Data v. Privacy

Tennessee Information Protection Act (TIPA) Introduced in 2023 State Legislature

March 5, 2023 by Eric Reagan Leave a Comment

The Tennessee Information Protection Act (TIPA) was introduced for the session in January 2023 as companion bills in both the Senate (SB73) and the House (HB1181). As of this writing, it has been referred to committee in both the House and Senate. Last year’s version of the TIPA failed to make it out of committee in either chamber. Reports suggested that concerns about small and medium business impact, along with compliance costs were the key problems with the 2022 version.

The bill amends Title 47, Chapter 18, of the Tennessee Code Annotated with an entirely new part 32 for the TIPA. Chapter 18 is where the consumer protection parts are located – with part 1 devoted to the Tennessee Consumer Protection Act.

If the TIPA happens to pass this session, the current effective date would be July 1, 2024.

[Read more…]

Colorado Privacy Act Adds Another Log to the US Privacy Legislation Campfire

November 30, 2021 by Eric Reagan Leave a Comment

bonfire surrounded with green grass field — Photo by Vlad Bagacian on Pexels.com

Governor Jared Polis signed the Colorado Privacy Act (CPA) as SB 190 into law on July 7, 2021. It goes into effect on July 1, 2023.

With the CPA, Colorado becomes the third state to enact comprehensive privacy legislation. We’re starting to see trends form as state legislatures have success in passing these laws – limited/no private right of action is a common theme. In Colorado’s case, the CPA offers no private right of action.

[Read more…]

EDPB Hints at the Need for Post-Quantum Cryptography in New Data Transfer Recommendations

June 26, 2021 by Eric Reagan Leave a Comment

The European Data Protection Board (EDPB) issued its final recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data last week, which provides additional guidance for international transfers to countries without an Article 45(3) adequacy finding.

Appropriate Safeguards and Technical Supplementary Measures

Getting to the heart of Schrems II and Article 46 transfers subject to appropriate safeguards, the EDPB notes “[a]n essentially equivalent level of protection to that guaranteed within the EU must accompany the data when it travels to third countries outside the EEA to ensure that the level of protection guaranteed by the GDPR is not undermined, both during and after the transfer.” EDPB Recommendations 01/2020 at 9.

As we’ve learned, standard contractual clauses and other Article 46 transfer tools are not bulletproof alternatives to an adequacy finding. Even when using SCCs and other transfer tools containing “appropriate safeguards,” the EDPB points out the other “supplementary measures” may be required “to ensure an essentially equivalent level of protection.” Id. at 13.

[Read more…]

Supreme Court Refuses to Extend CFAA to Employer’s Computer Policies in Van Buren v. United States

June 10, 2021 by Eric Reagan Leave a Comment

The Computer Fraud and Abuse Act of 1986 (CFAA) has been used for 35 years to prosecute cybercriminals and recover damages in civil suits. Those bad actors under the CFAA have more and more commonly been employees who violated company policies by accessing information that the technical controls placed on their employer-issued credentials allowed them to access.

The distinction between such employees and other bad actors is that their employers’ policies prohibited them from using the information in a manner that the employer didn’t like. Unlike the third-party hackers that come to mind when you think of computer fraud and cybercriminals, the employees were given credentials to use their employers’ computer systems in order to access the files within.

The core behavior at issue in Van Buren was whether a computer user who has authorized access to the computer system (in a technical sense) runs afoul of the CFAA if the user’s purpose in accessing the data is prohibited by the terms of their computer use policy.

[Read more…]

Apple iOS 14.5 and the Power of Privacy by Default

May 23, 2021 by Eric Reagan Leave a Comment

Apple made sweeping changes to the privacy settings available to users in iOS 14.5, dubbed App Tracking Transparency (“ATT”). The new operating system has been publicly available since April 26, 2021 and has advertisers and app makers losing their collective minds at the reality of losing the ability to track users.

While iPhone users have previously had a degree of control over which apps on their phones can track them across the web, iOS 14.5 moves from the Opt-Out design to an Opt-In design. The difference is staggering and gives us a taste of the privacy benefits that we receive when our ubiquitous devices adapt a privacy by default framework.

[Read more…]