Apple has launched, in connection with other privacy changes in iOS 14, a requirement for privacy “nutrition labels.” The labels are required for new and existing apps, and are in addition to the existing requirement of linking to the company’s long-form privacy policy. Apple will automatically generate the label based on the company’s answers to its online questionnaire. Apple is requiring companies to explain what information they -and third-party partners collect. Answers will be turned into visuals for the label (a circle “i” for example, for contact information). Companies can also include optional disclosures, like confirming that data is not being used for tracking or third-party advertising purposes (if that is accurate).
Continue Reading Apple Privacy Nutrition Labels Effective Starting Next Month

One of the methods US and EU companies rely on most frequently for the transfer of personal data from the EU to the US are standard contractual clauses. For the method to be acceptable as a valid basis for transfer of personal information, one critical step is for companies to use the version of the clauses as approved by the EU Commission. This has causes some confusion and concern, as the clauses predate GDPR and thus do not include provisions related to that 2018 law. Another area of confusion has been the recent criticism of the clauses as a valid method -alone- for transferring personal data to certain jurisdictions, including the US. (See proposed supplemental protection measures proposed by the European Data Protection Board to address this latter issue, which we discussed recently.)
Continue Reading EU Seeking Comment on Revisions to Standard Contractual Clauses

The EDPB recently published recommendations on additional security steps to take when transferring personal data out of the EU. As outlined in our previous series of posts, the EU found this summer that the EU-US Privacy Shield was an invalid mechanism for transferring personal information from the EU to the US.
Continue Reading EDPB Sheds Post-Schrems II Light on Supplementary Measures for Data Transfers

NIST has now finalized its guidance providing important information on selecting both security and privacy control baselines for the Federal Government. The guidance is available here: Special Publication 800-53B, Control Baselines for Information Systems and Organizations. As we previously discussed when the draft version was released, these control baselines are from NIST Special Publication 800-53, and have been moved to this separate publication as a consolidated catalog of privacy and security controls. While the implementation of a minimum set of controls is required for protecting federal information systems, NIST envisions that these control baselines can be implemented by any organization that processes, stores, or transmits information.
Continue Reading NIST Finalizes Guidance on Security and Privacy Control Baselines – SP 800-53B

By ballot initiative, California residents recently approved Proposition 24, or the California Privacy Rights Act (CPRA), with approximately 56 percent voting in favor. CPRA significantly amends the CCPA by expanding individual rights, introducing new GDPR-style governance measures, and establishing a new enforcement agency (among other things). Importantly, CPRA does not replace or repeal CCPA, but rather augments it.  Further, no new private right of action will be added by CPRA.  The substantive provisions of CPRA do not take effect until January 1, 2023.
Continue Reading The CCPA Wheels Keep Turning: The Addition of CPRA

The California Attorney General recently released a third set of proposed modifications to the CCPA regulations. As we previously covered, the CCPA regulations were approved and went into effect on August 14, 2020. Many companies will likely be frustrated by the fact that new changes have been proposed again, just two months after the final version was approved. Companies have until October 28, 2020 to submit comments to the AG on the modifications.
Continue Reading Will CCPA Regulation Change Again?: Comment Deadline Looming

Israel’s Privacy Protection Authority recently announced that Privacy Shield can no longer be relied on for data transfers between Israel and the United States. Israel did not have a direct Privacy Shield arrangement with the U.S., instead permitting the many Israeli companies that exchange data with their American counterparts to rely on a provision of its Privacy Protection Regulations that allows for transfers of data to any country that receives data from the EU under the same terms of such transfer.
Continue Reading Israel Follows Europe’s Lead on Privacy Shield

The Department of Defense (DoD) recently published an interim rule that sets forth its Cybersecurity Maturity Model Certification (CMMC) program plan, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” NIST SP 800-171 relates to protection of sensitive, but unclassified information (within a company’s system.) The interim rule will be effective November 30, 2020, and comments are due the same day. You can read our in-depth breakdown of the key provisions here.
Continue Reading Interim Rule Solidifies Cybersecurity Requirements for Defense Industrial Base

After many years of being in draft form, NIST recently released its final version of Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations to address a need for a more proactive and systematic approach to cybersecurity. With the release of Revision 5, NIST hopes to provide updated security and privacy controls that will make information systems more penetration resistant, limit damages from cyber-attacks, make systems more cyber-resilient, and protect individuals’ privacy. NIST intends this update to be usable by a more diverse set of consumer groups than previous iterations of the document permitted.
Continue Reading NIST Issues Long-Awaited Final Guidance on Security and Privacy Controls – SP 800-53

Following lots of legislative uncertainty, Brazil has now formally enacted the country’s first general data protection law, Lei Geral de Proteção de Dados, or “LGPD.” While administrative sanctions do not go into effect until August 1, 2021, individuals and public prosecutors can now bring claims for losses and damages. Indeed, at least one public civil action has already been filed. LGPD is the first comprehensive general data protection law in Latin America. It was modeled after the EU’s GDPR. While there are many similarities, LGPD does introduce new concepts. Below are some of the key elements to keep in mind.
Continue Reading Brazil’s Comprehensive Privacy Law Now in Effect