On January 17, 2024, the European Data Protection Board (“EDPB”) published its report on the 2023 Coordinated Enforcement Framework (“CEF”), which examines the current landscape and obstacles faced by data protection officers (“DPOs”) across the EU.  In particular, the report provides a snapshot of the findings of each supervisory authority (“SA”) on the role of DPOs, with a particular focus on (i) the challenges DPOs face and (ii) recommendations to mitigate and address these obstacles in light of the GDPR.  This blog post summarizes the key findings of the EDPB’s 2023 CEF report.

On April 2, the Enforcement Division of the California Privacy Protection Agency issued its first Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests.”  The Advisory highlights certain provisions of and regulations promulgated under the California Consumer Privacy Act (“CCPA”) that “reflect the concept of data minimization” and provides two examples that illustrate how businesses may apply data minimization principles in certain scenarios.

A federal judge in the Southern District of California recently granted Hwareh.com’s motion to dismiss a proposed class action claiming that third-party source code on its website unlawfully routed consumer information to that third party.  See Zarif v. Hwareh.com, Inc., No. 3:23-cv-00565-BAS-DEB (S.D. Cal.).  The court found that the plaintiff—whose claims included asserted violations of the Federal Wiretap Act, 18 U.S.C. § 2510 et seq., and the California Invasion of Privacy Act, Cal. Pen. Code § 631—failed to establish that the court had personal jurisdiction over Hwareh.com, an online pharmacy.  Hwareh.com is incorporated in Delaware and maintains its principal place of business in Missouri, but the plaintiff alleged that its website was available in California and that it maintained a non-resident pharmacy license in the state.  The court’s decision is the latest in a series of decisions clarifying personal jurisdiction in the context of privacy claims.

Today, the European Parliament approved a new (recast) Urban Wastewater Treatment Directive (“UWWTD”) that will impose new additional costs on producers marketing pharmaceutical and cosmetic products in the European Economic Area by the end of 2027.  Some studies suggest that the costs that producers would have to collectively pay could be around €1 billion per

On April 3, at the International Association of Privacy Professionals’ global privacy conference, California Privacy Protection Agency (“CPPA”) Executive Director Ashkan Soltani gave remarks on his agency’s priorities with respect to rulemaking and administrative enforcement of the California Consumer Privacy Act (“CCPA”).  Below we provide a few key takeaways:

In Elegant Massage, LLC v. State Farm Mutual Automobile Insurance Co., 95 F.4th 181 (4th Cir. 2024), the Fourth Circuit took the unusual step of exercising interlocutory appellate jurisdiction over an order denying a motion to dismiss.  Having granted a petition for interlocutory review under Federal Rule of Civil Procedure 23(f) of a class certification order, the court concluded that its review of the class order required it also to review the district court’s earlier denial of the defendant’s motion to dismiss. 

On April 4, 2024, Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel released a draft of the agency’s long-anticipated Safeguarding and Securing the Open Internet Order (Open Internet Order), which would reclassify broadband Internet access service as a telecommunications service under Title II of the Communications Act of 1934, as amended.  The FCC is expected to consider and vote on the draft at its next Open Commission Meeting scheduled for April 25, 2024.  The FCC is expected to adopt the Open Internet Order now that Democrats hold a 3-2 majority at the agency.

Last month, the Federal Communications Commission (“FCC”) raised the fixed broadband speed benchmark from 25/3 megabits per second (“Mbps”) to 100/20 Mbps and concluded that “advanced telecommunications capability is not being deployed to all Americans in a reasonable and timely fashion.” As a consequence, the FCC concluded that “section 706 [of the Telecommunications Act of 1996] requires [it] to ‘take immediate action to accelerate deployment of such capability by removing barriers to infrastructure investment and by promoting competition in the telecommunications market.’”

In early March 2024, the EU lawmakers reached agreement on the European Health Data Space (EHDS).  For now, we only have a work-in-progress draft version of the text, but a number of interesting points can already be highlighted.  This article focusses on the obligations of data users; for an overview of the EHDS generally, see our first post in this series.

We expect the final text of the EHDS to be adopted by the European Parliament in April 2024 and by the EU Member States shortly thereafter.