Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

Delta Finds Reprieve in State Court, but Not Everyone Will Get to Fly the Friendly Skies

Posted in Data Compliance & Security, Mobile Privacy, Privacy Litigation, Privacy Regulation

By Cynthia Larose, Evan Nadel, and Jake Romero

California Attorney General Kamala Harris’ attempt to bring an enforcement action against Delta Air Lines, Inc. won’t be leaving the runway. California Superior Court Judge Marla J. Miller has dismissed a data privacy complaint against Delta brought by Attorney General Harris. The development comes as an unexpected bump in the road for the Attorney General’s office, which has made enforcement of state privacy regulations a top priority. Judge Miller agreed with Delta’s argument that the claim should be dismissed on federal preemption grounds.

See our Mintz Levin Privacy client advisory here for more information.

Mandatory Data Breach Notification Coming to Australia

Posted in Data Breach Notification, Privacy Regulation

Thanks to our friends at Gilbert + Tobin

Privacy law is once again on the Government’s legislation reform agenda with the introduction recently of the Privacy Amendment (Privacy Alerts) Bill 2013.
The Bill, if passed, will amend the Privacy Act 1988 (Cth) to introduce a new mandatory data breach notification scheme for entities regulated under the Federal Act, including public sector agencies, private sector organizations (other than small business), credit reporting bodies and credit providers.

Under current Australian privacy law, there is no legal requirement for an entity to notify either affected individuals, or the Commissioner, if personal information the entity holds is compromised. The Federal Privacy Commissioner – part of the Office of the Australian Information Commissioner – actively encourages voluntary notification by entities in accordance with the OAIC’s guide Data Breach Notification: A guide to handling personal information security breaches.

Wednesday’s introduction of the mandatory notification scheme comes approximately five years after the Australian Law Reform Commission first considered this, and myriad other issues, in its 2008 Report For Your Information: Australian Privacy Law and Practice. The ALRC recommended at the time that the Privacy Act be amended to compel entities to notify individuals where data breaches cause a real risk of serious harm. Somewhat belatedly, the Government released a discussion paper in October 2012 to canvass stakeholder views as to the introduction of a mandatory data breach scheme: submissions closed the following month and were not made available or commented on by the Attorney-General until the day before introduction of this Bill into the Federal Parliament.
The Government’s mandatory notification scheme implements in large part the model first recommended by the ALRC. Specifically, the threshold test for notification under the new scheme reflects the ALRC’s recommendation for a high threshold based on a reasonable belief by the entity concerned that the data breach is sufficiently serious to pose a real risk of serious harm to affected individuals. The Bill, and its Explanatory Memorandum, are not particularly clear on the meaning of the term serious harm, other than to note that it includes reputational, economic, financial, physical and psychological harm, but excludes minor harm. It is expected that the Commissioner will provide further guidance on this issue.

The OAIC Guide suggests that serious harm may include identity theft, disclosure of credit card details and the stigma, embarrassment and discrimination that may result from the misuse of health information. Ultimately, entities will need to assess each data breach on a case-by-case basis to determine whether the circumstances of the breach give rise to a reasonable belief that affected individuals face a real risk of serious harm.

In the event of such a breach, the provisions of the Bill require the entity to notify each affected individual and the Commissioner as soon as practicable. The data breach notice must include:

  • the identity and contact details of the entity;
  • a description of the breach;
  • the kinds of personal information concerned;
  • recommendations about the steps that individuals should take in response to the breach; and
  • any other information specified in the regulations.

The Bill appears to express a preference for direct notification of affected individuals using the methods of communication normally used by the entity to communicate with the individual. In the absence of such a method, the entity must take reasonable steps to notify the individual (e.g. by email, telephone or post).

In circumstances, however, where it is impossible or impracticable to contact each affected individual, the Bill requires an entity to publish a copy of the statement on its website and in each State via publication in a generally circulating newspaper in that State. The circumstances in which such indirect notification is to be undertaken are to be prescribed in the regulations.

Where it is in the public interest to do so, the Commissioner may exempt an entity by notice from its notification obligations. Such notices may be issued upon application or on the Commissioner’s own initiative.

