Data Privacy

International Transfers at Risk – The EDPB’s Guidelines on International Transfers Post-Schrems II

On November 11, 2020, the European Data Protection Board (EDPB) published its long-awaited guidance on what parties to international data transfers should be doing to perform such transfers in a manner compliant with the Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) in light of the European Court of Justice’s (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Schrems II).

Unfortunately, the draft guidelines provide no panacea for companies engaged in international data transfers of personal data from the EEA to third countries. Instead, organizations face 55 pages of guidance that provide few workable solutions for international data transferors—apart from a lengthy protocol for conducting risk assessments. READ MORE

Exemplary and Record-Breaking: After a Two-Year Investigation, the UK’s ICO Issues British Airways with Its Largest Fine to Date (£20m)

When British Airways (“BA”) suffered a significant personal data breach in September 2018, just months after the coming into force of the EU General Data Protection Regulation (“GDPR”), all eyes were on the UK’s Information Commissioner’s Office (“ICO”). Would the ICO use the UK’s flagship airline as a “poster child” for post GDPR enforcement? Was this the moment that much-hyped fines of up to 4% of global turnover come to pass? READ MORE

Sedona Conference Proposes Legal Test for “Reasonable Security”

The legal risks associated with cybersecurity continue to increase, as regulators and plaintiffs’ lawyers become more and more aggressive in bringing cybersecurity claims under existing laws and as legislatures continue to enact new ones. A key element of many of the cybersecurity claims brought under these laws is a requirement to show that the company in question failed to implement “reasonable” security for personal information. California’s new Consumer Privacy Act (“CCPA”), for instance, allows consumers to sue businesses for statutory damages when specified types of personal information are subject to unauthorized access and exfiltration, theft, or disclosure because of a failure to implement and maintain “reasonable” security measures and the business has not cured the alleged violation within the CCPA’s pre-suit period. Cal. Civ. Code § 1798.150. Even though consumers often suffer no injury in a data beach, the CCPA provides for statutory damages of $100–$750 per consumer per incident. READ MORE

Have EU Employees? Beware: H&M Slapped with Massive GDPR Fine for Wrongful Processing of Employee Data, Despite Cooperation

On October 1st, 2020, the Data Protection Authority of Hamburg (“DPA”) announced that it issued a massive EUR 35.3 million fine against the clothing company H&M Hennes & Mauritz Online Shop A.B. & Co. KG (“H&M”) for the alleged wrongful collection of data of a couple of hundred employees which related to their private life (the English press release can be accessed here). This is the highest fine that has ever been issued in Germany, sending a strong signal to companies to ensure they comply with the data protection law when they process employee data. READ MORE

UK National Data Strategy: A Step in the Wrong Direction for EU Data Adequacy?

In September 2020, the UK government published its National Data Strategy (“NDS”), aiming to use data to boost the UK economy and to “unlock the power of data for the UK,” particularly in light of Brexit. The NDS is intended to set out the UK’s government focus on data, following the recent announcement that responsibility for government use of data will move from the Department for Digital Culture Media and Sport to the Cabinet Office. READ MORE

SWISS-U.S. PRIVACY SHIELD: SCHREMS 2.0’S LATEST VICTIM?

Following the CJEU’s invalidation of the EU Commission’s adequacy decision on the EU-U.S. Privacy Shield in Schrems 2.0, on  September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) found that the Swiss-U.S. Privacy Shield does not meet the data protection standards set by the country’s Federal Act on Data Protection (FADP). READ MORE

Brazil’s LGPD Poised to Take Effect in a Matter of Days

Brazil’s long-anticipated data protection law, Lei Geral De Proteção de Dados Pessoais (“General Law for Data Protection” or “LGPD”), now appears positioned to take effect in a matter of days.  Ever since the law was originally passed in August 2018, implementation and enforcement timelines have been in flux.  In a rather sudden turn of events last week, however, dramatic back-to-back votes by each house of Brazil’s National Congress now put the substantive provisions of the LGPD on track to take effect in a few days’ time, upon approval by Brazil’s president.  The LGPD’s administrative fines and sanctions provisions remain scheduled to take effect next year in August 2021. READ MORE

CA Businesses Poised to Have CCPA Compliance Deadline Extended for B2B and Employee Data

The California legislature has passed AB 1281 to the Governor’s desk for signature and, given the absence of legislative opposition, it appears the bill is now well positioned to be signed into law.  AB-1281 extends by one year the expiration date of the business-to-business (“B2B”) and employee-related exemptions provided for under the California Consumer Privacy Act (“CCPA”) (previously discussed here).  If signed into law, it will give California businesses at least one more year to work on folding employee and B2B data into their existing CCPA compliance programs, a welcome reprieve for California employers facing a resurgence of coronavirus cases in workplaces around the State.  READ MORE

German Supervisory Authority Publishes First Substantive Guidance on International Data Transfers in the Post Schrems 2.0 Era

On 16 July, 2020 the European Court of Justice (“CJEU”) published its decision invalidating the EU-U.S. Privacy Shield and setting out enhanced requirements for using the so-called Standard Contractual Clauses for Processors (Decision 2016/1250 – “SCCs”) (judgement C-311/18 – “Schrems II”). See our previous blog on the Schrems II decision for further details. Shortly thereafter, the European Data Protection Board (“EDPB”) adopted FAQs (see our follow-up blog post), which mainly focused on how to conduct the required risk assessment in connection with the SCCs. READ MORE

Final CCPA Regulations Effective Immediately With Last-Minute Revisions

On August 14, 2020, the California Office of Administrative Law (“OAL”) approved the final implementing regulations pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). This final and approved version of the CCPA regulations went into effect immediately and contains a last round of revisions to language that has been refined across several iterative drafts.[1] While the majority of the changes are grammatical in nature and will have no effect on CCPA compliance requirements, there were a few substantive changes that could impact certain businesses. READ MORE