Verkada, a manufacturer and retailer of security cameras, has settled FTC accusations of lax security measures. The company sells its products to businesses, including schools and medical facilities. It markets its products as “plug and play:” the cameras connect to the cloud and allow customers’ remote access into both live and archived video footage. Among other features, the cameras have a “people analytics” tool that lets users “search images through facial recognition or face-matching technology.” A review of the settlement raises many reminders for companies about (1) security claims in privacy policies and marketing, (2) remediation concerns following a breach, (3) adherence to the Privacy Shield, and (4) a reminder about related (and often overlooked) laws like CAN-SPAM.Continue Reading Camera Company Will Pay $2.95 Million to Settle Security Claims

As more and more states enact laws that mirror aspects of GDPR, and as companies begin to get used to the EU’s new standard contractual clauses, now may be a good opportunity for a refresh on data sharing agreements. As most in the privacy space are well aware, the laws in many states -and countries- call for certain oversight in these situations. And many require specific content to be included in contracts. What might you want to include in your contract roadmap?Continue Reading DPA 101: Do You Know Where Your Data Is?

This month the EDPB shed light on the question of lead supervisory authorities. The issue arose in response to a question late last month from the French supervisory authority. Some background. As most international organizations are aware, GDPR provides for a “lead” supervisory authority where companies have their “main establishment” in that location. In the event, for example, if an investigation into a company’s violation of a particular provision of GDPR, the lead supervisory authority would be the sole authority to pursue the problem. This question can also come up when companies are trying to determine what authority to notify of a data breach. Without a lead supervisory authority, all supervisory authorities where there are data subjects would be able to participate.Continue Reading EDPB Provides Guidance on Determining Primary Supervisory Authority

Now that the EU has adopted its adequacy decision for the EU-US Data Privacy Framework (DPF), many companies are assessing whether participation makes sense. Participation by a US entity is a mechanism -but not the only mechanism- for two parties (one EU and one US) to transfer personal data from the EU to the US. Other transfer methods include Binding Corporate Rules or Standard Contractual Clauses. As we wrote recently, when the EU determined that the program was “adequate,” it noted that the safeguards developed by the US for the DPF applied to all methods of transfer. In other words, for BCRs or SCCs.Continue Reading Considerations for Participation in the EU-US Data Privacy Framework

The EU Commission adopted today an adequacy decision for the EU-US Data Privacy Framework. As we indicated last month, this has been an area closely watched by those transferring data from the EU to the US. The issue has been a contentious one. Concerns in particular have been raised on the EU side regarding US surveillance agencies’ ability to access non-US individuals’ personal information. These concerns led to the downfall of both of the Framework’s predecessors: Safe Harbor and Privacy Shield. Continue Reading EU Adopts Adequacy Decision for EU-US Data Privacy Framework

As those in the privacy world await the outcome of the EU-US privacy framework negotiations, the EDPB was in the news recently for a different mechanism for data transfers: Binding Corporate Rules. Namely, it adopted recommended standard forms for BCR applications by controllers and recommendations for the application process.Continue Reading EDPB Adopts Binding Corporate Rules Recommendations

The EU released its draft adequacy decision for the EU-US Data Privacy Framework, but all is not smooth sailing. As we wrote in October, the US developed the proposed new framework in response to the declared inadequacy of the EU-US Privacy Shield program. Continue Reading EU’s Initial Response to US Proposed Data Transfers Framework

President Biden signed a new executive order on Friday, with a framework that seeks to replace the existing Privacy Shield program. That program was found to be an invalid mechanism for transferring personal data between the EU and the US in 2020 (the Schrems II decision). Since then, companies have struggled to establish an appropriate mechanism for transfer of information from the EU to the US.Continue Reading EU To Review New EU-US Data Transfers Framework

As we have written in the past, APEC’s Cross-Border Privacy Rules (CBPR) program is intended to help companies more easily transfer personal data across borders. Participating companies complete self-assessments and participate with their local countries’ “accountability agent.” There are currently seven participating economies, which include the US, Canada, Japan. Those participating economies recently announced the development of a “Global CBPR Forum.” The Forum is tasked with, inter alia, creating an international certification system, reviewing members’ privacy standards, and ensuring that the program is “interoperable with other data protection and privacy frameworks.”
Continue Reading Formation of CBPR Forum Signals Continued Movement