Photo of Damian Privitera

Damian Privitera advises clients on the design and implementation of data privacy and cybersecurity compliance strategies. He regularly counsels businesses across sectors on data breach identification, investigation and response, internal policy and procedure development, contracting procurement, and website privacy policies and terms of use. Damian helps clients comply with specific data privacy and cybersecurity rules including the GDPR, New York DFS cybersecurity regulations, and HIPAA. His privacy and cybersecurity-related interests include data subject rights, workforce education and compliance, and international data collection, use and transfer. Damian's complete biography can be found here.

In what can be seen as growing unease with the use of facial recognition and other biometric identification, at least by the government, the San Francisco Board of Supervisors voted Tuesday to ban city agencies’ use of facial recognition software, including law enforcement agencies. The move, the first for a U.S. city, came as part of an ordinance that added public oversight to the city’s procurement and deployment of surveillance technology more broadly. While the ordinance does nothing to regulate private individuals’ or companies’ development, use or sale of facial recognition technology, privacy advocates are nevertheless praising the move as a stand against growing government surveillance, and the opening salvo in the regulation of what some see as a currently flawed and potentially discriminatory technology.
Continue Reading

Last week, the Supreme Court remanded a privacy class action settlement to the Ninth Circuit over concerns about the named plaintiffs’ standing. Specifically, the Court ordered the Ninth Circuit to conduct a Spokeo analysis to determine whether any of the three named plaintiff’s suffered a concrete injury as a result of Google’s alleged violation of the Stored Communications Act. As a brief reminder, the Court held in Spokeo v. Robbins in 2015 that a technical or procedural violation of a statute is insufficient to meet the “concrete injury” requirement of Article III standing absent actual harm to the plaintiff. Even in cases where Congress has created a private right of action for plaintiffs to pursue violations of a statute, the Court held that does not mean the plaintiff has automatically suffered actual harm or an actual injury due to a statutory violation. In the case at bar, the Court said it could not rule on the validity of the class action settlement before these standing issues presented by Spokeo were addressed by the Ninth Circuit, which issues it also declined to decide.

In another branch of government, freshman Representative Katie Porter highlighted the Spokeo standard without naming it last month in a hearing of the Financial Services Committee, and also seemed to call its conclusion into question. During a round of questioning of a CEO facing a data breach class action lawsuit, Rep. Porter asked him why the company’s lawyers were arguing in court filings that the data breach did not cause harm to consumers, when the CEO himself was clearly uncomfortable with the idea of sharing his own personal information with the Committee.
Continue Reading

Last week, the French data privacy authority fined Google €50 million (about $57 million) for what it called “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” The Commission Nationale de L’informatqiue et des Libertés (CNIL) said that it began its investigation of Google on June 1, 2018 after receiving complaints from two different digital rights advocacy groups on May 25 and May 28, 2018, right when the GDPR was entering into force. In response, the CNIL set out to review the documents available to a user when creating a Google account during Android configuration. Upon that review, the CNIL found two alleged violations of the GDPR, including: (1) a lack of transparency and specificity about essential information such as the purpose of the data processing and the categories and data retention periods of personal data used for personalizing advertisements; and (2) lack of valid consent for ads personalization.

The first alleged violation feeds the second alleged violation here, as the CNIL said users’ consent to ads personalization could not be sufficiently informed when the information presented to them was dispersed over several documents requiring “sometimes up to 5 or 6 actions.” Thus, it isn’t that Google does not provide enough information, but that it does not present the information in one place for the about 20 services that are being offered. And the CNIL stated that the purposes of processing are too vague, meaning a user cannot tell if Google is relying on his or her consent or Google’s own legitimate interests as the legitimate basis of processing. Last, the CNIL found certain of Google’s ads personalization options were pre-checked, although GDPR views unambiguous consent as coming only from an affirmative action such as checking a non-pre-checked box, and that Google’s non-pre-checked boxes for accepting its Privacy Policy and Terms of Service were all-or-nothing consents for all processing activities, whereas GDPR requires specific consent for each purpose.
Continue Reading

After eleven years of litigation, including two decisions by the Connecticut Supreme Court, Byrne v. Avery Center for Obstetrics and Gynecology, P.C. has finally reached a verdict. Last month, the jury awarded the plaintiff $853,000 in damages in connection with her physician practice’s 2005 release of medical records in response to a non-HIPAA compliant subpoena.

A little more than six months after that day in May when privacy policy updates flooded our inboxes and the GDPR came into force, a new study of small business owners in the UK has found that many people and businesses remain essentially “clueless” about the law and its requirements. Commissioned by Aon, the study found that nearly half of the 1,000 small business owners polled are confused about the privacy and security requirements of the law, which could lead many businesses to be in breach of the GDPR without even realizing it. Some examples of potential violations reported by the businesses included paper visitor books logging all visitors to the business and viewable to subsequent visitors, training materials featuring full details of real-life case studies, the use of personal devices by employees for work purposes, and inadequate storage and disposal of paper records. The study also found that business owners were not clear on what constitutes a data breach – thinking the term did not apply to paper records or personal data that was mistakenly posted or sent to the wrong person by email or fax – nor were they clear on the notification requirements, either to the UK’s data protection authority, the Information Commissioner’s Office (“ICO”), or to affected individuals. These small business owners should avail themselves of the ICO’s recent insight into its GDPR enforcement approach from earlier this month, which indicates that ignorant non-compliance likely won’t be looked at favorably.
Continue Reading

As of November 1, consumer credit reporting agencies Equifax, Experian and TransUnion are now subject to the New York DFS cybersecurity regulations that first went into effect back in March 2017. In October 2017, following Equifax’s 2017 data breach and smaller breaches suffered by Experian years earlier, DFS passed new proposed regulations applicable to consumer credit reporting agencies, which went into effect in June of this year. These regulations at 23 NYCRR 201 require consumer credit reporting agencies to register with DFS, outlines prohibited practices of consumer credit reporting agencies, and requires consumer credit reporting agencies to comply with DFS’ cybersecurity regulations at 23 NYCRR 500. Consumer credit reporting agencies were required to register with DFS either by September 15, or within 15 days of becoming subject to the regulations, and as with the Part 500 regulations, the Part 201 regulations have phased-in effective dates for compliance with the cybersecurity regulations, which began on November 1. Unlike the Part 500 regulations, consumer credit reporting agencies have less time between the first compliance date and the second, and less time overall from the first compliance date to the fourth and final compliance date on December 31, 2019.
Continue Reading

Last week, four different settlement agreements were announced with four different Massachusetts hospitals to settle claims that they had violated HIPAA and state consumer protection and data security laws, by either not obtaining proper patient authorizations before allowing a television documentary to be filmed in the hospital or failing to investigate reports of inappropriate access

As the lazy days of summer wind down slowly at first, and then all at once, now is a good time for a reminder that your own employees returning to work full steam may pose the biggest threat to your cybersecurity. According to the U.S. Department of Health and Human Services Office for Civil Rights,

Members of Shipman & Goodwin’s Privacy and Data Protection team join their health law colleagues in explaining how health centers can protect their client data as health care transforms with the use of tools like patient portals and telemedicine in the breakout session The Digital Era: Ensuring Data Privacy in the Age of Transformation.

Nielsen, famed global information and measurement company, was hit last week with a shareholder lawsuit in the Southern District of New York alleging that the EU’s new privacy regulation is to blame for missed targets in its Q2 earnings report, and that Nielsen should have known the hit was coming. The proposed class action claims