GDPR Guidance on a Controller's Oversight Responsibilities and Legitimate Interests

Two new instructive documents published by the European Data Protection Board (EDPB) clarify the responsibilities of controllers in verifying processors’ ability to provide adequate data protection, and when “legitimate interests” can be relied on as the legal basis for processing.

According to the EDPB's opinion on the controller's oversight responsibilities, controllers must actively verify sufficient compliance by processors and sub-processors, ...

FTC Issues "Click-to-Cancel" Rule for Simpler Cancellation of Subscriptions

The U.S. Federal Trade Commission (FTC) announced the adoption of a “click-to-cancel” rule that will require subscription sellers and service providers to make it “as easy for consumers to cancel their enrollment as it was to sign up”. The rule is set to take effect in April 2025.

The rule targets what are called “negative option programs”, where a seller ...

Internet Access Provider Liable for Subscribers' Piracy Activities

In an appeal by the Texan internet service provider (ISP) Grande Communication Networks LLC (“Grande”), a U.S. federal court of appeals upheld the lower court's decision finding the ISP liable for copyright infringements and pirating practices committed by its subscribers. However, the court of appeals dismissed the lower court's jury verdict of nearly $47 million.

In the lower ...

U.S. Federal Court Rules eBay Not Liable for Harmful Products Sold on Its Platform

A federal court in New York found that the online e-commerce giant eBay bears no liability for products sold on its platform by merchants when these products are banned by federal laws. The decision was handed down in the Justice Department’s lawsuit against eBay, which alleged that eBay has been allowing businesses to use its platform to sell banned engine ...

Irish Data Protection Commission Slaps €91 Million Fine on ‘Meta Ireland’

Following a five-year-long investigation, the Irish Data Protection Commission (DPC) imposed a €91 million fine in late September over Meta’s data breach incident, in which hundreds of millions of user passwords were kept in an unencrypted, readable ‘plaintext’ format. The DPC found that Meta violated its obligations as a controller under the GDPR, reprimanded the company, and issued a ...

U.S. Securities Commission Imposes Fines for Improper Disclosures of Data Security Risk

The U.S. Securities and Exchange Commission (SEC) charged four companies with making materially misleading disclosures regarding cybersecurity risks and intrusions. The companies have settled the SEC’s charges, paying a total of $7 million in civil penalties.

The companies, Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd, and Mimecast Limited, were victims of breaches resulting from the SolarWinds cyber-attack ...

Israeli Privacy Protection Authority Issues Guidelines on Data Transfers

The Israeli Privacy Protection Authority (the “PPA”) published the final version of its position paper regarding international transfers of personal information. Like the draft paper in 2022, the final version recognizes the significant practical difficulties that regulations on international data transfers raise, given Regulation 3 of the Privacy Protection Regulations (Transfer of Information to Databases Outside the State’s Borders), 5761-2001 ...

U.S. Federal Courts Enjoin Three State Laws Regulating Online Content

Federal courts in Texas, California, and Utah issued preliminary injunctions blocking controversial state laws directed at social networks, focusing on provisions that the courts deemed to negatively affect the platforms’ right to free speech.

A federal court in Texas accepted industry groups’ petition and blocked several provisions of the state’s Securing Children Online Through Parental Empowerment Act (SCOPE ACT), signed ...