The Bill also provides the Commissioner with the power to direct an entity to notify affected individuals if it has not done so. A failure to comply with the notification requirements of the Bill, as well as a direction by the Commissioner to notify, amounts to an interference with the privacy of an individual, which triggers all the Commissioner’s enforcement powers, including the investigative powers, the power to make determinations, award compensation, seek enforceable undertakings and civil penalties for serious or repeated interferences with privacy.

If passed by Parliament, the mandatory data breach notification scheme will commence at the same time as the new Australian Privacy Principles (APPs) and credit reporting scheme, 12 March 2014.

A copy of the Bill and its Explanatory Memorandum is available here.

Click here to view a brief comparative analysis of the measures in the Bill against those set out in OAIC’s Guide on voluntary notification.


Massachusetts Zip Code Class Action: Take 3

Posted in Class Action Litigation

Written by Amy Malone

Another class action suit has been filed in Massachusetts in the zip code wars. This time, the target is instrument retailer Guitar Center for allegedly requesting customers to provide their zip codes when making purchases with a credit card in contravention of Mass. Gen. Laws ch. 93, § 105(a). Zip code class action suits started in California against retail giant Williams-Sonoma, and last year they found their way to Massachusetts in a case filed against national craft retailer Michaels Stores. We discussed that case in some detail here.

The Massachusetts Michaels case was dismissed from the U.S. District Court for the District of Massachusetts in January of 2013, but questions of law were sent from the federal court to the Massachusetts Supreme Judicial Court. The big questions referred to the SJC for determination under Massachusetts law were (1) whether a zip code is personal identification information (“PII”) under § 105(a) and (2) whether a complainant could state a cognizable claim under that section without suffering identity theft. The court ruled that zip codes are personal information under the law and that identity theft is not a necessary element in arguing a valid claim.

The SJC ruling kicked open the door for lawsuits in Massachusetts against major retailers that collect zip codes when processing credit cards. Currently there are two class actions pending against Bed, Bath and Beyond (complaints are here and here), and now there is this week’s filing against Guitar Center. The Nielan v. Guitar Center complaint is very similar to the Bed, Bath and Beyond complaints, claiming that Guitar Center harmed plaintiffs by unnecessarily collecting zip codes when customers completed purchases with credit cards. Credit card companies do not require zip codes to be collected in order to process transactions.

The plaintiffs claim they suffered injury due to (1) receiving unwanted marketing material and (2) through Guitar Center’s misappropriation of their economically valuable PII without consideration.  The SJC listed receiving unwanted marketing material and the sale of a customer’s PII as two possible injuries under a merchant’s violation of §105(a).

Plaintiffs in the Bed, Bath, and Beyond cases as well as the Guitar Center litigation are requesting statutory damages of $25 per violation as well as treble damages.

First HIPAA Resolution Agreement of 2013 — and it certainly will not be the last

Posted in HIPAA/HITECH, Privacy Regulation

Written by Stephanie D. Willis

The HHS Office of Civil Rights (OCR) announced its first HIPAA Resolution Agreement of 2013 last week.  According to the press release, Idaho State University (ISU) must pay OCR $400,000 and comply with the terms of a two-year corrective action plan (CAP) to address violations of the HIPAA Security Rule, which describes the technical, administrative, and physical safeguards against unauthorized access to electronic personal health information (ePHI).

ISU self-disclosed the exposure of the ePHI of approximately 17,500 patients at one of its health system’s facilities in August 2011.  The patients’ ePHI had become compromised when ISU staff disabled firewall protections on a server for one of its 29 outpatient clinics.  ISU officials did not discover the “hole” in the system’s security for over ten months – a fact underlying OCR’s determination that “ISU’s [privacy and security] risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities.”  The Resolution Agreement summarizes OCR’s conclusions regarding ISU’s deficient privacy and security processes after it completed an in-depth investigation pursuant to the self-disclosure:

  • ISU did not conduct an analysis of the risk to the confidentiality of ePHI as part of its security management process from April 1, 2007 until November 26, 2012;
  • ISU did not adequately implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level from April 1, 2007 until November 26, 2012; and
  • ISU did not adequately implement procedures to regularly review records of information system activity to determine if any ePHI was used or disclosed in an inappropriate manner from April 1, 2007 until June 6, 2012.

As part of its two-year CAP, ISU must complete an initial compliance gap analysis regarding each Security Rule provision as well as Annual Reports summarizing any training, review measures and updates of its risk management plan and information system security measures.  All in all, the ISU resolution is a prime example of OCR Director Leon Rodriguez’s statement at last week’s NIST-OCR conference that OCR is more likely to impose monetary penalties on “ongoing violations” of sets of laws.  (Our sister blog, Health Law and Policy Matters, provides more highlights of the conference here.)

