DBR ON DATA

Security, Privacy and Information Governance

Author: Yodi Hailemariam

VTech Settlement Resolves COPPA Allegations in FTC’s First Connected Toy Case

Share

The Federal Trade Commission announced a settlement with VTech Electronics Limited and its U.S. subsidiary in the FTC’s first case involving Internet-connected toys.

VTech had been charged with violating the FTC Act and the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children without providing direct notice and obtaining their parent’s consent, as well as failing to properly secure the data it collected.  The settlement includes a payment of $650,000 in civil penalties, injunctive relief, and the establishment of a comprehensive security program.

Background

VTech, a Hong Kong corporation, and VTech Electronics North America, advertise, market and distribute electronic learning products (ELPs).  The companies offer online games available through the ELPs and operate the Learning Lodge Navigator online service, a platform similar to an app store that allows customers to download child-directed apps, games, e-books and other online content.  As of November 2015, approximately 2.25 million parents had created accounts with Learning Lodge for nearly 3 million children, according to the FTC.

Continue reading

EU May Soon Decide “Adequate” Status for Japan

Share

The European Union (EU) may soon decide whether Japan will have “adequate” status for transfers of personal data from the EU.  Reuters reported on December 15, 2017 that the European Union is aiming to finalize a data transfer agreement with Japan by early 2018.

Set to be implemented in May 2018, the EU’s General Data Protection Regulation (GDPR) will require that EU citizens’ personal data be transferred to only countries  with an adequate data protection status, forbidding companies from storing EU citizens’ personal data in foreign countries deemed to have an “inadequate” level of privacy protection.

Under the EU’s privacy framework, the European Commission has the power to determine, based on Article 25(6) of Directive 94/46/EC, whether a foreign country has an “adequate” level of data protection under that country’s domestic laws or international commitments.  If a foreign country is deemed adequate, personal data can flow from the 28 EU countries (and three EEA member countries of Norway, Liechtenstein, and Iceland) to the foreign country without further safeguards.

The commission has so far deemed only 12 countries – Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, the United States (under the EU-US Privacy Shield), and Uruguay – as providing adequate protection.  The EU does not include the United States among its adequate protection countries. But Decision 2016/1250 on the adequacy of protection of the EU-US Privacy shield, commonly known as the EU-US Privacy Shield, was designed as a program whereby participating US companies or companies doing business in the US are deemed to have adequate protection.

An adequacy determination for Japan would be monumental for Japanese companies and companies doing business in Japan, with EU Justice Commissioner Vera Jourova recently stating that”[a]n adequacy decision would be great news for business as it would allow for the transfer of personal data from the EU to Japan without the need for extra authorisations.”

Human Rights Watch Denounces China’s Big Data Policing

Share

An international human rights organization is urging the Chinese government to stop building big data policing technologies that aggregate and analyze citizens’ personal information.  Though governments collecting information about its citizens is not new, China has begun pursuing newer and ambitious technologies, such as big data analytics, facial recognition, and cloud computing, to better and more quickly aggregate, mine, and leverage personal information.
Continue reading

FDA Approves First Digital Pill

Share

The U.S. Food and Drug Administration has approved the country’s first drug with a digital ingestion tracking system.

Abilify MyCite is a pill that digitally tracks whether patients have taken the medication.  The pill contains a sensor that, once ingested, sends a message to a patient’s wearable patch, which then transmits the information to a smartphone application.  This voluntary process allows patients, caregivers, and physicians to track this information through a web-based portal if the patient has given consent.  Experts believe that such digital devices could have a positive impact on public health by addressing a longstanding problem; in this case, that patients do not take their medicines as prescribed.

Continue reading

Japan’s Protection of Personal Information Amendments Go into Effect

Share

The amendments to Japan’s Act on the Protection of Personal Information went into effect on May 30, 2017. The amendments provide clarity on what types of personal information will be regulated and steps operators need to take to be in compliance.

The Act, Generally

Formulated “to protect an individual’s right and interests while considering the utility of personal information,” the Act (1) sets forth the overall vision and policy regarding the proper handling and protection of personal information, (2) clarifies the responsibilities and obligations of the central and local governments in the protection of personal information, and (3) ensures that the proper application of personal information contributes to the creation of new industries, the realization of a vibrant economic society, and an enriched quality of life for the people of Japan.
Continue reading

© 2018 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

Disclaimer/Privacy Policy