IAPP Advisory Board Member!
Join Us for a Strafford Webinar on Data Privacy and Security Programs
Join SPB’s Julia Jacobson and Sasha Kiosse for a Strafford webinar on Data Privacy and Security Programs: Policies, Practices, Requirements, Latest Developments, Compliance Updates, taking place next week on Tuesday, December 17, from 1:00 pm to 2:30 pm EST.
Join Us for Three Upcoming Events Across Southeast Asia and the UAE
Discover cutting-edge insights and actionable strategies on cybersecurity, data privacy and legal compliance from SPB partners Scott Warren and Charmian Aw during these upcoming events in Southeast Asia and the Middle East.
Indonesia & SE Asia: 10th International Arbitration & Corporate Crime Summit
12 December 2024 | Jakarta, Indonesia
Hear from Scott Warren as…
First Tranche of Reforms to Australian Privacy Law Passed with Amendments
The first tranche of Australian privacy law reform has been passed by the Australian government and will come into effect within days. This reform further increases the range and type of penalties that Australia can enforce for non-compliance with local privacy law and introduces changes which businesses will need to action.
Unpacking the Proposed Data (Use and Access) Bill
The Data (Use and Access) Bill (“DUA Bill”)[1] had its second reading on 19th November 2024 after being introduced in the House of Lords on 23 October and the Bill is anticipated to enter the Lords’ Committee stage in December. According to the Department for Science, Innovation and Technology, the DUA Bill will harness the power of data to boost the UK economy by an estimated £10 billion, free up thousands of police and NHS staff time and secure the effective use of data for the public interest.[2] The DUA Bill proposes to amend both the UK General Data Protection Regulation (“UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECRs”), despite little weight being placed on this in the Government’s initial press release.
Data Breaches and Spreadsheets: How to Avoid Fines When Excelling
The ICO has fined the Police Service of Northern Ireland (“PSNI”) £750,000 in what it has described as the “most significant data breach that has ever occurred in the history of UK policing”[1]. The ICO imposed the largest ever fine on a public body following the unauthorised disclosure of an Excel spreadsheet containing the personal data of 9,483 police officers and staff. Given the ICO’s stated policy for public authorities is for enforcement to act as a deterrent and to remedy data breaches through reprimands and enforcement notices, with the use of fines reserved for the most egregious cases, it is, at first glance at least, surprising to see the level of fine imposed. The fine comes with a word of warning to private sector data controllers that they would not have benefited from the reduction afforded to public sector enforcement and could have faced a fine of up to £17.5 million.
Background
On 3 August 2023, the PSNI received two Freedom of Information (FOI) requests from the website WhatDoTheyKnow (WDTK) requesting details of the number of officers and staff at each rank or grade. This data was compiled by the PSNI’s Workforce Planning Team by downloading and editing existing HR Excel spreadsheets. After preparation, the responsive spreadsheet was sent to the Head of the Workforce Planning Team for quality assurance checks. Once reviewed, it was forwarded to the FOI Decision Maker, who chose to disclose the Excel file in its original format rather than convert it to a Word document, due to technical issues.
Cancel Culture: New Requirements for Automatic Renewal and Other Negative Option Offers
2024 was an active year for regulation of customer contracts with “negative option” features. Generally, a “negative option” provision in an offer to sell products or provide services means that a customer’s silence or failure to take action to reject the terms of the offer is deemed by the seller as the customer’s acceptance of the offer terms.
Earlier in 2024, three states updated laws related to negative option provisions in customer contracts (together, the 2024 State Autorenewal Laws):
- Utah enacted its Automatic Renewal Contracts Act on March 13, 2024, with an in-force date of January 1, 2025 (Utah ARCA).
- Virginia amended its consumer protection law related to automatic renewal and continuous service offers (which was effective on July 1, 2024) (Virginia AR Law).
- California amended its Automatic Purchase Renewals law on September 24, 2024 with the amendments in force on July 1, 2025 (California AR Law).
Then, on October 16, 2024, the Federal Trade Commission (FTC) issued the final version of its “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (FTC Final Rule). (We previously covered the FTC’s notice of proposed rulemaking for negative options on Privacy World here.) The Federal Register publication date for the FTC Final Rule is November 15, 2024. Whether the FTC Final Rule will survive the change in Administration is an open question, as discussed below.
Both the 2024 State Autorenewal Laws and FTC Final Rule include new or expanded obligations. When effective, the FTC Final Rule will preempt the 2024 State Autorenewal Laws (and the other similar state laws) to the extent they are “inconsistent” with its requirements. State laws that afford greater protection than the FTC Final Rule are not inconsistent with the FTC Final Rule. In other words, the FTC Final Rule sets a national “floor,” and states may add more consumer-protective obligations, as reflected in certain aspects of the 2024 State Autorenewal Laws described below.
SPB’s Alan Friel Speaks on Privacy Risk Assessments: Aligning Business With Compliance
SPB’s Alan Friel was recently featured in Privacy Risk Assessments: Aligning Business with Compliance, the latest episode of She Said Privacy/He Said Security, hosted by Redclover Advisors.
In this discussion, Alan delves into the requirements for data protection impact assessments under US state consumer privacy and related laws, addressing the scope of these…
When Data Breaches Cost Twice – AEPD’s Landmark Fine Shows That Being the Victim of a Cyberattack Doesn’t Excuse GDPR Failures
In a cautionary decision for companies handling personal data, the Spanish Data Protection Authority (AEPD) issued a substantial fine to a telecommunications distributor following a significant data breach. In April 2021, the company at the center of the case had been targeted by a ransomware attack using Babuk malware, which encrypted files and interrupted operations. When the company refused to pay the ransom, cybercriminals published the personal data of around 13 million individuals on the dark web, exposing affected users to serious risks of fraud and identity theft.