Of note, ISU is a hybrid entity because it is an institution that has components other than its health clinics that perform activities that are not subject to HIPAA.  Hybrid entities must be especially careful of properly identifying entities that must comply with HIPAA and appropriately structuring privacy and security policies that adequately meet the law’s standards.  As Dianne Bourque, a Member of Mintz’s Health Law Practice, points out, “An additional complexity for hybrid entity employees is remaining mindful of their privacy and security obligations for the covered component or components of the hybrid entity as distinct from the non-covered components.  This is difficult when the hybrid operates as a single organization. Training is critical for entities like this.”

Rx for HIPAA Compliance

Posted in HIPAA/HITECH

Weighing in at half the length of Tolstoy’s legendary tome War and Peace, it is no surprise that the thought of the impending deadline for compliance with the 538-page HIPAA Omnibus Rule has left many small clinical practices feeling overwhelmed. HHS Office of Civil Rights (OCR) and the Workgroup for Electronic Data Interchange (WEDI) are co-sponsoring four upcoming webinars to help smaller health care providers better understand HIPAA compliance and enforcement topics. The webinars will specifically focus on practical strategies for implementing the Omnibus Rule’s new requirements within a small clinical practice.

Each of the 90-minute sessions (1-2:30 p.m. EST) is free to all registrants, and will educate participants on the following topics:

  • Friday, June 14th – HITECH Omnibus Overview of the Rule
  • Friday, June 28th – Drill down on the new HITECH Privacy Rule
  • Wednesday, July 17th – Breach and Enforcement under the HITECH Omnibus Rule
  • Friday, July 26th – Business Associates and the HITECH Omnibus Rule

WEDI was formed in 1991 by the then-HHS Secretary, Dr. Louis Sullivan, and the organization has been an official advisor to HHS since being named to that role in the 1996 HIPAA legislation. According to the website, “WEDI is a coalition comprised of a cross-section of the healthcare industry: doctors, hospitals, health plans, laboratories, pharmacies, clearinghouses, dentists, vendors, government regulators and other industry stakeholders.”

Smaller providers are particularly vulnerable to HIPAA enforcement – private practices and outpatient facilities are the first and third most common provider types required to adopt corrective action in response to an OCR investigation. And in the past year, OCR entered into its first settlement agreement regarding a breach affecting fewer than 500 individuals. Previously, to get answers tailored to their needs, these providers could consult the “Small Providers and Small Business” Frequently Asked Questions and a dedicated summary page on OCR’s website. OCR’s and WEDI’s joint effort to target these providers is a golden opportunity for these covered entities and their business associates to educate themselves on their new, increased obligations under the law and regulations.


The Great Disappearing Acts: California Considers Two Bills Addressing the Removal of Online Information of Minors

Posted in Children, Legislation, Privacy Regulation

Written by Jake Romero

Do you ever find yourself worrying that, given the types of things minors deem appropriate to post on social networking Web sites like Facebook and Twitter, our country won’t be able to produce an electable candidate for president in 40 years?  If so, you’ll be glad to know that the California state legislature is in the process of considering two bills that could impact the obligations of online services operators to delete certain types of information collected from minors.  The first bill, California Senate Bill 568, would give minors an “eraser button” with respect to the content and information that they provide to Web sites and online services, while the latter, California Senate Bill 501, would require social networking sites to remove identifying information about minors from their pages if those minors or their parents request it.

CALIFORNIA SENATE BILL 568 – THE “ERASER BUTTON”

California Senate Bill 568, which was introduced by Senator Darrell Steinberg and has already been passed unanimously by the Senate, would require that, at the request of a minor, the operator of any Web site, online service, online application, or mobile application remove all content or information submitted to the operator’s site or service by that minor.  If passed, S.B. 568 would also require operators of Web sites, online services, online applications and mobile applications to notify minors that they have the right to request that their information be deleted, while cautioning that such removal does not ensure “complete or comprehensive” removal of that information.  S.B. 568 would also prohibit the operators of online services that are directed to minors (or, if not directed at minors, where the operator has actual knowledge that a minor is using the service) from marketing goods or services to minors if those goods or services cannot legally be purchased by a minor.

