holds by embedding social media plug-ins in website you may become a joint data controller with the social media provider

  On July 29, 2019, the Court of Justice of the European Union (ECJ) published its judgement in case C-40/17, holding – like Advocate General Bobek (see here) suggested – that an organization who embeds a Facebook “Like” button on its website may be considered a data controller. In this case, a German fashion online retailer embedded a Facebook’s ‘Like’ button in its website. As a result, when users landed on the retailer’s website, information about those users’ Read more [...]

CNIL adopts new guidance on cookies

On July 4, 2019, the Commission Nationale de l’informatique et des Libertés (CNIL), the French Data Protection Authority (DPA) adopted new guidelines on cookies and other tracking devices (“Guidelines”). According to the press release, the scrolling down or swiping through a website or application is no longer viewed as a valid expression of consent to the implementation of cookies; tracking services will have to prove that they have obtained consent. The CNIL adopted the Read more [...]

Devices security measures legislation passed in Oregon

  On May 30, 2019, Oregon Governor signed HB 2395 containing security measures required for devices that connect to the Internet and that are assigned an Internet Protocol address or another number that identifies the connected device. The manufacturer shall equip the connected device with “reasonable security features”, which may consist of means for authentication from outside a local area network and compliance with federal law requirements that apply to security measures for Read more [...]

Update: oral hearing before the ECJ on Model Clauses preliminary ruling

On July 9, 2019, the European Court of Justice (CJEU) heard oral arguments on a landmark case concerning Facebook's transfer of personal data from the EU to the US on the basis of the currently utilized “standard contractual clauses” (SCCs) mechanism. The CJEU's decision -- will have tangible consequences for businesses performing data transfers from the EU to the US -- is expected in December 2019. Background By way of background. In 2013 Mr. Schrems demanded the suspension of data flow Read more [...]

Maine adopts what is considered the strictest privacy law in the US for internet service providers

  On June 6, 2019 Maine’s governor signed into law LD 946, “An Act To Protect the Privacy of Online Customer Information.” The Act applies to broadband internet service providers (ISPs) defined as any “mass-market retail service by wire or radio that provides the capability to transmit data to and receive data from all or substantially all Internet endpoints.” ISPs are prohibited from using, disclosing, or selling their customers personal information, which includes the Read more [...]