In a long awaited decision, the European Commission (“Commission’) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the, now repealed, Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.

It is important to note that the new set of SCCs is significantly different than the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor”, the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form.
Continue Reading Out With the Old, In With the New: New GDPR Standard Contractual Clauses

Today, the Court of Justice of the EU has handed down its judgment in the highly-anticipated Facebook Ireland case (aka Schrems II) and invalidated the Privacy Shield Decision. For those of you who have followed this case, the CJEU took a “left turn at Albuquerque” in its decision since the primary contention of Mr. Schrems was that the Commission Decision around Standard Contractual Clauses (“SCCs”) was invalid.

While the Court did opine on the SCC issue, it didn’t stop there. The Court actually took up a broader scope and addressed the validity of the Privacy Shield decision. In a mentally acrobatic exercise, we ended up with a judgment that preserved the SCCs decision (kind of), but invalidated the Privacy Shield Decision – even after there had been multiple renewals of the adequacy finding of Privacy Shield in the past. Additionally, along with the logical gymnastics around Privacy Shield, the SCCs aren’t quite out of the woods yet.
Continue Reading CJEU Invalidates EU-US Privacy Shield Framework

While a lot of ink has been spilled on the California Consumer Privacy Act (“CCPA”) over the last 18 months, one of the things which has become quite apparent to those of us who view privacy through a lens which considers both EU and US perspectives is that the CCPA is actually not an EU-style law. Except for the right to delete data, all the consumer rights in the CCPA actually existed (albeit in a much less aggressive form) for many categories of information under prior California law. When one considers the number of carve-outs to the deletion right, the CCPA actually looks a lot like what is the more traditional approach to privacy that is prevalent under US jurisprudence.
Continue Reading Europe’s Privacy Law is Coming – Just Not Via California

On Thursday, July 11, 2019, a diverse group of trade associations spanning numerous industries, including retail, telecom, manufacturing, and food and beverage, urged Congress to enact a consumer privacy law.  In a letter to the Senate and House commerce committees, the coalition of 27 industry groups asked Congress “to act quickly to adopt a robust

At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018.  The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR.  The new law defines a category of “Personal Information” that 

Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4%

Cross-posted from Carpe Datum Law

On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?

Our experienced eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners will present a series of four 1-hour webinars in August through October of 2017. The presenters will provide a high-level discussion on risk assessment tools and remediation strategies to help prepare and reduce the cost of EU GDPR compliance.
Continue Reading Is your organization ready for the new EU General Data Protection Regulation?

The General Data Protection Regulation is coming, and along with it, a significant expectation of increased harmonization in the privacy rules across the EU. Considering the 60-plus articles which directly impose obligations on controllers and processors, this isn’t an unreasonable sentiment. However (as is often the case with the EU), reality is a bit more

shutterstock_189182636 (1)As the companies doing business in Europe are trying to get their arms around the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), but so far not making substantial headway, the European Data Protection Authorities (DPAs) are doing their own GDPR preparation by securing increased budgets and additional workforce.

Last week, the Irish Data Protection Commissioner (DPC), Helen Dixon, has “welcomed” the additional funding of €2.8 million for her office’s 2017 budget, as announced by the Government, bringing the total funding allocation to the DPC to over €7.5 million. The 2017 budget increases are in line with the increases in 2015 and 2016, representing a 59% increase on the 2016 allocation and over four times the €1.9 million provided to the DPC in 2014.

Commenting on the 2017 funding allocation, Helen Dixon stated:

“The additional funding being provided by Government in 2017 will be critical to our preparations for the implementation of the EU General Data Protection Regulation in May 2018. In 2017 we will continue to invest heavily in building our capacity and expertise, including the recruitment of specialist staff, to administer our new enforcement powers and all of our additional responsibilities under the new law.


Continue Reading Irish Data Protection Commissioner Welcomes Increases in Budget in Preparation for the GDPR Enforcement