The European Union (EU)’s government organizations are just like any other entity trying to function in a world where global companies and even government entities are reliant on digital platforms for messaging and collaboration. For years, there has been debate about how platforms like Microsoft 365, formerly Office 365, could be deployed in a way that complies with the GDPR processing and transfer restrictions. And it turns out that even the European Commission (EC) itself can apparently get it wrong. In a surprising turn of events earlier this month, the European Data Protection Supervisor (EDPS) concluded its nearly three-year investigation into the Commission’s own deployment and use of Microsoft 365, signaling a pivotal moment in the conversation about the GDPR privacy and security requirements for cloud-based messaging and document collaboration platforms.

Continue Reading: Surprising Plot Twist: The European Data Protection Supervisor Reprimands the European Union for its use of Microsoft 365

This blog has been cross-posted on the Consumer Class Defense site.

Anyone following trends in consumer class action litigation will know that consumer privacy was a primary focus of the plaintiff’s bar in 2023. And there are no signs this uptick in consumer privacy claims is slowing any time soon. Although the claims center around use of tracking technology or analytics functions on consumer facing websites, several different statutes and claims have been asserted, including violations of state wiretap statutes and the Video Privacy Protection Act (“VPPA”).

Although these cases are largely at the motion to dismiss stage, and therefore there is little insight into how certain key defenses will play out, some recent decisions surrounding VPPA claims have shifted the landscape in certain defendants’ favor.

Continue Reading: Is the Video Privacy Protection Act Losing its Allure?

Employers looking to enhance their suite of employee benefit programs, and focused on lessons learned during the pandemic on wellbeing, are interested in providing greater access to wellness tools. And, the vendors who support those tools are more than happy to provide them. Global spend in the health and wellness market would be around $24.8 billion in 2023 according to a study by Kilo Health. Wellness apps and wearables abound in all sorts of areas — from counting steps to nutrition to mental health to physical fitness to financial fitness. These tools are relatively inexpensive to provide and easily accessible to the workforce – many times with just a simple download to a smartphone. And, best of all, they’re completely private with no middle man, and only the employee seeing their own data and progress. Right? Well — not so fast.

Continue Reading: Wellness Apps and Privacy

With so many companies being hauled into court in California based on claims that the functionalities on their website and use of service providers for marketing or analytics purposes violate consumer privacy rights, it is important to exhaust all possible defenses available to defendants. Late last year, the Ninth Circuit issued a ruling upholding a dismissal based on a lack of personal jurisdiction over a web-based payment company. Companies operating interactive websites may be able to take advantage of this ruling as part of their defense strategy in 2024.

Continue Reading: Ninth Circuit Opinion Supports Personal Jurisdiction Defense for Interactive Websites

On October 5, 2023, Seyfarth offered a Masterclass, hosted by Lexology, which was designed to familiarize in-house counsel and privacy professionals, in and out of Washington state, with the My Health My Data Act legislation. Portions of the Act are already in effect and go into further effect on March 31, 2024.

We explored its

As organizations begin renewing and entering into new contractual relationships for 2024, an oft-forgotten aspect of the contracting process is determining whether a Business Associate Agreement (a “BAA”) is required. Under HIPAA, health care providers, health plans and health care clearinghouses (“Covered Entities”) are required to enter into BAAs with any vendor (“Business Associate”) that may have access to Protected Health Information (“PHI”). Many organizations operate under a misconception that they are not subject to HIPAA if they are not in the health care industry but, in fact, HIPAA’s reach is much broader than that. For example, organizations that sponsor health plans, including employers that sponsor self-funded plans, are responsible for their health plans’ compliance with HIPAA, including the requirement to enter into BAAs with plan vendors. As another example, information technology organizations providing services to employers that offer health plans may be asked to sign a BAA as a Business Associate if they have access to data on the employer’s systems that may constitute PHI.

Continue Reading: Top 5 Reasons to Remember Your Business Associate Agreements This Fall

Thursday, October 5, 2023
1:00 p.m. – 2:00 p.m. ET
12:00 p.m. – 1:00 p.m. CT
11:00 a.m. – 12:00 p.m. MT
10:00 a.m. – 11:00 a.m. PT

About the Program

Seyfarth is pleased to offer this Masterclass, hosted by Lexology, which is designed to familiarize in-house counsel and privacy professionals, in and

By this point, most people in the employee benefits space have heard about the MOVEit and Retirement Clearing House (RCH) cyber incidents, which could directly impact employers’ benefit plans. The MOVEit file transfer application is used by a number of vendors, including those that locate missing plan participants or find information regarding deceased plan participants (e.g., PBI Research Services). RCH is often used by retirement plans to facilitate benefit transfers, including for IRA rollovers. Other plan vendors/subcontractors may also use the MOVEit software application or subcontract with RCH for their plan services. Actual and potential victims have included state and federal government agencies as well as companies across a variety of industries (and their benefit plans) who were using MOVEit or RCH, or who engaged with service providers who used these tools.

Continue Reading: Multiple Cyber Incidents Impact Employee Benefit Plans and Participants

2023 has brought several states into the privacy limelight. On June 18, Governor Abbott signed the Texas Data Privacy and Security Act (“TDPSA”) into law, making the Lone Star state the eleventh in the U.S. to pass a comprehensive data privacy and security law. The Act provides Texas consumers the ability to submit requests to exercise privacy rights, and extends to parents the ability to exercise rights on behalf of their minor children.

The Texas Act provides the usual complement of data subject rights relating to access, corrections, data portability, and to opt out of data being processed for purposes of targeted advertising, the sale of personal information, and profiling where a consumer may be significantly or legally affected. It also requires that covered businesses provide a privacy notice and other disclosures relevant to how they use consumer data.

Continue Reading: Texas Joins the Privacy Party

Seyfarth Synopsis: The U.S. District Court for the Northern District of Illinois recently denied Plaintiff’s motion to reconsider a prior dismissal of his privacy action due to untimeliness. In a case titled Bonilla, et al. v. Ancestry.com Operations Inc., et al., No. 20-cv-7390 (N.D. Ill.), Plaintiff alleged that consumer DNA network Ancestry DNA violated the Illinois Right of Publicity Act (“IRPA”) when it uploaded his high school yearbook photo to its website. The Court initially granted Ancestry’s motion for summary judgment, finding Plaintiff’s claims to be time-barred under the applicable one-year limitations period. Upon reconsideration, Plaintiff – unsuccessfully – made a first-of-its-kind argument that the Court should apply the Illinois Biometric Privacy Act’s five-year statute of limitations to the IRPA.

Continue Reading: Federal Court Rejects Application of BIPA Statute of Limitations to Privacy Act Violations