Archives: GDPR

A Digital Advertising Primer on Preparing for the Post-Cookie World: Part Two

Part I: What Are Third-Party Cookies and Why they are Important — PART II — Privacy Laws And Third-Party Cookies Welcome to our second installment in our eight-part series preparing you for the post-cookie world. In our first post, we provided a deep dive into cookies for a baseline understanding of the technology and why … Continue Reading

US Facial Recognition Firm Ordered to Stop Processing UK and Australian Data and Pay Fine Over Privacy Law Violations

ICO and OAIC Find ‘Serious Breaches’ of Privacy Law On Nov. 29, 2021, the U.K. Information Commissioner’s Office (ICO) announced a provisional intent to fine Clearview AI over £17 million, alleging several privacy violations related to the company’s use of “scraped” data and biometrics of individuals. More significantly, the provisional order would require the company … Continue Reading

Are More European Standard Contractual Clauses Coming?

On November 18, 2021, the European Data Protection Board (EDPB) adopted its new draft guidance on the interplay between Article 3 of the European Union’s General Data Protection Regulation (GDPR) and Chapter V of the same law. This new guidance specifies that personal data processing by organizations in countries outside the European Economic Area (EEA) is … Continue Reading

International Data Protection Update – Summer 2021

This update highlights some of the international data protection issues that caught our attention, and the attention of our clients, over the summer. Asia-Pacific China’s Data Security Law and Personal Information Protection Law – This summer, the People’s Republic of China passed two new data protection laws. The Data Security Law (DSL) passed in June … Continue Reading

Updated EU Standard Contractual Clauses Are Finally Here

On June 4, 2021, the European Union’s (EU) executive branch, the European Commission (EC), released their new Standard Contractual Clauses (SCCs) for compliant cross-border data transfers under the EU’s General Data Protection Regulation (GDPR), ending a long wait for revised SCCs. The new SCCs resolve certain practical issues companies faced when using the older versions but … Continue Reading

New EDPB Draft Guidance Provides Practical Scenarios for Data Breach Notification Analysis Under the GDPR

In certain cases, the General Data Protection Regulation (GDPR) requires entities that experience a personal data breach to provide notice of the incident to relevant national supervisory authorities and the individuals whose personal data was compromised. The European Data Protection Board (EDPB) — a board of representative members from each of the European national supervisory … Continue Reading

European Authorities Release Back-to-Back Drafts Addressing Cross-Border Data Transfers

Last week, both the European Data Protection Board (EDPB) and the European Commission released highly anticipated draft documents offering guidance to organizations that engage in cross-border data transfers involving EU personal data. The EDPB, an independent body responsible for consistent application of data protection rules throughout the EU, published draft recommendations on supplemental measures for transfer … Continue Reading

5 Key Things to Know about the Landmark Schrems II Decision

Quick Links CJEU Press Release CJEU Decision Press Releases from the Parties Irish Data Protection Commission Max Schrems U.S. Department of Commerce Electronic Privacy Information Center (EPIC) BSA The Software Alliance DIGITALEUROPE 1. Is the EU-U.S. Privacy Shield framework dead? Yes, the Privacy Shield framework has been invalidated. The Court of Justice of the European … Continue Reading

Key takeaways for app development and data protection by design from recent enforcement action

The Norwegian Data Protection Authority (DPA) recently announced a €200,000 fine against Oslo’s municipal education agency for several security flaws associated with an app the agency developed for communications between school employees, parents and pupils. At first, this may seem like an obscure case of only local importance, but the DPA’s rationale for the fine … Continue Reading

Reexamining the GDPR’s Territorial Scope

Key Takeaways From the European Data Protection Board’s New Guidance In November 2019, the European Data Protection Board (EDPB) issued its final guidance on territorial scope of the General Data Protection Regulation (GDPR), following release of the draft guidelines in November 2018 and a lengthy public consultation period. Comparing the final and draft versions provides … Continue Reading

EU Updates: ePrivacy Regulation Inches Forward, EDPB Issues Guidance on Interplay Between GDPR and ePrivacy Directive

Adoption of the ePrivacy Regulation Introduced in 2017, and originally slated to go into effect with the GDPR (on May 25, 2018), it now appears the ePrivacy Regulation will not be implemented before late 2021. With the Romanian Presidency’s oversight of the Council of the European Union passing to Finland as of July 1, and … Continue Reading

