As more and more states enact laws that mirror aspects of GDPR, and as companies begin to get used to the EU’s new standard contractual clauses, now may be a good opportunity for a refresh on data sharing agreements. As most in the privacy space are well aware, the laws in many states (and countries) call for certain oversight in these situations. And many require specific content to be included in contracts. What might you want to include in your contract roadmap?
Continue Reading: DPA 101: Do You Know Where Your Data Is?

This month the EDPB shed light on the question of lead supervisory authorities. The issue arose in response to a question late last month from the French supervisory authority. Some background. As most international organizations are aware, GDPR provides for a “lead” supervisory authority in the location where a company has its “main establishment.” If, for example, there is an investigation into a company’s violation of a particular provision of GDPR, the lead supervisory authority would be the sole authority to pursue the problem. This question can also come up when companies are trying to determine which authority to notify of a data breach. Without a lead supervisory authority, every supervisory authority in a location where there are data subjects would be able to participate.
Continue Reading: EDPB Provides Guidance on Determining Primary Supervisory Authority

The Court of Justice of the European Union (CJEU) clarified in two judgments in the last month of 2023 (Deutsche Wohnen, ECLI:EU:C:2023:950 [DW] and Nacionalinis visuomenės sveikatos centras, ECLI:EU:C:2023:949 [NVSC]) the conditions under which data protection authorities across the EU may impose fines on companies for violations of the GDPR. Specifically, when those violations were committed either by unidentifiable employees at a company (DW) or by third parties (NVSC).
Continue Reading: CJEU Decision Will Have Impact on Potential Fine Setting Under GDPR

The European Council recently approved a final version of the EU Data Act. The Act applies to manufacturers of connected devices. Among other things, it gives consumers certain rights about the information those devices collect. The Act is viewed as part of an overall data strategy by the EU, and complements both GDPR and the Data Governance Act.
Continue Reading: Connected Devices: Eyes on EU Data Act

The French Data Protection Authority announced a €600,000 fine against Groupe Canal+ over concerns with the media company’s direct marketing activities. According to the CNIL, the company sent users email marketing without getting consent, in violation of both GDPR and French privacy law. In particular, the CNIL noted, the company sent marketing emails to individuals who had provided their personal information not to Canal+, but instead to one of its partners. When doing so, they were not told by the partner that the information would be shared with (and used by) Canal+ for Canal+’s marketing activities. Canal+ should have ensured that the partners had obtained appropriate consent, according to the CNIL.
Continue Reading: CNIL Fines Canal+ Over Marketing and Data Security Concerns

Now that the EU has adopted its adequacy decision for the EU-US Data Privacy Framework (DPF), many companies are assessing whether participation makes sense. Participation by a US entity is one mechanism (but not the only mechanism) for two parties (one EU and one US) to transfer personal data from the EU to the US. Other transfer methods include Binding Corporate Rules or Standard Contractual Clauses. As we wrote recently, when the EU determined that the program was “adequate,” it noted that the safeguards developed by the US for the DPF applied to all methods of transfer, in other words, to BCRs and SCCs as well.
Continue Reading: Considerations for Participation in the EU-US Data Privacy Framework

The EU Commission adopted today an adequacy decision for the EU-US Data Privacy Framework. As we indicated last month, this has been an area closely watched by those transferring data from the EU to the US. The issue has been a contentious one. Concerns in particular have been raised on the EU side regarding US surveillance agencies’ ability to access non-US individuals’ personal information. These concerns led to the downfall of both of the Framework’s predecessors: Safe Harbor and Privacy Shield.
Continue Reading: EU Adopts Adequacy Decision for EU-US Data Privacy Framework

As those in the privacy world await the outcome of the EU-US privacy framework negotiations, the EDPB was in the news recently for a different mechanism for data transfers: Binding Corporate Rules. Namely, it adopted recommended standard forms for BCR applications by controllers and recommendations for the application process.
Continue Reading: EDPB Adopts Binding Corporate Rules Recommendations

The French Data Protection Authority capped off 2022 by terminating an investigation into Lusha Systems, Inc.’s compliance with GDPR. CNIL concluded that the law did not apply to the US company’s activities. As many know, since GDPR was passed US companies have been concerned about the extent to which the law applies outside of the EU: it applies not only to those entities with operations in the EU, but also to those outside of the region who are either offering goods or services to people in the EU or monitoring individuals in the EU. Here, CNIL concluded that Lusha was not offering goods or services to those in the EU, nor was it monitoring those in the EU.
Continue Reading: CNIL Weighs in On GDPR Applicability to US Company

The EU released its draft adequacy decision for the EU-US Data Privacy Framework, but all is not smooth sailing. As we wrote in October, the US developed the proposed new framework in response to the declared inadequacy of the EU-US Privacy Shield program.
Continue Reading: EU’s Initial Response to US Proposed Data Transfers Framework