It has been almost two years since the Privacy Shield was struck down as a valid data transfer mechanism in Schrems II. Many have been wondering “what’s next”? Will there be a replacement framework? When will that be released? Will the replacement be invalidated? Well, the European Commission and US recently announced an “agreement in principle” to replace the EU-US Shield Privacy Shield. The EDPB also recently released a statement welcoming the announcement, but reminding companies that the announcement is not actually a legal framework. Thus, nothing has changed… yet.

Continue Reading Waiting on a new EU-US Privacy Shield

The Belgian Data Protection Authority (APD) recently released a draft decision imposing a €250,000 fine ($285,000) on the provider of a consent mechanism that operates within a real-time ad bidding program. The ad bidding program, OpenRTB, allows advertisers to place online ads through an automated online auction of available ad space. Thousands of advertisers can bid on space in real time, through a fairly complex process involving many different entities (a schematic of the process was included by the ADP in its decision on page 9). The case first arose in 2019, and after several interim decisions the ADP has now held in this draft decision, among other things, a two month deadline for IAB Europe to present a remediation plan to the ADP. The case was one with cross-Europe impact, and thus the ADP’s decision has been sent to its European counterparts for feedback.

Continue Reading Interactive Advertising Bureau of Europe Fined By Belgian DPA for GDPR Violation

Following a similar case from Austria, the French data protection authority recently concluded that certain use of cookies placed by US data analytics tools violated GDPR. The case came before the CNIL as the result of a complaint filed by “None of Your Business,” the non-governmental organization created by Max Schrems.

Continue Reading CNIL Recommends Using US Analytics Tools Only for Anonymous Statistical Data

The Portuguese data protection authority issued a recent resolution ordering the Portuguese National Institute of Statistics (or INE) to stop sending personal census information to any countries outside of the EU that do not provide “adequate” levels of data protection. Among those countries are the United States.
Continue Reading Portugal Puts Halt on Data Transfers Between INE and Cloudflare

Throughout 2020, companies have been negotiating with their business partners the issue of “selling” under CCPA. Is the partner a service provider? A third party? Is there an exchange of consideration? These issues will not likely go away in 2021, especially as we turn to addressing the CCPA modification, CPRA.
Continue Reading 2020 In Review: Exchanging Data With Business Partners

The EDPB recently issued guidelines about how to use health data during the current pandemic in compliance with GDPR. Given the COVID-19 pandemic, there have been many research efforts in place to fight against the virus.  The EDPB’s guidelines shed light on the special rules for processing health data for scientific research, which apply in the context of the COVID-19 pandemic:
Continue Reading Using Health Data in Europe During COVID-19

Following its 20th plenary session on April 7, the European Data Protection Board (EDPB) selected geolocation and health data to focus on in its upcoming COVID-19 guidance. This follows in response to the EDPB’s earlier broad statement on the processing of personal data in the context of COVID-19.
Continue Reading EDPB Announces Scope of COVID-19 Guidance

As many who have been tracking CCPA are aware, the law requires training employees who handle consumer inquiries, and ensuring that employees understand how to help consumers exercise their rights. Since most of those rights requests are arriving by web page, email, and phone, it is unlikely that rights requests will slow in the face of COVID-19. Indeed, it is possible that they may increase. Employees will thus still need training, something many companies had anticipated doing in-person.

Coronavirus

Continue Reading Turn On the Camera Part Three: Fulfilling CCPA Training Obligations in the Face of COVID-19

As companies brace for the impact of COVID-19, the last thing on everyone’s mind may be proactive privacy compliance obligations. Certainly, companies may be thinking about privacy obligations that relate specifically to their COVID-19 response. What types of employee information can be disclosed, for example, especially in European offices? (On this, see guidance from the French, Italian and Irish data protection authorities.) But companies can think more broadly, in particular about how they will continue the proactive operations of the privacy team during this time. Some questions companies can ask themselves now include:
Continue Reading Turn on the Camera Part One: Keeping Your Privacy Compliant Efforts Moving Forward in the Face of COVID-19

As we get settled into the reality of living with both CCPA and GDPR, companies are looking for new approaches for keeping their privacy houses in order. CCPA reminds us that there is no end to new legislation: proposals are already coming in from states as varied as Nebraska, New Hampshire and Virginia. Similar legislative trends exist around the globe. How can companies be prepared to address this ever shifting legislative landscape? There are a few essential steps privacy officers can take, including (1) aligning the privacy team’s efforts with the underlying corporate mission, (2) having a clear understanding of both the company’s data and its use practices, and (3) having infrastructure in place that will allow for updates to notices and rights.
Continue Reading Getting Prepared for a Decade of Privacy