On March 22, 2024, following nearly six months after the publication of the Provisions on Promoting and Regulating Cross-border Data Flows (Draft for Solicitation of Comments), the Cyberspace Administration of China (“CAC”) officially released the Provisions on Promoting and Regulating Cross-border Data Flows (“the Provisions”), which came into immediate effect. In accordance with the Provisions, CAC has also issued the “Guidelines for Data Export Security Assessment Declaration (Second Edition)” and the “Guidelines for Filing Standard Contracts for Personal Information Export (Second Edition).”Continue Reading Practical Insights from China on the Newly Issued Provisions on Cross-Border Data Transfer
Cross Border Privacy
Upcoming Event! Seyfarth Privacy Salon: Roundtable on Cross-Border Data Transfers, Privacy, and Cybersecurity
In recent years, privacy and cybersecurity consistently hit the top of legal leaders’ lists of their biggest concerns. In fact, a recent Association of Corporate Counsel Chief Legal Officers Survey found that, when rating a list of items on their importance to the business, CLOs placed cybersecurity, regulation and compliance issues, and data privacy as the top three most critical issues for the business.
Continue Reading Upcoming Event! Seyfarth Privacy Salon: Roundtable on Cross-Border Data Transfers, Privacy, and Cybersecurity
Ransomware Attacks – Harmless Annoyances or Catastrophic Events?
Ransomware attacks have become one of the most common and pervasive cybercrimes perpetrated against U.S. companies. A bad actor, often from overseas, will gain access to upload malware onto a company’s network storage or application platforms that encrypts all files it can access. A message or text file is usually left with instructions on how to contact the attacker to pay a ransom for the decryption key. In the worst case, a ransomware attack can freeze the business operations by effectively removing access to the company’s critical systems and rendering them useless. Aside from the business impact, what legal implications are created by a ransomware attack?
Privacy
The greatest legal concern is one of privacy. By definition, ransomware attacks gain access to the internal systems maintained or owned by a business. However, not all ransomware attacks are created equal and privacy obligations differ from one attack to another.Continue Reading Ransomware Attacks – Harmless Annoyances or Catastrophic Events?
Out With the Old, In With the New: New GDPR Standard Contractual Clauses
In a long awaited decision, the European Commission (“Commission’) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the, now repealed, Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.
It is important to note that the new set of SCCs is significantly different than the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor”, the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form.
Continue Reading Out With the Old, In With the New: New GDPR Standard Contractual Clauses
Now Available! Seyfarth Shaw’s Data Privacy & Protection in the EU-U.S. Desktop Guide
Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series
On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4%…
Europe Is Shifting, And It’s a Big Deal – The New GDPR
The clock is now ticking. On May 4th the European Parliament published the final text of the General Data Protection Regulation (“GDPR”), and the rules of the game have significantly changed – at least in the context of EU data protection law. First, the GDPR changes the underlying approach to data protection law, with a new emphasis placed on accountability and risk-based approaches. “Privacy by Design” and “Privacy by Default” have been included in the regulatory ecosystem. Second, significant changes have been made to the obligations of “controllers” and “processors”. These include specific criteria for having compliant privacy notices and vendor management contracts. Third, enforcement is now a very real, and potentially risky, thing. With the possibility of administrative fines being up to 4% of a business’ global gross revenue, private rights of action by individuals, and non-profit privacy watchdog groups (also known as “Civil Society”) having the right to complain of a company’s privacy practices directly to the local Data Protection Authorities; compliance with the GDPR will now be one of those risks that any business who touches EU data will need to seriously consider. Fortunately, the GDPR won’t go into effect until May 25th 2018. However, businesses with significant data from the EU need to start considering how to comply now.
Continue Reading Europe Is Shifting, And It’s a Big Deal – The New GDPR
Safe Harbor 2.0 – Is It Happening?
It is the beginning of 2016, and American companies are anxiously awaiting news of whether or not a new “Safe Harbor 2.0” will emerge. In October of 2015, the European Court of Justice declared invalid Safe Harbor 1.0 in the Schrems decision. This had an immediate effect on any American company collecting personal data from the EU by removing the legal basis for this kind of data transfer. As of October 2015, consumer, client, and even employee data cannot be legally transferred to the US under the Safe Harbor Framework.
Fortunately, the data protection regulators (“DPAs”)recognized the turmoil this decision created within the business community on both sides of the Atlantic. As a result, the Article 29 Working Party (which is the convention of DPAs from each of the EU Member States) issued an enforcement moratorium on enforcement actions until the end of January 2016, so that they could assess the effectiveness of data transfer tools available. As part of this moratorium, the Working Party called on “…Member States and European institutions to open discussions with U.S. authorities in order to find legal and technical solutions”; and that the “current negotiations around a new Safe Harbor could be part of the solution.”
Continue Reading Safe Harbor 2.0 – Is It Happening?
The 37th International Conference of Data Protection & Privacy Commissioners – Some Observations
The annual conference of the world’s data protection regulators is a three day exercise, with half of the conference being “closed door” for the regulators only, and the other half being a series of side meetings and presentations, which report out to interested attendees the results of the closed door meetings. This is a good meeting to gain insight in the next year’s trends in data protection regulation and enforcement across the globe. While this conference happens every year, the events in the European Court of Justice and the impending completion of the new General Data Protection Regulation (“GDPR”) made this year’s conference particularly interesting. Here are some of the insights which were developed during the conference:
Continue Reading The 37th International Conference of Data Protection & Privacy Commissioners – Some Observations
Access By US Authorities – The REAL Reason Safe Harbor is at Risk
And now we come to the real sticking point. It actually isn’t specific to the Safe Harbor Framework. Access to data by law enforcement and intelligence assets is outside the Safe Harbor Framework. This is also the case in the EU. The proposed General Data Protection Regulation does NOT include law enforcement and intelligence activities. In some ways, this section of the “13 Recommendations” is the least connected to the Framework, as it really focuses on a country’s rights to manage its own national security and law enforcement activities. Unfortunately, this will be where the most difficulty will be in implementation – mostly because it is not directly part of the Framework, but a policy stance on national security, which has never been a part of the basis for the need Safe Harbor fulfills.
Continue Reading Access By US Authorities – The REAL Reason Safe Harbor is at Risk
Enforcement – the Next Topic to “Save” Safe Harbor
Enforcement has long been a sticking point between the US and the EU. Some of this comes from the inherent clash of juridical cultures between the civil and common law traditions. And some of this just seems to be the EU expecting the bigger and better resourced US Government to pick up some of the…