On July 16, 2020, Blackbaud, a U.S.-based cloud computing provider and one of the world’s largest providers of education administration, fundraising, and financial management software, notified users of its services that it had suffered a ransomware attack in May 2020 in relation to personal data stored on its servers. Numerous colleges, universities, foundations, and other non-profits across the U.K., U.S. and Canada were affected.

Blackbaud’s handling of the attack has raised some questions. Blackbaud has confirmed in a statement on its website that it paid the cyber-criminal’s ransom demand in return for confirmation that the stolen data had been destroyed. Paying ransom demands is not unlawful, but it goes against the official advice issued by many law enforcement agencies, including the FBI. In addition, Blackbaud has faced criticism for taking many weeks to inform its customers of the breach.

Continue Reading Blackbaud Data Breach: Do You Need to Notify Affected Individuals or EU Data Protection Authorities?

In its long-awaited judgment in the Schrems II case, the ECJ has this morning invalidated the EU-US Privacy Shield, citing the “limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities” in respect of personal data transferred from the European Union to the United States, on the basis that such limitations do not provide the protections ensured under EU law. The ECJ’s concerns centered around certain US surveillance programs which are not limited to what is strictly necessary and EU data subjects not having effective rights of enforcement against US authorities under US laws.

Continue Reading ECJ Invalidates the EU-US Privacy Shield! How Safe is it to Use SCCs for Data Transfers from the EU to the US?

Artificial intelligence (AI) refers to the ability of a computer or a computer-enabled robotic system to process information and produce outcomes in a manner similar to the thought processes of humans in learning, decision making and problem solving.  As a result of rapid advances in AI, pre-pandemic, McKinsey Global Institute estimated that between 75 and 375 million people around the world will need to change jobs or acquire new skills by 2030.  AI holds the promise of both innovation and disruption, as does the legal framework that is developing to rein in its risks without hindering its progress.

In May 2019, the US Government joined the OECD (Organisation for Economic Co-operation and Development) in setting forth principles to improve the innovation and trustworthy development and application of AI.  At the same time, the bipartisan Artificial Intelligence Initiative Act (AIIA) was introduced in the US Senate to organize a national strategy for developing AI and provide a $2.2 billion federal investment over five years to build an AI-ready workforce, accelerating the delivery of AI applications from government agencies, academia, and the private sector over the next 10 years.

Continue Reading The Evolving World of AI

Does your phone immediately unlock for use after you glance at it?  Have you visited your favorite social media platform only to find that you have been tagged in dozens of pictures?  Or how about that time you scanned your fingerprints or eyes to open your phone, gain admittance to a theme park, or pass through airport security?  These features all involve biometrics technology—the latest trend and high-growth area of technology used to help organizations provide consumers with a more effortless and interactive experience in exchange for personal information about your physical or behavioral attributes.  Companies should be mindful of how they collect, use, and store this data.

Biometrics include facial, fingerprint, iris, gestures, and voice recognition.  While biometrics technology is becoming more ubiquitous in daily life and being employed by more governmental agencies and service providers, new privacy considerations will continue to emerge as a result of the pieces of personal information shared by consumers to increase convenience.

Continue Reading As Biometrics Technology Permeates Everyday Life, What Laws Should Companies Be Aware Of?

If you’re like us, you’ve been anticipating an announcement from the California Attorney General about the types of companies it targeted in its initial enforcement of the California Consumer Privacy Act (the “CCPA”), the types of violations the AG is interested in, and the types of arguments it is making in enforcing the Act.  While official word from the AG is unlikely before the end of the 30-day cure period following its initial notice letters, a member of the AG’s office did confirm during a recent panel discussion that the AG sent out those letters on July 1, 2020.

The statement was part of a fascinating and informative panel put on by the International Association of Privacy Professionals (“IAPP”).  It featured Stacey Schesser, Supervising Deputy Attorney General for the State of California and part of a multi-member team of attorneys in the AG’s office charged with enforcing the CCPA.  A recording is available on the IAPP’s website, and we encourage you to check it out if you’re a member.  In terms of the details gleaned from Ms. Schesser’s comments, here is what we know about the AG’s enforcement of the CCPA to date:

Continue Reading California Attorney General CCPA Enforcement—Make Sure You Pay Attention to What Customers Are Saying on Twitter

Update: On the evening of June 24, 2020—the same date we published the post below and the day before the original deadline for verification of signatures—the Secretary of State announced that the CPRA reached the signature verification threshold and qualified for the fall 2020 ballot.  While the Mactaggart lawsuit will now be a mere footnote in the history of the CPRA, any way you look at it, this was a successful week for Californians for Consumer Privacy.