If S.B. 568 is passed in its current form, it could require operators of online services to make a number of changes to their data collection and retention policies.  First, operators should note that S.B. 568 expands and deviates from the protections provided by the federal Children’s Online Privacy Protection Act (“COPPA”), as amended.   COPPA permits parents of a child under the age of 13 to contact the operator of an online service to request that any information their child has provided be deleted. Our blogposts about the latest amendments to COPPA (effective July 1, 2013) can be found here.  S.B. 568 not only raises this age to 18, but also puts the power directly in the hands of the minor, rather than the parent or guardian.  The bill does provide for certain exceptions to the removal requirement where the content or information was submitted to the online service by a third party (rather than directly by the minor) or where any provision of state or federal law requires the operator to maintain such information.

As currently drafted, S.B. 568 would create a number of potential pitfalls for online operators by not providing clear guidance on a number of key aspects of the bill.  For example, there is no definition for what constitutes “content or information submitted to or posted on the operator’s website.”  Depending on how broadly this is interpreted, an operator may have a difficult time removing all such information in response to requests.  S.B. 568 also does not provide guidance with respect to what actions are sufficient to constitute “removal” of content or information or what online services would be deemed to be directed toward minors.

If passed, S.B. 568 will become effective as of January 1, 2015.

CALIFORNIA SENATE BILL 501 – THE SOCIAL MEDIA PRIVACY ACT

Like S.B. 568, Senate Bill 501, which was introduced by Senator Ellen Corbett and has been passed by a majority in the California Senate, expands the obligations of certain online service operators with respect to the removal of information related to minors.  In its current form, S.B. 501 would require social networking sites to remove personal identifying information of any registered user under the age of 18 within 96 hours of the receipt of any request from that minor or his or her parent or guardian and imposes a civil penalty of $10,000 for each failure to do so.

S.B. 501 does include limitations on the obligations of social media operators.  Social networking sites are permitted under S.B. 501 to require that any request submitted to remove information include the following statement:

“I attest that the information in this request is accurate, that I am the registered user or the parent or legal guardian of the registered user to whom the personal identifying information in this request pertains, and that I am authorized to make this request under the laws of the State of California.”  

Also, (similar to the restriction contained in S.B. 568) social networking sites are not required to remove information where state or federal law requires that it be maintained.

To the surprise of no one, social networking sites have taken issue with S.B. 501’s requirements. As reported in the L.A. Times, a coalition that includes Facebook, Google, Zynga and Tumblr has banded together to oppose S.B. 501. In a letter to Senator Corbett, the Applications Developers Alliance claims on behalf of its members that the 96-hour deadline for removal of information is unworkable, as it does not permit sufficient time to verify requests before removing data. In addition, the Applications Developers Alliance also argues in its letter that S.B. 501 infringes the privacy rights of users under the age of 18, because it permits a parent or guardian to unilaterally request that information be deleted.

PREPARING FOR CHANGE – CONSIDERATIONS IN THE MEANTIME

Online service operators will need to begin considering what actions will need to be taken if, as seems likely, one or both of S.B. 501 and 568 are signed into law.  Here are some important questions to ask:

  • Does your online service collect information from users under the age of 18? If so, do you have a full and complete understanding of what information is collected, and how and where it is stored?
  • If requested, are you able to separate out a minor’s information and remove it? How long would this process take?
  • Do you have a point-of-contact in place for requests to delete information? Do you have policies in place regarding how to respond to such requests, and have you trained your employees to respond appropriately?
  • Is there any aspect to your online service that can be considered to be directed toward minors?
  • Do you sell goods or services that minors cannot legally purchase? If so, are your marketing practices solely targeted toward adults?
  • Does your online service constitute “social networking”? (As defined in Section 62(d) of S.B. 501, a “social networking Internet web site” would mean “an Internet Web-based service that allows an individual to construct a public or partly public profile within a bounded system, articulate a list of other users with whom the individual shares a connection, and view and traverse his or her list of connections and those made by others in the system.”)

Ultimately, if either or both of S.B. 501 and S.B. 568 are signed into law, online service operators may have to reassess the cost-benefit analysis of collecting certain types of data from minors.  The collection of user data can yield substantial monetary benefits for online operators.  However, there is no clear way to know how often requests would be made under either of these statutes, and whether the aggregate cost of responding to such requests would outweigh the benefits of collecting certain types of user data.

