Following the CJEU’s invalidation of the EU Commission’s adequacy decision on the EU-U.S. Privacy Shield in Schrems 2.0, on September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) found that the Swiss-U.S. Privacy Shield does not meet the data protection standards set by the country’s Federal Act on Data Protection (FADP). READ MORE
Brazil’s long-anticipated data protection law, Lei Geral De Proteção de Dados Pessoais (“General Law for Data Protection” or “LGPD”), now appears positioned to take effect in a matter of days. Ever since the law was originally passed in August 2018, implementation and enforcement timelines have been in flux. In a rather sudden turn of events last week, however, dramatic back-to-back votes by each house of Brazil’s National Congress now put the substantive provisions of the LGPD on track to take effect in a few days’ time, upon approval by Brazil’s president. The LGPD’s administrative fines and sanctions provisions remain scheduled to take effect next year in August 2021. READ MORE
On 16 July, 2020 the European Court of Justice (“CJEU”) published its decision invalidating the EU-U.S. Privacy Shield and setting out enhanced requirements for using the so-called Standard Contractual Clauses for Processors (Decision 2016/1250 – “SCCs”) (judgement C-311/18 – “Schrems II”). See our previous blog on the Schrems II decision for further details. Shortly thereafter, the European Data Protection Board (“EDPB”) adopted FAQs (see our follow-up blog post), which mainly focused on how to conduct the required risk assessment in connection with the SCCs. READ MORE
EDPB and data protection authorities’ views and statements on the “Schrems II”- decision by the CJEU
On 16 July, 2020, the European Court of Justice (“CJEU“) passed a decision invalidating the EU-US Privacy Shield and calling into question the Standard Contractual Clauses (“SCCs“) (judgement C-311/18 – “Schrems II“). The shockwaves of the decision were felt worldwide and companies are now scrambling to make sense of sometimes conflicting guidance published by various EU supervisory authorities. READ MORE
Whatever the outcome of Schrems 2.0, the key takeaway is, don’t panic.
Tomorrow, July 16, 2020, the European Court of Justice (CJEU) is expected to rule in the case of Data Protection Commissioner Ireland v Facebook Ireland Limited, Maximillian Schrems, colloquially known as “Schrems 2.0”.
The main ingredients haven’t changed much for this long-awaited sequel to the decision that invalidated the Safe Harbor regime in 2015: Austrian data protection activist Max Schrems, Facebook Ireland, Ltd, and another commonly used international personal data transfer mechanism on the chopping block for invalidation.
This time around the court is considering the validity of the Standard Contractual Clauses (SCC) adopted by the European Commission, which goes beyond EU-U.S. transfers and could affect most agreements governing data sharing between the EU and the rest of the world. Regardless of the outcome, tomorrow’s decision is going to have a profound impact on the way international data transfers are treated for years to come – but the key takeaway is not to panic. In this blog post, we have set out the three potential rulings open to the CJEU and what steps you can take to following such a ruling. READ MORE
We expect national and international privacy regulators to take a pragmatic and reasonable approach to helping organisations navigate data protection compliance during the current COVID-19 crisis. This week, both the European Data Protection Supervisor (the “EDPS”) and the UK’s Information Commissioner’s Office (the “ICO”) have shown that expected pragmatism. READ MORE
Happy New Year! At long last, the California Consumer Privacy Act of 2018 (“CCPA”) went into effect yesterday, January 1, 2020. For those who have not yet heard, the CCPA establishes a comprehensive legal framework to govern the collection and use of personal information, both online and offline, and provides unprecedented privacy rights to California consumers, in effect becoming the de facto national standard for U.S. privacy law. The law introduces new legal risks and considerations for companies that collect information from California consumers, due to the law’s expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, potential for statutory fines and, in the event of a security incident, the potential for consumer class action litigation. READ MORE
Following in California’s footsteps, Nevada has passed a new privacy law providing consumers the right to opt out of the sale of their personal information. Senate Bill 220 (SB-220), signed into law by Governor Steve Sisolak on May 29, 2019, amends Nevada’s existing online privacy statute, NRS 603A.340, to include a requirement that online operators provide consumers with a means to opt out of the sale of specific personal information collected by websites or online services. The act goes into effect on October 1, 2019 – three months ahead of the January 1, 2020 effective date of the California Consumer Privacy Act (CCPA) – which may force companies to fast track implementation efforts for opt-out requests in particular. READ MORE
Today, Orrick announced the launch of our automated CCPA Readiness Assessment Tool which helps businesses globally determine whether they are covered by the California Consumer Privacy Act (CCPA) and, if yes, their readiness to comply with the new law that is revolutionizing the United States privacy landscape. This free tool is available to all organizations and takes 10-30 minutes to complete. It segments the CCPA into five workable themes and guides users through a series of dynamic questions relating to each theme. Upon completion of the questionnaire, the tool provides a free and comprehensive readiness assessment tailored to the business’s unique positioning and individual needs.