Deeper Dive: GDPR a Game-Changer for Data Breach Notification

When the EU General Data Protection Regulation (GDPR) took effect on May 25, 2018, it dramatically changed the way multinationals manage the reporting of personal data breaches. It also substantially raised the stakes: Entities found to have violated the GDPR’s data security and breach reporting obligations could face much steeper regulatory fines than those available … Continue Reading

EU Regulators Increase Focus on Cookie Practices

In the absence of cookies-related guidance and enforcement by regulators against ordinary website publishers and operators, many e-commerce sites, online publishers and other website operators have taken a “wait and see” approach with respect to implementing GDPR-compliant cookies consent procedures. Recent cookies-related regulatory guidance, however, from the Dutch data protection authority, Autoriteit Persoonsgegevens (“Dutch DPA”), … Continue Reading

California Sets Forth Further Legislation Imposing New Obligations on Companies

Over the past few weeks, California Republican lawmakers have introduced a new package of legislation called “Your Data, Your Way,” which would expand and strengthen consumer privacy rights beyond what is required by the new California Consumer Privacy Act (CCPA). The “Your Data, Your Way” package is comprised of bills that would impose new obligations … Continue Reading

Washington State Proposes Sweeping Privacy Legislation

On Jan. 17, 2019, a new privacy law was proposed in the Washington state Senate. If passed, the Washington Privacy Act would impose far-reaching responsibilities on companies to protect the privacy of “personal data.” Lifting many provisions almost entirely from the text of the European Union’s General Data Protection Regulation (GDPR), the legislation would arguably … Continue Reading

Racing to Meet the 72-hour Deadline to Report a Personal Data Breach in the EU? A GDPR Resource Is Available

Companies face substantial challenges in complying with breach notification requirements under Article 33 of the General Data Protection Regulation (GDPR). Article 33 requires a data controller to report a personal data breach to European Union (EU) supervisory authorities within 72 hours of becoming aware of the breach if it is likely to result in a … Continue Reading

Advocate General Opinion Supports Limiting the “Right to be Forgotten” to the EU

On January 10, Advocate General Maciej Szpunar released an opinion recommending that Google and other search engines should not be forced to apply the EU’s “right to be forgotten” beyond the EU. The advocates general assist the judges of the Court of Justice of the European Union (CJEU), providing independent legal solutions to issues presented … Continue Reading

Brazil Enacts Measure Creating a Data Supervisory Authority; Delays Implementation of the LGPD

While the inauguration of a polarizing new president dominated the news of Brazil around the beginning of the new year, outgoing President Michel Temer, before leaving office, issued an executive order that has important ramifications for Brazil’s recently enacted General Data Protection Regulation (Lei Geral de Proteção de Dados or LGPD). Provisional Measure No. 869/2018 … Continue Reading

New FTC Provides Insights Into Its Plan for a Balanced Approach to Data Privacy and Security

This year brought unprecedented focus on consumer privacy – the rollout of the European Union General Data Protection Regulation (GDPR), the Cambridge Analytica controversy and Congressional hearings, a GDPR-light law coming out of California, more and bigger security incidents, and multiple proposals for an omnibus federal data protection law. The Federal Trade Commission (FTC or … Continue Reading

New Guidance on GDPR Data Processing Contracts Published by the UK ICO

The U.K. Information Commissioner’s Office (ICO) recently published guidance on contracts between controllers and processors. This new guidance provides a more in-depth and detailed discussion of the key issues than did a previously released primer published by the ICO, which set out key points along with helpful checklists. The new guidance discusses (1) when a … Continue Reading

Cookies and Consent Under the EU GDPR

According to a recent story published by The Register, the U.K. data privacy watchdog, the Information Commissioner’s Office (ICO) has issued a warning to the U.S.-based newspaper The Washington Post (WaPo) about obtaining consent under the EU General Data Protection Regulation (GDPR) and allowing its readers to switch off tracking and cookies. Article 6(1) of … Continue Reading

The Weekly Privacy Rewind

Class Actions Pennsylvania Supreme Court Declares Employers Have Affirmative Duty to Protect Employee Personal Information • According to a recent opinion by the Pennsylvania Supreme Court, “an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.” • The putative … Continue Reading

GDPR Spurring Legal Reforms in South America With New Legislation in Brazil

As organizations continue to grapple with the requirements of the EU General Data Protection Regulation (GDPR) even months after its effective date, one thing is clear: The impact of the regulation extends far beyond an organization’s European operations. The global effects of the GDPR are even more apparent when one surveys new and proposed data … Continue Reading