The Colorado Privacy Act (“CPA”), Colorado’s first comprehensive consumer privacy law, came into effect on July 1, 2023. Like many new privacy laws, though, there has been uncertainty surrounding when meaningful enforcement...more
To date, US non-profit organizations have enjoyed an exemption from the state omnibus privacy laws. That’s about to change. Unlike the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA),...more
Two and a half years after the Schrems II decision invalidated the EU-US Privacy Shield, the EU and US are inching closer to a replacement data transfer mechanism for EU to US personal data transfers. On 13 December 2022, the...more
Under the PRC Cybersecurity Law, PRC Personal Information Protection Law and PRC Data Security Law, certain organisations (as well as individuals) are now required to conduct a security assessment of outbound transfers of...more
On October 7, President Joe Biden signed an Executive Order (EO) on Enhancing Safeguards for United States Signals Intelligence Activities, which is intended to move forward next steps in the EU US Privacy Shield Framework...more
10/24/2022
/ Biden Administration ,
Compliance ,
Compliance Dates ,
EU ,
EU-US Privacy Shield ,
Executive Orders ,
Foreign Intellgence ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
National Intelligence Agencies ,
National Security ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
Surveillance
Unless the California legislature acts soon, the scope of information subject to the California Privacy Rights Act (“CPRA”) will include all employee or human resource-related personal information on January 1, 2023. To date,...more
6/15/2022
/ California Consumer Privacy Act (CCPA) ,
California Privacy Rights Act (CPRA) ,
Data Privacy ,
Data Subjects Rights ,
Employee Privacy Rights ,
Employer Liability Issues ,
Employer Responsibilities ,
Exemptions ,
Human Resources Professionals ,
Personal Data ,
Personnel Records ,
Risk Management
It is well known that the EU GDPR (specifically, Chapter V) restricts transfers of personal data from the EU to a “third country” (i.e. a jurisdiction outside the EEA) or to an international organisation. But what is meant by...more
12/2/2021
/ Consultation ,
Corporate Counsel ,
Data Controller ,
Data Processors ,
EU ,
EU Data Protection Laws ,
European Data Protection Board (EDPB) ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Multinationals ,
New Guidance ,
Personal Data ,
Standard Contractual Clauses ,
Third Country Entities (TCEs)
On 11 August, the UK Information Commissioner’s Office launched a consultation paper on “International transfers under UK GDPR”. The documents released alongside the paper include a draft International Data Transfer Agreement...more
8/16/2021
/ Consultation ,
Corporate Counsel ,
EU ,
European Commission ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Personal Data ,
Risk Assessment ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
UK
The European Commission recently adopted new standard contractual clauses (SCCs) for transfers of personal data from the EU to “third countries” (the “new SCCs”). In this post, we highlight key developments in the UK’s data...more
7/9/2021
/ Data Controller ,
Data Processors ,
EU ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
International Data Transfers ,
Member State ,
Personal Data ,
Standard Contractual Clauses ,
UK ,
UK Brexit
On 28 June, the European Commission adopted its Adequacy Decision for the UK, putting to an end (at least for now), the uncertainty surrounding EU to UK personal data flows. This averted a “cliff edge” in the shape of the 30...more
According to a press release of the data protection authority (DPA) of Lower Saxony earlier this month, nine German DPAs will participate in a coordinated audit of companies in Germany regarding their transfers of personal...more
6/30/2021
/ Audits ,
Court of Justice of the European Union (CJEU) ,
Data Controller ,
Data Processors ,
Data Protection Authority ,
EU ,
European Economic Area (EEA) ,
FISA ,
General Data Protection Regulation (GDPR) ,
Germany ,
International Data Transfers ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses
The European Commission published a draft Adequacy Decision for the UK on 19 February. That document remains in draft, though it is understood to have successfully cleared the last formal approval stage required....more
6/21/2021
/ Adequacy Requirement ,
Data Protection ,
EU ,
European Commission ,
European Data Protection Board (EDPB) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Member State ,
Personal Data ,
Standard Contractual Clauses ,
UK
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated in “Schrems II” the EU–U.S. Privacy Shield framework, while upholding the Standard Contractual Clauses (SCCs) as a valid mechanism for...more
6/16/2021
/ Binding Corporate Rules ,
Court of Justice of the European Union (CJEU) ,
EU ,
EU-US Privacy Shield ,
European Commission ,
European Economic Area (EEA) ,
General Data Protection Regulation (GDPR) ,
International Data Transfers ,
Personal Data ,
Schrems I & Schrems II ,
Standard Contractual Clauses ,
Trade Agreements
Colorado recently introduced a new privacy bill, the Colorado Privacy Act (CPA). The CPA has certain similarities with the well-known California Consumer Privacy Act (CCPA) and Virginia’s Consumer Data Protection Act (VCDPA)....more
The European Commission adopted revised standard contractual clauses for international transfers (the “new SCCs”) on Friday, 4 June 2021. The new SCCs incorporate a number of additional provisions intended to strengthen the...more
The current expectation is that the European Commission will issue the new SCCs in two weeks’ time (though this could be subject to delay).
On 12 November 2020, the European Commission published a revised set of draft...more
On November 3, 2020, Californians voted to pass Proposition 24, expanding and modifying the California Consumer Privacy Act (“CCPA”), which came into force on January 1, 2020. The new California Privacy Rights Act (“CPRA”)...more
Yes, provided that the “opt-out” selection is the default when the banner loads and no behavioural or analytics cookies load prior to an “opt-in” by the data subject.
A data subject’s consent to the use of analytics or...more
Probably not.
A data subject’s consent to the use of analytics or behavioural cookies must be a valid “affirmative act.” While it may be argued that the data subject is indeed performing an “affirmative act” by continuing...more
Yes.
European data privacy law distinguishes between session cookies that, for example, allow a website to function properly, and behavioural advertising cookies that are unnecessary for the functioning of the website. ...more
7/30/2019
/ Advertising ,
Behavioral Advertising ,
Cookies ,
Data Protection ,
EU ,
General Data Protection Regulation (GDPR) ,
Opt-In ,
Personal Data ,
Prior Express Consent ,
Privacy Laws ,
Web Browsers ,
Websites
Yes.
European data privacy law distinguishes between session cookies that, for example, allow a website to function properly, and analytics cookies that are unnecessary for the functioning of the website. With respect to...more
Probably not.
A cookie can qualify as “personal data” under GDPR when it can be linked to an individual person. Even in instances where a cookie cannot be linked, it is still governed by the ePrivacy Directive and...more
7/24/2019
/ Consent ,
Cookie Banners ,
Cookies ,
e-Privacy Directive ,
EU ,
EU Data Protection Laws ,
General Data Protection Regulation (GDPR) ,
Information Commissioner's Office (ICO) ,
Personal Data ,
Popular ,
Prior Express Consent ,
Privacy and Electronic Communications Regulation 2003 (PECR). ,
UK