In the last year, we continued to see a shift in the privacy landscape of the United States, including the passage of comprehensive privacy legislation in both Virginia and Colorado, while other states still have bills under...more
On 28 January 2022 (Data Protection Day), the UK’s International Data Transfer Agreement (“IDTA”) and International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses (the “EU Addendum”) were...more
Organizations experiencing a security incident must grapple with numerous competing issues simultaneously, usually under a very tight timeframe and the pressure of significant business disruption. Engaging qualified service...more
In the last year, we continued to see a shift in the privacy landscape of the United States, including the passage of comprehensive privacy legislation in both Virginia and Colorado, while other states still have bills under...more
1/21/2022
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
COPPA ,
Covered Entities ,
Data Collection ,
FERPA ,
GLBA Privacy ,
Health Insurance Portability and Accountability Act (HIPAA) ,
International Data Transfers ,
Personal Information ,
Prior Express Consent ,
Proposed Legislation
The security incident response process inevitably brings a myriad of challenges for a company unfortunate enough to experience one. Although implementing an appropriate communication strategy may not be at the top of the list...more
On November 3, 2020, Californians voted to pass Proposition 24, expanding and modifying the California Consumer Privacy Act (“CCPA”), which came into force on January 1, 2020. The new California Privacy Rights Act (“CPRA”)...more
It is well known that the EU GDPR (specifically, Chapter V) restricts transfers of personal data from the EU to a “third country” (i.e. a jurisdiction outside the EEA) or to an international organisation. But what is meant by...more
12/2/2021
/ Consultation ,
Corporate Counsel ,
Data Controller ,
Data Processors ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Multinationals ,
New Guidance ,
Personal Data ,
Standard Contractual Clauses ,
Third Country Entities (TCEs)
What is a data protection impact assessment (DPIA)?
A data protection impact assessment or data protection assessment (DPIA) is a form of risk assessment that is designed to help organizations identify, analyze and...more
On November 3, 2020, Californians voted to pass Proposition 24, expanding and modifying the California Consumer Privacy Act (“CCPA”), which came into force on January 1, 2020. The new California Privacy Rights Act (“CPRA”)...more
On 11 August, the UK Information Commissioner’s Office launched a consultation paper on “International transfers under UK GDPR”. The documents released alongside the paper include a draft International Data Transfer Agreement...more
8/16/2021
/ Consultation ,
Corporate Counsel ,
EU ,
European Commission ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Personal Data ,
Risk Assessment ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
UK
In short, no. It is not necessary to use both the new SCCs and the new Article 28 clauses at the same time....more
This depends on whether you are looking at (a) entering into new data transfer agreements or (b) repapering existing ones. The longstop date for repapering existing agreements is 27 December 2022; however, the new EU SCCs...more
On July 7, 2021, Governor Jared Polis officially signed the Colorado Privacy Act (“CPA”) into law, after the bill had passed both the Colorado House and Senate in June. The effective date of the CPA is July 1, 2023....more
The European Commission recently adopted new standard contractual clauses (SCCs) for transfers of personal data from the EU to “third countries” (the “new SCCs”). In this post, we highlight key developments in the UK’s data...more
7/9/2021
/ Data Controller ,
Data Processors ,
EU ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Member State ,
Personal Data ,
Standard Contractual Clauses ,
UK ,
UK Brexit
On 28 June, the European Commission adopted its Adequacy Decision for the UK, putting to an end (at least for now), the uncertainty surrounding EU to UK personal data flows. This averted a “cliff edge” in the shape of the 30...more
Session Replay Software is a type of software typically utilized by businesses with consumer-facing websites. These businesses are typically very interested in making their website more interactive and responsive to consumer...more
According to a press release of the data protection authority (DPA) of Lower Saxony earlier this month, nine German DPAs will participate in a coordinated audit of companies in Germany regarding their transfers of personal...more
6/30/2021
/ Audits ,
Court of Justice of the European Union (CJEU) ,
Data Controller ,
Data Processors ,
Data Protection Authority ,
EU ,
European Economic Area (EEA) ,
FISA ,
General Data Protection Regulation (GDPR) ,
Germany ,
International Data Transfers ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses
The European Commission published a draft Adequacy Decision for the UK on 19 February. That document remains in draft, though it is understood to have successfully cleared the last formal approval stage required....more
6/21/2021
/ Adequacy Requirement ,
Data Protection ,
EU ,
European Commission ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Member State ,
Personal Data ,
Standard Contractual Clauses ,
UK
This article explores the topic of appointed representatives under Article 27 of the GDPR. What are they? When do you need one? How is regulatory enforcement starting to play out in the EU and in the UK on this issue?...more
6/21/2021
/ Appointed Public Officials ,
Data Controller ,
Data Processors ,
Data Protection ,
Data Protection Authority ,
Enforcement Authority ,
EU ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
Registered Representatives ,
Regulatory Requirements ,
UK
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated in “Schrems II” the EU–U.S. Privacy Shield framework, while upholding the Standard Contractual Clauses (SCCs) as a valid mechanism for...more
6/16/2021
/ Binding Corporate Rules ,
Court of Justice of the European Union (CJEU) ,
EU ,
EU-US Privacy Shield ,
European Commission ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
Trade Agreements
Colorado recently introduced a new privacy bill, the Colorado Privacy Act (CPA). The CPA has certain similarities with the well-known California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (VCDPA)....more
The European Commission adopted revised standard contractual clauses for international transfers (the “new SCCs”) on Friday, 4 June 2021. The new SCCs incorporate a number of additional provisions intended to strengthen the...more
The current expectation is that the European Commission will issue the new SCCs in two weeks’ time (though this could be subject to delay).
On 12 November 2020, the European Commission published a revised set of draft...more
The last few years have witnessed remarkable changes in the privacy world. The GDPR, the CCPA, the invalidation of the EU-US Privacy Shield framework and the related obligations resulting from the Schrems II decision - to...more
5/7/2021
/ Binding Corporate Rules ,
California Consumer Privacy Act (CCPA) ,
Data Controller ,
Data Processors ,
EU ,
EU-US Privacy Shield ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
Importers ,
International Data Transfers ,
Privacy Laws ,
Risk Assessment ,
Schrems I & Schrems II ,
Standard Contractual Clauses
On March 15, 2021, California Attorney General, Xavier Becerra, announced additional California Consumer Privacy Act (CCPA) regulations. These new changes went into effect on March 15, 2021....more