International Privacy Law

Seyfarth Synopsis:  On May 12, 2021, President Joe Biden issued a very broad, 34 page “Executive Order on Improving the Nation’s Cybersecurity.” The Executive Order, or “EO”, can be found here. This order comes six months after the notorious SolarWinds attack, and mere weeks after other high-profile attacks have invaded our networks, and shut

There have been seminal events in the cybersecurity space since 2012, but there has likely been no event in recent times bigger than the SolarWinds attack which was first announced in December 2020. Though it likely had “nation-state” origins, the SolarWinds attack raised a number of serious issues for US companies and indeed the US

This was originally published as a Seyfarth Legal Update.

Seyfarth Synopsis: As the world progresses with COVID vaccinations, the scenario where you have to show a COVID passport before crossing a border, taking a public mode of transportation, or entering a public space like a cinema no longer seems like a scene out of a dystopian sci-fi movie. Colloquially dubbed the “COVID passport,” the concept refers to various forms of a certificate of COVID vaccination and/or negative test status recognized on a national or inter-state basis, the use of which remains a controversial topic at this juncture, giving rise to technical, legal and ethical concerns.

Having said that, some countries have already adopted or proposed adopting various versions of COVID passports on a national or inter-member states basis, such as the “Green Pass” for visiting certain premises or events within Israel[1], the “Green Health Code” for domestic travel and entry into certain premises within mainland China[2], and the proposed “Digital Green Certificate” for travelling between member countries of EU and abroad[3]. The decentralized initial approach and the practical challenges of implementing an universally recognized COVID passport remains as the world grapples with the COVID-19 pandemic.
Continue Reading Overview of Technology and Data Privacy Issues Arising from COVID Passports

Today, the Court of Justice of the EU has handed down its judgment in the highly-anticipated Facebook Ireland case (aka Schrems II) and invalidated the Privacy Shield Decision. For those of you who have followed this case, the CJEU took a “left turn at Albuquerque” in its decision since the primary contention of Mr. Schrems was that the Commission Decision around Standard Contractual Clauses (“SCCs”) was invalid.

While the Court did opine on the SCC issue, it didn’t stop there. The Court actually took up a broader scope and addressed the validity of the Privacy Shield decision. In a mentally acrobatic exercise, we ended up with a judgment that preserved the SCCs decision (kind of), but invalidated the Privacy Shield Decision – even after there had been multiple renewals of the adequacy finding of Privacy Shield in the past. Additionally, along with the logical gymnastics around Privacy Shield, the SCCs aren’t quite out of the woods yet.
Continue Reading CJEU Invalidates EU-US Privacy Shield Framework

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4%

Cross-posted from Carpe Datum Law

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help prepare and reduce the cost of EU GDPR compliance.
Continue Reading Is your organization ready for the new EU General Data Protection Regulation?

The General Data Protection Regulation is coming, and along with it, a significant expectation of increased harmonization in the privacy rules across the EU. Considering the 60-plus articles which directly impose obligations on controllers and processors, this isn’t an unreasonable sentiment. However (as is often the case with the EU), reality is a bit more

Sedona-Conference-Header


When:           Monday, April 24, 2017
Where:          Offices of Seyfarth Shaw LLP, Chicago, IL
Sign in:          5:00 – 5:30 pm
Event:            5:30 – 6:30 pm
Reception:    6:30 – 7:30 pm

Topic: Interactive Dialogue concerning The Sedona Conference® International Litigation Principles (Transitional Edition): Practical Help for Companies with the EU General Data Protection Regulation and Privacy Shield

shutterstock_196544378Cross Posted from Carpe Datum Law.

China has finalized a broad new Cyber Security Law, its first comprehensive data privacy and security regulation.  It addresses specific privacy rights previously adopted in the European Union and elsewhere such as access, data retention, breach notification, mobile privacy, online fraud and protection of minors.

There is plenty in the new law to irritate international businesses operating in China.  It requires in general that Chinese citizens’ data be stored only in China, for starters, possibly requiring global corporations to maintain separate IT systems for Chinese data.  Most of the privacy enhancements benefiting citizens align with those required in the European Union, but it is unclear how the Chinese will expect compliance, particularly since, as with many Chinese laws, its language is vague as to its scope, application and details.  This vagueness leaves interpretation to the State Council, the chief administrative authority in China, headed by Premier Li Keqiang.

The law expands Chinese authorities’ power to investigate even within a corporation’s Chinese data systems, and provides for draconian penalties for non-compliance by business entities or responsible individuals  include warnings, rectification orders, fines, confiscation of illegal gains, suspension of business operations or the revocation of the entity’s business license.
Continue Reading China Finalizes New Cyber Security Law

The clock is now ticking. On May 4th the European Parliament published the final text of the General Data Protection Regulation (“GDPR”), and the rules of the game have significantly changed – at least in the context of EU data protection law. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. “Privacy by Design” and “Privacy by Default” have been included in the regulatory ecosystem. Second, significant changes have been made to the obligations of “controllers” and “processors”. These include specific criteria for having compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines being up to 4% of a business’ global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups (also known as “Civil Society”) having the right to complain of a company’s privacy practices directly to the local Data Protection Authorities; compliance with the GDPR will now be one of those risks that any business who touches EU data will need to seriously consider. Fortunately, the GDPR won’t go into effect until May 25th 2018. However, businesses with significant data from the EU need to start considering how to comply now.
Continue Reading Europe Is Shifting, And It’s a Big Deal – The New GDPR