Companies are struggling to understand how to comply with rapidly changing and sometimes conflicting privacy obligations. For entities outside of the US seeking to do business in the States, approaching and understanding the patchwork of state and federal privacy laws can be daunting, especially since US privacy laws vary depending on the type of activities in which companies engage, the individuals from whom they gather or use information, and the industry in which the company operates. While there are some “general” privacy laws (notably in California and Virginia) those are the exception rather than the rule.

Continue Reading Tools for Understanding Global Privacy Obligations

The European Commission announced today a long-awaited decision that the UK data protection standards are adequate under the meaning of GDPR’s Article 45, providing a mechanism to enable transfer of data from the EU to the UK without the need for additional authorisation or putting in place additional safeguards. This decision will be in force for four years but can be withdrawn if the UK were to lower its standards and no longer provide EU citizens adequate protection for their personal data. The decision excludes personal data that is transferred for purposes of United Kingdom immigration control.

Continue Reading Free Data Flow to the UK May Continue – EU Adopts Adequacy Decision

Starting this fall, companies transferring personal data from the European Economic Area (EEA) will likely begin to see a flurry of contract renegotiations. On June 4, 2021, the European Commission adopted long awaited new Standard Contractual Clauses (SCCs) for transfers out of the EEA. SCCs have been one of the more popular ways for Companies to transfer personal data from the EEA to third countries whose privacy laws have not been deemed “adequate” (like the US). The prior SCCs pre-date GDPR (see our discussion here), and have been updated to (1) more directly address GDPR and (2) because of comments in Schrems II last July, which called into question their use (the court noted that even under SCCs, certain “supplementary measures” might be needed for cross-border transfers).
Continue Reading Understanding When to Use Two New Sets of Standard Contractual Clauses Issued by the EU

The Portuguese data protection authority issued a recent resolution ordering the Portuguese National Institute of Statistics (or INE) to stop sending personal census information to any countries outside of the EU that do not provide “adequate” levels of data protection. Among those countries are the United States.
Continue Reading Portugal Puts Halt on Data Transfers Between INE and Cloudflare

The Dutch Data Protection Authority recently imposed a €475,000 fine ($558,000) against the hotel website Booking.com for waiting longer than 72 hours to report a data breach. According to the Dutch DPA press release, Booking.com learned of the breach on January 13, 2019 and reported it to the DPA on February 7, 2019. The DPA did not make it clear in that release whether Booking.com had, in fact, determined on January 13, 2019 that a security breach impacting personal information of Dutch citizens had occurred or whether January 13, 2019 was date that Booking.com was first alerted to suspicious activity.

Continue Reading Booking.com Fined By Dutch DPA For Breach Notice Delay

Many supervisory authorities across Europe have reported increasing numbers of data breach notifications since the introduction of GDPR. While most companies are now familiar with the 72-hour reporting obligation for controllers to supervisory authorities, whether such obligation has been triggered continues to present unique and complex questions in each specific security event. To help aid companies sorting through these potential legal notification obligations in the aftermath of a security event, the EDPB recently released draft guidance, which is open for comment until 2 March 2021.
Continue Reading Companies Have Until March to Comment on EDPB Data Breach Notification Guidelines

Many in the world have been watching the Brexit deal closely, including privacy lawyers and others who deal with global data transfers. Under the recently-announced deal, a temporary solution will allow companies to continue to transfer data between the UK and European Economic Area (EEA) as normal during a short post-Brexit transition period. As many know, transfers of personal data are restricted out of the EEA to third countries unless certain steps are taken or exceptions apply. One of those mechanisms being an EU determination that the country to which data is being transferred is “adequate.” With the current transition period set to expire December 31, 2020, and no adequacy decision for the UK issued yet from the Commission, companies have been worrying about how to receive data from the EEA into the UK given its impending status as a “third country.”
Continue Reading New Year, Same Transfers (for now): Temporary Brexit Deal Keeps EEA-UK Data Flowing

There has been much scrutiny of artificial intelligence tools this year. From NIST to the FTC to the EU Parliament, many have recommendations and requirements for companies that want to use AI tools. Key concerns including being transparent about the use of the tools, ensuring accuracy, and not discriminating against individuals when using AI technologies, and not using the technologies in situations where it may not give reliable results (i.e., for things for which the  was not designed). Additional requirements for use of these tools exist under GDPR as well.
Continue Reading 2020 In Review: An AI Roundup

Throughout 2020 we saw many enforcement actions brought by EU and U.S. regulators. Whether for allegations of deception (misleading privacy representations) or unfairness (failure to protect information), COVID did not appear to slow down regulatory action. Laws that many companies forget about -or don’t know as well- were enforced by regulators, as well as through class action lawsuits. This included the Children’s Online Privacy Protection Act, Illinois’s Biometric Information Privacy Act, and the Telephone Consumer Protection Act.
Continue Reading 2020 In Review: Ongoing Enforcement Actions and a Patchwork of Privacy Laws

As 2020 comes to a close, we take this opportunity to look back at some of the more significant developments that we discussed in the blog this year. The first is the EU Court of Justice’s Schrems II decision, finding that the EU-U.S. Privacy Shield was not a valid mechanism for transferring personal data from the EU to the U.S. Related decisions came out of Switzerland and Israel.
Continue Reading 2020 In Review: Dealing With Schrems II Fallout