The UK’s Data (Use and Access) Act received Royal Assent last Thursday, June 19th, bringing into law some significant changes to the country’s post Brexit data protection framework, among an array of other, related rules (on matters ranging from financial conduct to smart meters and “underground assets,” which is more to do with
The European Union (EU)’s government organizations are just like any another entity trying to function in a world where global companies and even government entities are reliant on digital platforms for messaging and collaboration. For years, there has been debate about how platforms like Microsoft 365, formerly Office 365, could be deployed in a way that complies with the GDPR processing and transfer restrictions. And it turns out that even the European Commission (EC) itself can apparently get it wrong. In a surprising turn of events earlier this month, the European Data Protection Supervisor (EDPS) concluded its nearly three year investigation into the Commission’s own deployment and use of Microsoft 365, signaling a pivotal moment in the conversation about the GDPR privacy and security requirements for cloud-based messaging and document collaboration platforms.Continue Reading Surprising Plot Twist: The European Data Protection Supervisor Reprimands the European Union for its use of Microsoft 365
On July 10th, the European Commission issued its Implementing Decision regarding the adequacy of the EU-US Data Privacy Framework (“DPF”). The Decision has been eagerly awaited by US and Europe based commerce, hoping it will help business streamline cross-Atlantic data transfers, and by activists who have vowed to scrutinize the next framework arrangement (thereby maintaining their relevance). Regardless of the legal resiliency of the decision, it poses an interesting set of considerations for US businesses, not the least of which is whether or not to participate in the Framework.
For those who followed the development and demise of the Privacy Shield program and the Schrems II case, it has been apparent for some time that the fundamental objection of the activists and the Court of Justice of the EU (“CJEU”) to the original Privacy Shield was the perception that the US intelligence community had an ability to engage in disproportional data collection without any possibility of recourse by EU residents whose personal information may be swept into an investigation. The actual functioning of the program for the certifying businesses were much less controversial.
Since the structure of the program wasn’t the primary reason for Privacy Shield’s revocation, from a business perspective, the current DPF looks a lot like the old Privacy Shield. For businesses who made the decision to participate in the Privacy Shield program in the past, the operational burden shouldn’t be much different under the new DPF, if they have already taken steps to operationalize the requirements.
What is interesting about the new DPF is how it may impact a company’s decision to choose between the Standard Contractual Clauses (“SCCs”) and the alternative adequacy mechanism for transfers. There is also some interest vis-à-vis the DPF and its interactions with state privacy laws.Continue Reading Adequacy for the US (kind of) – But What Are the Side Effects?
On 16 November 2022, EU Regulation 2022/2065, better known as the Digital Services Act (“DSA”), came into force. The DSA is a key development in the use of online services in the European Union (“EU”), with an impact on online services as significant as the one which the General Data Protection Regulation (“GDPR”) had upon the collection, use, transfer, and storage of data originating in the EU on 25 May 2018.
Ambit
The DSA sets out rules and obligations for digital services providers that act as intermediaries in their role of connecting consumers with goods, services, and content.
Its goal is to regulate and control the dissemination of illegal or harmful content online, provide more consumer protection in online marketplaces, and to introduce safeguards for internet users and users of digital services. It also introduces new obligations for major online platforms and search engines to prevent such platforms being abused.Continue Reading The EU Digital Services Act: Overview and Impact
In a long awaited decision, the European Commission (“Commission’) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the, now repealed, Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.
It is important to note that the new set of SCCs is significantly different than the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor”, the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form.
Continue Reading Out With the Old, In With the New: New GDPR Standard Contractual Clauses
There have been seminal events in the cybersecurity space since 2012, but there has likely been no event in recent times bigger than the SolarWinds attack which was first announced in December 2020. Though it likely had “nation-state” origins, the SolarWinds attack raised a number of serious issues for US companies and indeed the US
Today, the Court of Justice of the EU has handed down its judgment in the highly-anticipated Facebook Ireland case (aka Schrems II) and invalidated the Privacy Shield Decision. For those of you who have followed this case, the CJEU took a “left turn at Albuquerque” in its decision since the primary contention of Mr. Schrems was that the Commission Decision around Standard Contractual Clauses (“SCCs”) was invalid.
While the Court did opine on the SCC issue, it didn’t stop there. The Court actually took up a broader scope and addressed the validity of the Privacy Shield decision. In a mentally acrobatic exercise, we ended up with a judgment that preserved the SCCs decision (kind of), but invalidated the Privacy Shield Decision – even after there had been multiple renewals of the adequacy finding of Privacy Shield in the past. Additionally, along with the logical gymnastics around Privacy Shield, the SCCs aren’t quite out of the woods yet.
Continue Reading CJEU Invalidates EU-US Privacy Shield Framework
While a lot of ink has been spilled on the California Consumer Privacy Act (“CCPA”) over the last 18 months, one of the things which has become quite apparent to those of us who view privacy through a lens which considers both EU and US perspectives is that the CCPA is actually not an EU-style law. Except for the right to delete data, all the consumer rights in the CCPA actually existed (albeit in a much less aggressive form) for many categories of information under prior California law. When one considers the number of carve-outs to the deletion right, the CCPA actually looks a lot like what is the more traditional approach to privacy that is prevalent under US jurisprudence.
Continue Reading Europe’s Privacy Law is Coming – Just Not Via California
On Thursday, July 11, 2019, a diverse group of trade associations spanning numerous industries, including retail, telecom, manufacturing, and food and beverage, urged Congress to enact a consumer privacy law. In a letter to the Senate and House commerce committees, the coalition of 27 industry groups asked Congress “to act quickly to adopt a robust
On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4%