On April 29, 2021, the national legislator in China released the second draft of the Personal Information Protection Law (“PIPL”) to collect public comments until May 28, 2021. The updated draft substantially follows the framework of the first draft, which marks China’s comprehensive system for the protection of personal information, sets forth general rules for the processing and transferring of personal information across China’s borders, and echoes certain mechanisms under the EU’s General Data Protection Regulation (“GDPR”), including application of extraterritorial jurisdiction, with which China would use long-arm jurisdiction to regulate the concerned entities across borders. This approach reflects China’s position that privacy law is an important component of China’s long term strategy on the international stage. In fact, the PIPL expressly contemplates China’s engagement with other jurisdictions (at both the country and regional levels) to try to create “interoperability” with these other privacy systems. Below we summarize key terms of the updated draft PIPL. Continue Reading China Released Second Draft of Personal Information Protection Law
In a long awaited decision, the European Commission (“Commission’) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the, now repealed, Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.
It is important to note that the new set of SCCs is significantly different than the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor”, the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form. Continue Reading Out With the Old, In With the New: New GDPR Standard Contractual Clauses
There have been seminal events in the cybersecurity space since 2012, but there has likely been no event in recent times bigger than the SolarWinds attack which was first announced in December 2020. Though it likely had “nation-state” origins, the SolarWinds attack raised a number of serious issues for US companies and indeed the US Government itself.
We don’t have all the answers but we have some. Join us on Wednesday, May 26, 2021 from 12 p.m. to 1:15 p.m. CT, when this all-star panel will discuss critical issues raised by the attack like: patch management, software development, third party vendor risk management, and vulnerability management. The panel will also discuss strategies to increase cyber-risk and systemic-risk communications between the board, C-Suite and IT so that issues are both raised, appreciated, and dealt with on a timely basis. Cybersecurity is a team sport, and indeed likely one of the most important ones of our generation. We hope you can join us for this event.
Paul A. Ferrillo, Privacy & Cybersecurity Partner, Seyfarth
Jerry Bessette, Senior VP, Booz Allen’s Cyber Incident Response Program
Chris Cummiskey, CEO, Cummiskey Strategic Solutions, LLC
Kate Fazzini, CEO, Flore Albo LLC
Robert Zukis, CEO, Digital Directors Network
If you have any questions, please contact Morgan Coury at email@example.com and reference this event.
*This webinar is accredited for CLE in CA, IL, NJ, and NY. Credit will be applied for as requested for TX, GA, WA, NC, FL and VA. The following jurisdictions accept reciprocal credit with these accredited states, and individuals can use the certificate they receive to gain CLE credit therein: AZ, CT, ME, NH. The following jurisdictions do not require CLE, but attendees will receive general certificates of attendance: DC, MA, MD, MI, SD. For all other jurisdictions, a general certificate of attendance and the necessary materials will be issued that can be used in other jurisdictions for self-application.
This was originally published as a Seyfarth Legal Update.
Seyfarth Synopsis: As the world progresses with COVID vaccinations, the scenario where you have to show a COVID passport before crossing a border, taking a public mode of transportation, or entering a public space like a cinema no longer seems like a scene out of a dystopian sci-fi movie. Colloquially dubbed the “COVID passport,” the concept refers to various forms of a certificate of COVID vaccination and/or negative test status recognized on a national or inter-state basis, the use of which remains a controversial topic at this juncture, giving rise to technical, legal and ethical concerns.
Having said that, some countries have already adopted or proposed adopting various versions of COVID passports on a national or inter-member states basis, such as the “Green Pass” for visiting certain premises or events within Israel, the “Green Health Code” for domestic travel and entry into certain premises within mainland China, and the proposed “Digital Green Certificate” for travelling between member countries of EU and abroad. The decentralized initial approach and the practical challenges of implementing an universally recognized COVID passport remains as the world grapples with the COVID-19 pandemic. Continue Reading Overview of Technology and Data Privacy Issues Arising from COVID Passports
Seyfarth Synopsis: Both Portland and New York City have followed the example set by Illinois’ Biometric Information Privacy Act (“BIPA”), a statute that has spawned thousands of cookie-cutter class action suits regarding the alleged collection of biometric information. Like BIPA, these new ordinances create a private right of action for individuals that could subject local businesses to potentially millions of dollars in liability. Businesses in these cities should carefully review these new ordinances as well as any technology they be using that has the potential to collect biometric information.