If S.B. 501 and/or S.B. 568 are adopted, they will bring with them considerable change to the online marketplace. In the meantime, you can find comfort in two facts: (1) many more of our children could become president someday, and (2) your Mintz Levin privacy team is always available to help with any questions you may have.

July 1 COPPA Compliance Deadline is Approaching

Posted in Children, Federal Trade Commission, Privacy Regulation

Written by Julia Siripurapu

Today, the FTC sent more than ninety (90) “educational” letters to domestic and foreign businesses whose Web sites and online services (including mobile apps) appear to collect personal information from children that are 12 years old and under, in an attempt to help the businesses come into compliance with the amendments to the Children’s Online Privacy Protection (COPPA) Rule (the “Amendments”), going into effect on July 1. Our prior blogposts about the Amendments can be found here.

Copies of each one of the four (4) form letters may be found below:

  • Letter to Domestic Companies That May Be Collecting Images or Sounds of Children
  • Letter to Domestic Companies That May Be Collecting Persistent Identifiers from Children
  • Letter to Foreign Companies That May Be Collecting Images or Sounds of Children
  • Letter to Foreign Companies That May Be Collecting Persistent Identifiers from Children

The FTC urged letter recipients “to review your apps, your policies, and your procedures for compliance.”

The agency also hinted that it will give credit to companies just for making an effort. “As with all our enforcement activities, the Commission will exercise its prosecutorial discretion in enforcing the COPPA Rule, particularly with respect to small businesses that have attempted to comply with the Rule in good faith in the early months after the Rule becomes effective,” the letter stated.

The FTC also set up and maintains an , where companies can ask FTC staff questions about how to comply with the Amendments.

The penalties for violating COPPA can be steep. In February 2012, social networking app Path agreed to pay $800,000 to settle FTC allegations that it wrongly collected personal information from children. And in October 2012, Artist Arena, the operator of fan websites for music stars such as Justin Bieber, shelled out $1 million to settle FTC charges that it improperly collected personal information from children without parental consent.

Other prior COPPA penalties include $1 million paid by Sony BMG Music Entertainment in 2008, and $1 million by social networking Web site Xanga.com in 2006.

As we move towards July 1 and the COPPA compliance deadline, please contact any member of the Mintz Levin privacy team with questions regarding your company’s compliance efforts.

Warrantless Cell Phone Searches – A Look at the Case Law

Posted in Uncategorized

Written by Bridget M. Rohde and Sara J. Crasson, CIPP/US

When a person is arrested with a cell phone, law enforcement officers will likely want to search the phone’s contents. Today’s smart phones are a treasure trove of contacts, calendars, voice and text messages, e-mail, videos, photographs, internet use records, GPS and cell phone tower location tracking data, and information captured by all kinds of additional applications, which may include sensitive personal data, like banking and medical information. The exception to the warrant requirement for a search incident to arrest was intended to allow law enforcement officers to prevent the loss or destruction of evidence and to seize weapons or materials that could be used to escape custody. Courts differ on how it applies to a cell phone.

Recently, in United States v. DiMarco, the Southern District of New York suppressed photographs found on the defendant’s cell phone.  2013 U.S. Dist. LEXIS 16279 (S.D.N.Y. February 5, 2013).  When DiMarco was arrested in possession of a firearm, ammunition, and a silencer, his cell phone was seized.  A Special Agent from the Bureau of Alcohol, Tobacco, Firearms and Explosives (“ATF”) inspected his phone several hours later at the police station.  She used her own mobile phone to take photographs of the pictures on DiMarco’s phone.  Later, the Government attempted to use the ATF agent’s photographs as evidence.  The Court suppressed the results of the ATF agent’s search after it determined the search was not performed incident to the arrest because of the delay between the arrest and the search, and because the agent’s motivation for searching the phone was to look for evidence against DiMarco, rather than to stop evidence from being destroyed or to eliminate a potential physical threat to the officers.

