On July 10th, the European Commission issued its Implementing Decision regarding the adequacy of the EU-US Data Privacy Framework (“DPF”). The Decision has been eagerly awaited by US and Europe based commerce, hoping it will help business streamline cross-Atlantic data transfers, and by activists who have vowed to scrutinize the next framework arrangement (thereby maintaining their relevance). Regardless of the legal resiliency of the decision, it poses an interesting set of considerations for US businesses, not the least of which is whether or not to participate in the Framework.

For those who followed the development and demise of the Privacy Shield program and the Schrems II case, it has been apparent for some time that the fundamental objection of the activists and the Court of Justice of the EU (“CJEU”) to the original Privacy Shield was the perception that the US intelligence community had an ability to engage in disproportional data collection without any possibility of recourse by EU residents whose personal information may be swept into an investigation. The actual functioning of the program for the certifying businesses were much less controversial.

Since the structure of the program wasn’t the primary reason for Privacy Shield’s revocation, from a business perspective, the current DPF looks a lot like the old Privacy Shield. For businesses who made the decision to participate in the Privacy Shield program in the past, the operational burden shouldn’t be much different under the new DPF, if they have already taken steps to operationalize the requirements.

What is interesting about the new DPF is how it may impact a company’s decision to choose  between the Standard Contractual Clauses (“SCCs”) and the alternative adequacy mechanism for transfers. There is also some interest vis-à-vis the DPF and its interactions with state privacy laws.Continue Reading Adequacy for the US (kind of) – But What Are the Side Effects?

On 16 November 2022, EU Regulation 2022/2065, better known as the Digital Services Act (“DSA”), came into force. The DSA is a key development in the use of online services in the European Union (“EU”), with an impact on online services as significant as the one which the General Data Protection Regulation (“GDPR”) had upon the collection, use, transfer, and storage of data originating in the EU on 25 May 2018.

Ambit

The DSA sets out rules and obligations for digital services providers that act as intermediaries in their role of connecting consumers with goods, services, and content.  

Its goal is to regulate and control the dissemination of illegal or harmful content online, provide more consumer protection in online marketplaces, and to introduce safeguards for internet users and users of digital services. It also introduces new obligations for major online platforms and search engines to prevent such platforms being abused.Continue Reading The EU Digital Services Act: Overview and Impact

In a long awaited decision, the European Commission (“Commission’) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the, now repealed, Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.

It is important to note that the new set of SCCs is significantly different than the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor”, the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form.
Continue Reading Out With the Old, In With the New: New GDPR Standard Contractual Clauses

There have been seminal events in the cybersecurity space since 2012, but there has likely been no event in recent times bigger than the SolarWinds attack which was first announced in December 2020. Though it likely had “nation-state” origins, the SolarWinds attack raised a number of serious issues for US companies and indeed the US

Today, the Court of Justice of the EU has handed down its judgment in the highly-anticipated Facebook Ireland case (aka Schrems II) and invalidated the Privacy Shield Decision. For those of you who have followed this case, the CJEU took a “left turn at Albuquerque” in its decision since the primary contention of Mr. Schrems was that the Commission Decision around Standard Contractual Clauses (“SCCs”) was invalid.

While the Court did opine on the SCC issue, it didn’t stop there. The Court actually took up a broader scope and addressed the validity of the Privacy Shield decision. In a mentally acrobatic exercise, we ended up with a judgment that preserved the SCCs decision (kind of), but invalidated the Privacy Shield Decision – even after there had been multiple renewals of the adequacy finding of Privacy Shield in the past. Additionally, along with the logical gymnastics around Privacy Shield, the SCCs aren’t quite out of the woods yet.
Continue Reading CJEU Invalidates EU-US Privacy Shield Framework

While a lot of ink has been spilled on the California Consumer Privacy Act (“CCPA”) over the last 18 months, one of the things which has become quite apparent to those of us who view privacy through a lens which considers both EU and US perspectives is that the CCPA is actually not an EU-style law. Except for the right to delete data, all the consumer rights in the CCPA actually existed (albeit in a much less aggressive form) for many categories of information under prior California law. When one considers the number of carve-outs to the deletion right, the CCPA actually looks a lot like what is the more traditional approach to privacy that is prevalent under US jurisprudence.
Continue Reading Europe’s Privacy Law is Coming – Just Not Via California

On Thursday, July 11, 2019, a diverse group of trade associations spanning numerous industries, including retail, telecom, manufacturing, and food and beverage, urged Congress to enact a consumer privacy law.  In a letter to the Senate and House commerce committees, the coalition of 27 industry groups asked Congress “to act quickly to adopt a robust

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4%

Cross-posted from Carpe Datum Law

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help prepare and reduce the cost of EU GDPR compliance.
Continue Reading Is your organization ready for the new EU General Data Protection Regulation?

The General Data Protection Regulation is coming, and along with it, a significant expectation of increased harmonization in the privacy rules across the EU. Considering the 60-plus articles which directly impose obligations on controllers and processors, this isn’t an unreasonable sentiment. However (as is often the case with the EU), reality is a bit more