Cross-posted from Seyfarth’s Workplace Class Action Blog.
Seyfarth Synopsis: Following in the footsteps of New York, Maryland recently introduced a standalone biometric information privacy bill, House Bill 218, that mirrors Illinois’ highly litigious Biometric Information Privacy Act (740 ILCS § 14/1 et seq., “BIPA”) in many respects. Most notably, as presently drafted, Maryland’s proposed bill, like Illinois’ BIPA, provides for a private right of action, statutory penalties, and plaintiffs’ attorneys’ fees – which has spawned thousands of class actions in the Land of Lincoln. If enacted, the Maryland bill would become only the second biometric privacy act in the United States to provide a private right of action and plaintiffs’ attorneys’ fees for successful litigants. This represents a significant development for companies and employers operating in Maryland in light of the explosion of class action litigation that has arisen from Illinois’ BIPA in recent years. Moreover, the recent introduction of such bills in Maryland and New York signal that states are increasingly modeling proposed biometric privacy litigation on Illinois’ BIPA. Employers must take notice and monitor such developments to avoid being subject to a class action lawsuit – particularly as the purposes for utilizing such technology continue to expand. Continue Reading Maryland Joins Growing Number Of States Introducing Biometric Information Privacy Bills With Potential To Spur Class Action Litigation
Cross-posted from Seyfarth’s Workplace Class Action Blog.
Seyfarth Synopsis: The New York state legislature recently introduced a standalone biometric information privacy bill, AB 27, that mirrors Illinois’ Biometric Information Privacy Act (740 ILCS § 14/1 et seq., “BIPA”), which has spawned thousands of class actions in the Land of Lincoln. If enacted, The New York bill would become only the second biometric privacy act in the United States to provide a private right of action and plaintiffs’ attorneys’ fees for successful litigants. This represents a significant development for companies and employers operating in New York in light of the explosion of class action litigation over workplace privacy issues. Continue Reading Employers Take Note – New York Introduces A Biometric Information Privacy Bill Identical To The Illinois BIPA
California has once again decided it needed to pass privacy legislation to protect the residents of the great state from the nefarious actions of Big Tech. However, this time they did it with a ballot initiative and not via the thoughtful (mostly) mechanism of the legislative process. The proponents of the California Privacy Rights Act of 2020 (“CPRA”) touted this as an improvement over the CCPA – but is it really? To listen to the proponents of the CPRA, it aims to strengthen California consumer privacy rights, while for the most part, avoiding the imposition of overly-burdensome requirements on a business, particularly those businesses that are already CCPA compliant. So, what’s changed, really? Continue Reading California Prop 24 – Is the New Privacy Law Really New (Or Is the Sky Falling)
Today, the Court of Justice of the EU has handed down its judgment in the highly-anticipated Facebook Ireland case (aka Schrems II) and invalidated the Privacy Shield Decision. For those of you who have followed this case, the CJEU took a “left turn at Albuquerque” in its decision since the primary contention of Mr. Schrems was that the Commission Decision around Standard Contractual Clauses (“SCCs”) was invalid.
While the Court did opine on the SCC issue, it didn’t stop there. The Court actually took up a broader scope and addressed the validity of the Privacy Shield decision. In a mentally acrobatic exercise, we ended up with a judgment that preserved the SCCs decision (kind of), but invalidated the Privacy Shield Decision – even after there had been multiple renewals of the adequacy finding of Privacy Shield in the past. Additionally, along with the logical gymnastics around Privacy Shield, the SCCs aren’t quite out of the woods yet. Continue Reading CJEU Invalidates EU-US Privacy Shield Framework