On June 19, 2020, the Superior Court for Sacramento County, California issued a ruling providing relief to the promoters of the California Privacy Rights Act ballot initiative (the “CPRA”).  We wrote here about the potential problem with the timing of the signature verification process required for the CPRA to qualify for the Fall 2020 ballot, but that issue now appears to be resolved.

The specifics are to be ironed out in a further order to be jointly proposed by the parties, but suffice it to say that the procedural issue with the timing of signature verification will not prevent the CPRA from appearing on the Fall 2020 ballot.  For now, the Court ordered as follows:

Continue Reading CPRA Back on Track Following Court Order

The Court of Justice of the European Union (ECJ) has announced that it will deliver its judgment in what has become known as the Schrems II case (Case 311/18 Facebook Ireland and Schrems) on 16th July 2020. The judgment will determine the validity of the Standard Contractual Clauses (or Model Clauses) (SCCs) as a transfer mechanism under the GDPR. This case arose following a complaint from Max Schrems, a lawyer and data privacy campaigner, to the Irish Data Protection Commissioner (DPA) about transfers of his personal data from Facebook Ireland to Facebook US using SCCs. Mr. Schrems’s position is that Facebook is violating the EU data protection laws by allowing US intelligence authorities to access his personal data. The DPA issued proceedings in the Irish High Court in relation to the matter, which were stayed in 2018, with various questions raised by the DPC relating to SCCs referred to the ECJ for determination.

Continue Reading ECJ to Deliver Judgment on the Validity of SCCs on 16th July 2020

On May 14, California Secretary of State Alex Padilla announced that the California Privacy Rights Act of 2020 (the “CPRA”) had obtained sufficient raw signatures to qualify for the November 3, 2020 ballot.  Those signatures are currently being verified by the counties in which they were obtained.  However, based on a complaint filed June 8 by Alastair Mactaggart and other members of Californians for Consumer Privacy—the proponents of the CPRA—it appears that the verification process may not be completed in time for the CPRA to appear on the ballot this Fall.

The lawsuit, Alastair Mactaggart, et al. v. Padilla, filed in Sacramento County Superior Court, alleges that Secretary of State Padilla failed to adhere to a provision of the California Elections Code requiring his office to “immediately” notify county officials to begin the verification process upon receipt of a sufficient number of raw signatures.  Here is a brief timeline of the events alleged in the Complaint:

Continue Reading A Day Late, but Will it Fall Short? CPRA Ballot Initiative May Not Appear on Fall Ballot

Zoom’s video communications platform service and its data privacy issues and security vulnerabilities have been a very hot topic of late, covered by numerous media outlets and in our recent Password Protected post.  Due in part to the COVID-19 pandemic and resulting “stay-at-home” orders, as well as Zoom’s user-friendly set up and ability for large numbers of people to join a meeting for free, Zoom use has grown exponentially, from 10 million daily meeting participants pre-pandemic, to over 300 million daily meeting participants in April 2020. In an April 23, 2020 executive letter, Zoom touted use of its platform by over 100,000 schools and universities, U.S. and foreign governments, and numerous companies, including many Fortune 500 companies, located in over 226 countries and territories around the world.

Continue Reading Are We (Finally) Ready to Zoom?

On June 1, 2020, the California Attorney General submitted the final text of the CCPA Regulations to the California Office of Administrative Law (the “OAL”).  This was the last step the AG needed to take before the Regulations become enforceable.  But whether enforcement will still start on July 1, 2020 as set forth in the CCPA remains uncertain.

What does this mean for the timing of CCPA enforcement?

Some have questioned whether the AG’s delay in submitting the Regulations following the end of the last comment period in March signaled an intent by the AG to delay enforcement of the CCPA.  So far, however, there is no indication of any intended delay in either the AG’s press announcement regarding submission of the Final Regulations or his prior comments reiterating his intention to keep enforcement on track despite COVID-19.  Indeed, the AG requested expedited review of the Regulations by OAL in order to meet the July 1 deadline.

Continue Reading AG Submits Final CCPA Regulations—Is Enforcement Still on Track for July 1, 2020?