International Privacy Law

On March 22, 2024, following nearly six months after the publication of the Provisions on Promoting and Regulating Cross-border Data Flows (Draft for Solicitation of Comments), the Cyberspace Administration of China (“CAC”) officially released the Provisions on Promoting and Regulating Cross-border Data Flows (“the Provisions”), which came into immediate effect. In accordance with the Provisions, CAC has also issued the “Guidelines for Data Export Security Assessment Declaration (Second Edition)” and the “Guidelines for Filing Standard Contracts for Personal Information Export (Second Edition).”Continue Reading Practical Insights from China on the Newly Issued Provisions on Cross-Border Data Transfer

In recent years, privacy and cybersecurity consistently hit the top of legal leaders’ lists of their biggest concerns. In fact, a recent Association of Corporate Counsel Chief Legal Officers Survey found that, when rating a list of items on their importance to the business, CLOs placed cybersecurity, regulation and compliance issues, and data privacy as the top three most critical issues for the business.
Continue Reading Upcoming Event! Seyfarth Privacy Salon: Roundtable on Cross-Border Data Transfers, Privacy, and Cybersecurity

The European Union (EU)’s government organizations are just like any another entity trying to function in a world where global companies and even government entities are reliant on digital platforms for messaging and collaboration. For years, there has been debate about how platforms like Microsoft 365, formerly Office 365, could be deployed in a way that complies with the GDPR processing and transfer restrictions. And it turns out that even the European Commission (EC) itself can apparently get it wrong. In a surprising turn of events earlier this month, the European Data Protection Supervisor (EDPS) concluded its nearly three year investigation into the Commission’s own deployment and use of Microsoft 365, signaling a pivotal moment in the conversation about the GDPR privacy and security requirements for cloud-based messaging and document collaboration platforms.Continue Reading Surprising Plot Twist: The European Data Protection Supervisor Reprimands the European Union for its use of Microsoft 365

On July 10th, the European Commission issued its Implementing Decision regarding the adequacy of the EU-US Data Privacy Framework (“DPF”). The Decision has been eagerly awaited by US and Europe based commerce, hoping it will help business streamline cross-Atlantic data transfers, and by activists who have vowed to scrutinize the next framework arrangement (thereby maintaining their relevance). Regardless of the legal resiliency of the decision, it poses an interesting set of considerations for US businesses, not the least of which is whether or not to participate in the Framework.

For those who followed the development and demise of the Privacy Shield program and the Schrems II case, it has been apparent for some time that the fundamental objection of the activists and the Court of Justice of the EU (“CJEU”) to the original Privacy Shield was the perception that the US intelligence community had an ability to engage in disproportional data collection without any possibility of recourse by EU residents whose personal information may be swept into an investigation. The actual functioning of the program for the certifying businesses were much less controversial.

Since the structure of the program wasn’t the primary reason for Privacy Shield’s revocation, from a business perspective, the current DPF looks a lot like the old Privacy Shield. For businesses who made the decision to participate in the Privacy Shield program in the past, the operational burden shouldn’t be much different under the new DPF, if they have already taken steps to operationalize the requirements.

What is interesting about the new DPF is how it may impact a company’s decision to choose  between the Standard Contractual Clauses (“SCCs”) and the alternative adequacy mechanism for transfers. There is also some interest vis-à-vis the DPF and its interactions with state privacy laws.Continue Reading Adequacy for the US (kind of) – But What Are the Side Effects?

Under China’s data protection regulatory framework, data processors are required to pass a security assessment conducted by the cybersecurity regulator before transferring certain categories or volumes of data out of China. This January, six months after the Cyberspace Administration of China (“CAC”) released the Measures on Security Assessment of Outbound Data Transfers (“Measures”), the Beijing counterpart of CAC reported the first two cases where the data processors passed the security assessments led by CAC, which sheds some light on the uncertainty and complexity of the security assessment.

Uncertainty of Reviewing Process and End of Grace Period

As disclosed by Beijing CAC, as of February 22, 2023, Beijing CAC has assisted more than 310 entities with their potential applications for the security assessment of outbound data transfers, and has received 48 formal applications from organizations in industries such as technology, e-commerce, healthcare, finance, automotive, and civil aviation, including multinational companies. Among many applications, CAC granted two organizations with the approval for transferring data out of China, namely the Beijing Friendship Hospital of the Capital Medical University and Air China.Continue Reading China Unveils Two Approved Outbound Data Transfer Cases

The recent Cothron v. White Castle Illinois Supreme Court decision ruled that BIPA violations accrue with each collection, leading to skyrocketing claims – and damages. It’s critical for employers to understand what this decision means, how this decision affects them, and how to avoid the risks inherent in employee data collection.  

Our March 21, 2023

As we move into 2023, Biometric Information Privacy remains a constantly evolving field, with states enacting new statutes, technology evolving, plaintiffs raising new theories, and cases being filed daily. Keeping up with biometric laws can be a daunting task for these reasons.

On February 7, 2023, we led a webinar looking at some of the

On 16 November 2022, EU Regulation 2022/2065, better known as the Digital Services Act (“DSA”), came into force. The DSA is a key development in the use of online services in the European Union (“EU”), with an impact on online services as significant as the one which the General Data Protection Regulation (“GDPR”) had upon the collection, use, transfer, and storage of data originating in the EU on 25 May 2018.

Ambit

The DSA sets out rules and obligations for digital services providers that act as intermediaries in their role of connecting consumers with goods, services, and content.  

Its goal is to regulate and control the dissemination of illegal or harmful content online, provide more consumer protection in online marketplaces, and to introduce safeguards for internet users and users of digital services. It also introduces new obligations for major online platforms and search engines to prevent such platforms being abused.Continue Reading The EU Digital Services Act: Overview and Impact

In the second program in the 2022 Trade Secrets Webinar Series, Seyfarth partners Jesse Coleman, Dan Hart, and Caitlin Lane discussed how to identify the greatest threats to trade secrets, provided tips and best practices for protecting trade secrets abroad, and covered enforcement mechanisms and remedies internationally and in the US.

As a follow up

The regulatory landscape in China around data protection and flows continues to develop. Since the 2017 Cybersecurity Law, China has been refining the legal and regulatory framework for data protection—it has implemented new laws and regulations that set comprehensive rules for data processing activities across all industries in China and cover the rules regarding cross-border