In this week’s Privacy Tracker legislative roundup, find an in-depth report on risk in the EU General Data Protection Regulation, plus learn why Hogan Lovells thinks the EU-U.S. Privacy Shield will withstand legal challenges. Also, read about the challenges of cross-border use of U.S. cloud services by Canadians and how industry groups continue to push back against Australia’s mandatory breach notification law. In the U.S., Colorado is considering a student privacy law some say would be the toughest in the nation, Georgia is set to adopt drone regulations, and Tennessee is about to be the first state to require breach notification even when the information is encrypted.

LATEST NEWS

The Colorado legislature is considering a student privacy law that would prohibit ed-tech companies from creating profiles on students, selling data or using it to target advertising, reports CBS Local.

The Omaha legislature is debating an employee social media bill that would prohibit employers from requesting access to online accounts, reports Lincoln Journal Star.

ICYMI

IAPP Westin Fellow Gabriel Maldoff, CIPP/US, examines the EU General Data Protection Regulation's risk-based approach to data protection in this in-depth study.

Berkeley law professor Paul Schwartz writes for Privacy Perspectives about the “risk principle” is now enshrined in the EU’s General Data Protection Regulation, but adds it offers “two different approaches to the concept.”

Canadian organizations considering using American cloud services should carefully consider how to ensure legal compliance and enforce contracts regarding comparable levels of protection,” writes Wael Hassan, founder of Ki Design, for Privacy Tracker.

U.S.

Law firm Hogan Lovells has released a 60-plus-page “Legal Analysis of the EU-U.S. Privacy Shield,” whereby the report’s authors assess the likelihood the Shield will withstand legal challenge by referencing jurisprudence of the Court of Justice of the European Union.

Tennessee will be the first state in the nation requiring notification of any breach, regardless of whether the information is encrypted or not, The National Law Review reports.
Full Story

The Maryland Court of Special Appeals said in a legal opinion that state police must get a warrant before they can deploy Stingrays, and they also have to explain to the court exactly what the cell-simulator does and how it will be used, Ars Technica reports.

ASIA PACIFIC

CANADA

EUROPE

In an emergency hearing, the Court of Justice of the European Union will discuss whether massive interception of communications data violates primary human rights, could have a major impact on both U.K. surveillance law and the upcoming “Brexit” vote, Lawyer Herald reports.