Photo of Salha El-Shwehdi

Salha is an associate in Taft's Intellectual Property group focusing on privacy. She earned her J.D. from the University of Dayton School of Law and her B.A. in international studies and political science, magna cum laude, from Wright State University.

The Office for Civil Rights (OCR) recently issued a bulletin (the “Bulletin”) addressing the use of online tracking technologies by HIPAA-covered entities and business associates (collectively “regulated entities”). The Bulletin highlights the regulated entities’ obligations under the HIPAA Privacy, Security, and Breach Notification Rules (collectively the “HIPAA Rules”) when using tracking technologies. This blog post provides the key information regulated entities should know about their obligations under HIPAA when they, or their business associates, use tracking technologies.

Continue Reading Cookies and HIPAA Don’t Always Mix: OCR Issues Guidance on HIPAA and Tracking Technologies

On December 13, 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF or DPF”) signaling the potential return of the framework allowing the flow of personal data between the EU and the United States. Although this is a draft decision, if approved, it will ease trans-Atlantic data flow and ease the restrictions that were placed after the 2020 Schrems II decision invalidated the EU-U.S. Privacy Shield framework for cross-border transfers. This draft adequacy decision ultimately concluded that the DPF provides an adequate level of protection of personal data.

Continue Reading Don’t Call It A Comeback: EU-U.S. Data Privacy Framework Inches Closer to Implementation Following the European Commission’s Draft Adequacy Decision

Two weeks ago, the German Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz or “DSK”) released a report looking into Microsoft 365’s (Microsoft) compliance under the European Union’s General Data Protection Regulation (GDPR). DSK’s overarching conclusion of the report was that use of Microsoft 365 applications by businesses processing personal data runs afoul of GDPR requirements.

The DSK report alleged Microsoft’s policies and disclosures lack clarity with respect to how personal data is processed and which entity is processing that data. DSK was unable to conclusively determine the cases where Microsoft acts as a data controller rather than a data processor. The distinction between a data controller and a data processor is important because Article 5(2) of the GDPR imposes additional accountability requirements and responsibilities for data controllers. The DSK also expressed concerns regarding Microsoft’s lack of overall clarity and notification to users about subcontractors and sub-processors. The group determined that Microsoft’s lack of detail regarding subcontractors and sub-processors falls below the European Commission’s template on Standard Contractual Clauses.
Continue Reading Windows Pain? German Report Casts Doubt on Microsoft GDPR Compliance

The Colorado Attorney General (AG) recently published proposed rules for the Colorado Privacy Act (CPA). These draft rules shed light and clarify how the Attorney General plans to carry out the CPA when it goes into effect on July 1, 2023. These proposed CPA rules are a draft that is not yet finalized and therefore are subject to change. In the upcoming months, the Colorado AG will engage with key stakeholders and the public on feedback regarding these proposed rules. While the draft CPA draft rules are months away from finalization, the proposed rules are intended to help entities understand the AG’s requirements for when the CPA becomes effective. Below are a few key highlights of the draft CPA rules as they currently stand, which supplement the AG’s prior guidance from April 2022.

Continue Reading Colorado AG Publishes CPA Proposed Rules

Once again, California is setting trends in the world of privacy laws. On September 15, 2022, California’s Governor signed the first comprehensive state law to protect children’s online safety. A week later, on September 23, 2022, the New York Senate introduced a similar bill.

New York’s newly introduced Bill, S9563, the Child Data Privacy and Protection Act (“Bill”), largely mirrors the newly passed California law but has some added protections and procedures that online products targeting children must follow if the law is enacted.
Continue Reading From Coast to Coast: New York Introduces New Bill Aiming To Enhance Protections For Children Online a Week After California Enacts Similar Law