Other courts have allowed cell phone searches incident to arrest, sometimes for different reasons. In United States v. Finley, the Fifth Circuit allowed the warrantless search of a cell phone where law enforcement officers seized the phone when they arrested its owner at a traffic stop and searched the phone’s contents at the home of a co-defendant, stating that the search was still incident to arrest because “the administrative processes incident to the arrest and custody [had] not been completed.” 477 F.3d 250, 259 (5th Cir. 2007). The Tenth Circuit came to a similar conclusion when it allowed a warrantless search of an arrestee’s cell phone in Silvan W. v. Briggs, holding that “[b]ecause . . . warrantless arrests were constitutionally permissible, so too were the contemporaneous searches of their persons for weapons and evidence. Further, the permissible scope of a search incident to arrest includes the contents of a cell phone found on the arrestee’s person.” 309 Fed. Appx. 216 (10th Cir. 2009). In People v. Diaz, the Supreme Court of California held an arrestee had no reasonable expectation of privacy in his cell phone when he was arrested with it on him. 244 P.3d 501, 505 (Cal. 2011).

This line of thinking was rejected by the Supreme Court of Ohio, in Ohio v. Smith, which noted that cell phones “are capable of storing a wealth of digitized information wholly unlike any physical object found within a closed container,” rejected all analogies to containers and devices courts had previously found searchable, and held that “because an individual has a privacy interest in the contents of a cell phone that goes beyond the privacy interest in an address book or pager, an officer may not conduct a search of a cell phone’s contents incident to a lawful arrest without first obtaining a warrant.”  124 Ohio St. 3d 163 (2009).

The law in this area could develop in several ways.  For example, the California legislature passed a bill in 2011 requiring a warrant to search a cell phone, but California Governor Jerry Brown vetoed the bill.  Also, the Supreme Judicial Court of Massachusetts raised a new issue when it allowed a warrantless cell phone search incident to arrest, but restricted the decision to the facts of the case, explicitly noting that it did not “suggest that the assessment necessarily would be the same . . . in relation to a different type of intrusion into a more complex cellular telephone or other information storage device.” Commonwealth v. Phifer, 979 N.E.2d 210, 216 (Mass. 2012).  Future courts may develop distinctions based on the kind of data being searched in a cell phone.

For more information, see “No Clear Rule On Warrantless Cellphone Searches” by Bridget M. Rohde and Sara J. Crasson at http://www.law360.com/articles/428965/no-clear-rule-on-warrantless-cellphone-searches.


Enter, the APPS Act

Posted in Mobile Privacy, Privacy Regulation

Written by Amy Malone

U.S. Rep. Hank Johnson, a Democrat from Georgia, has introduced a mobile privacy bill that if passed will require mobile application developers to maintain privacy policies, obtain consent from consumers before collecting data, and securely maintain the data they collect.

The Application Privacy, Protection and Security Act of 2013, or the “APPS Act,” also requires app developers to establish a data retention policy and allows users to request that app developers stop collecting their data and delete any stored information about the user. App developers are charged with taking “reasonable and appropriate” measures to prevent unauthorized access to personally identifiable and de-identified information collected by the app.

Over the last year, the public was able to express their concerns and suggestions regarding mobile privacy through a web-based project called AppRights started by Rep. Johnson. In a press release Rep. Johnson said that more than 80% of AppRights participants wanted Congress to protect consumers’ privacy on mobile devices by imposing regulations that require app developers to tell users what information is being collected and how it is being used, to secure user information and to make controls easy to implement on mobile devices.

Under the APPS Act, enforcement will be provided by the Federal Trade Commission and state attorneys general can bring civil actions on behalf of residents to enforce the regulation and obtain damages.  There is also a safe harbor provision that allows app developers to satisfy the requirements of the Act by adopting and following a code of conduct for privacy that is established using a multistakeholder process facilitated by the National Telecommunications and Information Administration.


EU Data Protection Regulation: and the horizon recedes again . . .

Posted in European Union, Legislation, Privacy Regulation

Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) We recently wrote that a crucial committee vote on the new EU Data Protection Regulation had been pushed back until May 29-30. The vote has been delayed again until an unspecified future date, although Jan Philipp Albrecht, the MEP who is one of the leading advocates for the Regulation, still thinks that a committee vote will be possible before the European Parliament’s July recess. This may be overly optimistic, given that the European Parliament still needs to sift through over three thousand amendments to the Regulation.

Delays to complex EU Regulations are nothing new – and the delay does not mean that the draft Regulation has hit any fatal roadblocks.   Interested organizations will no doubt see the delay as a useful opportunity to extend their lobbying for changes to the draft Regulation.