The EDPB has provided input about consent in its recent FAQs responding to the Schrems II invalidation of Privacy Shield. As we wrote about previously in this series, Schrems II impacted how companies transfer data from the EU to the U.S..  As background, under GDPR, consent from the individual can be relied on to transfer information from the EU to an entity outside of the EU’s borders if three conditions exist. The EDPB reminded companies of these three conditions in its FAQs, drawing on prior guidance about consent:
Continue Reading Schrems II Fallout Continued: Can Companies Rely on Consent?

Companies who transfer data from the EU to the U.S. are struggling to determine the appropriate basis under which they can make these transfers. Continuing our examination of the outcome of this decision, we think now about what companies can do for transfers of information from the EU to the U.S.
Continue Reading EU Reaction to the Fall of Privacy Shield: The Rise of SCCs?

U.S. companies are in a bind in the wake of the recent EU decision rejecting the validity of the Privacy Shield. While it is clear that the EU will not accept Privacy Shield participation as a basis for transferring data from the EU to the U.S., next steps for participants are unfortunately not clear cut. U.S. companies who participate in the Shield program face two decisions: (1) whether to continue participation in the Privacy Shield program and (2) what mechanism to rely on for data transfers from the EU to the U.S.
Continue Reading How to Rise from the Privacy Shield Ashes: A View from the U.S.

NIST recently released the final public draft of SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (formerly Draft NIST SP 800-171B). NIST is proposing additional security requirements for certain CUI in non-federal systems that is associated with critical programs or high value assets and is soliciting public comments through August 21, 2020.
Continue Reading NIST Proposes Draft Enhanced Security Requirements for Protecting CUI

On July 16, 2020, in the case colloquially known as “Schrems II,” the Court of Justice of the European Union (CJEU) struck down the EU-US Privacy Shield, finding it an invalid mechanism for transferring data from the EU to the US. The CJEU concluded that the Standard Contractual Clauses (SCCs) are valid for the transfer of personal data outside the EU (which would include transfers to the US), with certain conditions.
Continue Reading CJEU Invalidates Privacy Shield, But Upholds SCCs with Conditions

HyperBeard, the makers of several children’s mobile apps (including KleptoCats), recently settled with the FTC over failure to obtain verifiable parental consent before collecting children’s personal information online, in violation of COPPA. In its complaint, the FTC argued that the HyperBeard apps were clearly directed to children. The apps contained brightly-colored animated characters, kid-friendly language, games that were easy to play, and were promoted on kids’ websites and publications.
Continue Reading KleptoCats Maker Settles with FTC Over Failure to Get Parental Consent

As a part of its Cybersecurity for IoT Program, NIST recently released two publications with the goal of providing cybersecurity guidance and best practices specific for companies manufacturing IoT devices. These publications were developed as a part of NIST’s implementation of the 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. With these publications, NIST provides a set of recommended activities that manufacturers should consider to improve the securability of IoT devices, as well as a baseline level of security requirements for these devices.

Continue Reading NIST Releases Cybersecurity Guidance for Manufacturers of IoT Devices

On June 1, 2020, the California AG submitted the final text of the proposed CCPA regulations to the Office of Administrative Law (OAL). There were no changes to the final text from the last version released in March, which we previously summarized here.
Continue Reading Final Draft CCPA Regulations Submitted, Effective Date Unclear