Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Seyfarth’s eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners are pleased to announce the release of Data Privacy & Protection in the EU-U.S.: What Companies Need to Know Now, which describes GDPR’s unique legal structure and remedies, and includes tips and strategies in light of the future passage of the GDPR.

How to Get Your Desktop Guide:

The Data Privacy & Protection in the EU-U.S. Desktop Guide is available on request as a PDF or hard copy.

GDPR Webinar Series

Between August and October 2017, Seyfarth Shaw’s attorneys provided high-level discussions of risk assessment tools and remediation strategies to help companies prepare for EU GDPR compliance and reduce its cost. Each segment is one hour long and can be accessed on demand at Seyfarth’s Carpe Datum Law Blog and The Global Privacy Watch Blog.

For updates and insight on GDPR, subscribe to Seyfarth’s Carpe Datum Law Blog and Seyfarth’s The Global Privacy Watch Blog.

Cross-posted from Carpe Datum Law

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four one-hour webinars from August through October 2017. The presenters will provide a high-level discussion of risk assessment tools and remediation strategies to help companies prepare for EU GDPR compliance and reduce its cost.

Full post: Is your organization ready for the new EU General Data Protection Regulation?

The General Data Protection Regulation is coming, and along with it, a significant expectation of increased harmonization in the privacy rules across the EU. Considering the 60-plus articles which directly impose obligations on controllers and processors, this isn’t an unreasonable sentiment. However (as is often the case with the EU), reality is a bit more complicated than what the expectations reflect.

The reason complexity persists even under the GDPR is what are known as “opening clauses”. These clauses permit a Member State to modify the provisions of the Article in which the clause resides. In effect, the opening clauses permit a Member State to introduce a more restrictive application of the GDPR obligation via local legislation.

These opening clauses are particularly important to note because there are many of them (around 30% of the directly applicable Articles contain opening clauses), and many of them address an already complicated area of data protection law: employment. While a number of companies have a large consumer impact in the EU, just as many (if not more) have workers in the EU, or have clients who have workers in the EU. As a consequence, the implementation of the GDPR doesn’t fully mitigate the patchwork quilt of local law when it comes to labor and employment law. This is because of both the opening clauses in a number of related Articles and the plain text of Article 88.

The lack of consistency in HR-related data protection is particularly concerning with the advances in workforce management, monitoring, and the use of personal devices in the workplace (e.g. Bring Your Own Device, or “BYOD” environments). One of the ways that the regulators have attempted to address this very real issue around inconsistent GDPR obligations is with an update to the 2001 Article 29 Working Party opinion on data protection of employees. The new opinion, published on 23 June 2017, provides an update to the recommendations which were put in place prior to the age of social media and pervasive computing (i.e. Internet of Things).

While not mandatory, the Opinion does operate somewhat as a roadmap to the way regulators in the EU will consider enforcement, both in breach situations and in accountability situations (i.e. when an entity has to “show” how it is compliant). The Opinion is also instructive because much of its analysis revolves around the concept of “proportionality”.

This balancing of the legitimate interests of employees and employers was not a commonly used method of legitimizing processing under Directive 95/46/EC and its local implementing legislation. However, it seems that this is the direction the Working Party is taking. This may be seen as both a good and a bad situation. On one hand, it indicates that the regulators are starting to understand the complexity of the modern workplace, and how rigid bright-line rules won’t really work. On the other hand, it would seem to require a significant amount of analysis by data protection experts (subsequently documented) showing that the balance of interests doesn’t harm the employee.

In any event, at least in the realm of employment law, the GDPR isn’t going to be quite the panacea that many of us were hoping for. It is still going to be a complex, difficult-to-manage area of law for the foreseeable future.

The annual conference of the world’s data protection regulators is a three-day exercise, with half of the conference being “closed door” for the regulators only, and the other half being a series of side meetings and presentations that report the results of the closed-door meetings to interested attendees. It is a good meeting for gaining insight into the next year’s trends in data protection regulation and enforcement across the globe. While this conference happens every year, the events in the European Court of Justice and the impending completion of the new General Data Protection Regulation (“GDPR”) made this year’s conference particularly interesting. Here are some of the insights developed during the conference.

Full post: The 37th International Conference of Data Protection & Privacy Commissioners – Some Observations

The CJEU’s judgment against Google has been hailed as a “Landmark Ruling”. I agree that this judgment is a landmark ruling, but not for the reason everyone else is making it out to be. As noted earlier, the “Right to be Forgotten” isn’t really in the holding of the judgment. Further, the “long-arm” application of EU law isn’t something new (at least to US attorneys). What is new is the reason for allowing a right of deletion against a search engine and not against the underlying publisher of the original facts.

Full post: The CJEU’s Judgement Against Google: What It Does Mean

The Court of Justice of the European Union (“CJEU”) issued a judgment in the case Google v. AEPD which has garnered a significant amount of attention. The two primary reasons for this attention (besides its being a case against Google, which is usually newsworthy) are 1) the seeming expansion of EU law into extra-territorial reach, and 2) the recognition of the “Right to be Forgotten”. Several authors have taken it upon themselves to spill quite a bit of ink on this judgment, and there is some trepidation that business will be negatively impacted in a new and significant way under it. A careful reading of both the Advocate General’s Opinion and the CJEU’s judgment in this matter does show how the EU is progressing in the matter of cross-border privacy protections. However, this judgment may not be as far-reaching as some commentators have thought.

Full post: The CJEU’s Judgment Against Google: What It Doesn’t Mean

To continue my prior post on the Article 29 Working Party’s Opinion 6/2014, it is important to take a closer look at the specifics of the notion of a Controller’s “Legitimate Interests”.

Unlike all the other criteria for lawful processing, Article 7(f) is the only one which specifically articulates the idea that commercial interests should have weight in the calculus of “fair and lawful” processing. For each of the other criteria, if the criterion is met, the grounds for processing are considered a priori legitimate. Under Article 7(f), each purpose for processing will need to undergo the balancing test. This is going to require a bit more analysis than the other criteria. However, because this analysis is internal to the business, it may well be less onerous than other options would be (e.g. having the DPA opine as to the legitimacy of the processing).

Full post: Legitimate Interests – Alternative to Notice & Choice?