The EDPB and EDPS adopt joint opinions on the new draft SCCs

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) announced their joint opinions on the draft standard contractual clauses (SCCs) previously published by the European Commission in November 2020. The opinions cover the SCCs between controllers and processors and the SCCs for the transfer of personal data to third countries. We have previously commented on both sets of drafts here and here.

Controller to processor SCCs

In their joint opinion, both the EDPB and the EDPS welcomed the controller to processor SCCs as a single, strong, and EU-wide accountability tool, which will facilitate compliance with the General Data Protection Regulation (GDPR) and provide much needed legal certainty to controllers and processors. However, the EDPB and EDPS noted that more clarity should be provided as to when the controller to processor SCCs can be relied upon. Further amendments were also noted as needed, for example to the docking clause, which allows additional entities to accede to the controller to processor SCCs. It was also noted that the SCCs Annexes should be amended to clarify the roles and responsibilities of each of the parties as much as possible with regard to each processing activity. The EDPB and EDPS consider these additional amendments as necessary to ensure harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.

Six advertising law trends and what brands should watch out for in 2021

In a Law360 article published last week, the top six media and advertising trends expected in 2021 are discussed. It is no surprise that data privacy and protection issues will likely continue to be a major focus for those operating in the media and advertising sectors. Two major themes identified include the potential for increased Federal Trade Commission (FTC) attention on consumer privacy and behavioral advertising under the new Biden administration and considerations for advertisers under the new requirements of the California Privacy Rights Act (CPRA). A full copy of the article is available here.

Amendments to the Electronic Transactions Act offer new opportunities for trade and commodities finance and fintechs in Singapore

The Singapore government introduced a bill into parliament to amend the Electronic Transactions Act (Cap. 88) (ETA) on January 4, 2021. The amendments set out in the Electronic Transactions (Amendment) Bill will be of relevance to the trade and commodities finance and fintech sectors as their primary object is to achieve recognition and equivalence for transferable documents and instruments, such as bills of lading, bills of exchange and promissory notes, represented in electronic form.

Our recent client alert summarizes the key proposed changes and outlines some of the potential implications for the trade and commodities finance and fintech sectors.

New York proposes a new Biometric Privacy Act

On January 6th, the first day of the New York legislature’s 2021 session, NY lawmakers proposed Assembly Bill 27 (AB 27), the Biometric Privacy Act. The legislative purpose of AB 27 is to provide safeguards for consumers regarding their biometric identifiers, such as fingerprints, handprints, retina or iris scans, voiceprints, and other facial and hand recognition. Effectively, the proposed Act would require private (non-governmental) organizations that possess a biometric identifier or biometric information (i.e., information “based on” a biometric identifier) (collectively “biometric data”) to develop a written retention policy setting forth the time period for information containing biometric data, as well as guidelines for permanently destroying such biometric data either: (i) when the initial purpose for obtaining such information “has been satisfied,” or (ii) within three years of the individual’s last interaction with the private entity, whichever happens first.

AB 27 would also require organizations to obtain individuals’ express written consent for the collection of their biometric data prior to collecting or otherwise obtaining such data. In addition, the proposed Act would prohibit organizations from selling or otherwise profiting from the biometric data which they possess, and separately mandate organizations to provide technical and organizational safeguards around biometric data that are the same or more protective than the measures they maintain for other confidential and/or sensitive information.

Cookies: CNIL provides clarification on its position through three major decisions impacting worldwide online service providers

The French data protection authority (CNIL) rendered three major decisions impacting worldwide online service providers following online controls and investigations performed on the companies’ websites. These decisions highlight the obligations of data controllers when using cookies and other trackers, notably regarding the way the user’s consent shall be collected, and the level of information that has to be provided to users. Companies across sectors with interests in France should consider adapting their cookie compliance and monitor the specific French requirements. The CNIL stated it would grant a six-month period to implement the new CNIL guidelines. Controllers would be required to comply with these new guidelines by the beginning of April 2021.

Please see our recent client alert for an in-depth explanation of CNIL’s position and recent actions.

The ICO publishes a new data sharing code of practice

The UK’s supervisory authority, the Information Commissioner’s Office (ICO), published a new data sharing code of practice (Code), available here, which addresses the requirements for data sharing under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

Once approved by Parliament, the Code will become a statutory code of practice. Thereafter, the Code will be used by the ICO when assessing whether organisations have complied with their data protection obligations when sharing personal data. The Code applies to the sharing of personal data between controllers, as well as giving access to personal data to third parties. It does not, however, apply to data sharing with a processor, nor the disclosure of data within an organisation.

The Code contains practical guidance for controllers on how they can share data fairly and lawfully and how they can meet their accountability obligations under the GDPR and the DPA 2018. It also addresses misconceptions regarding data sharing, such as clarifying that data protection laws do not prevent data sharing (as long as the sharing is lawful, fair and proportionate) and that most data sharing does not rely on consent as the lawful basis.

EU-UK data flows following the Brexit transition period

After a long period of negotiation, the United Kingdom (UK) and the European Union (EU) have reached a deal on the sharing of personal data, only a few days before the end of the Brexit transition period.

The agreed trade deal allows for the continued free flow of personal data from the EU to the UK for a maximum of six months after the transition period expires. During that time, the UK hopes that the European Commission will issue an adequacy decision in relation to the UK, thus allowing the free flow of personal data to continue beyond the six months. In relation to transfers of personal data outside the UK, the UK has already deemed adequate the 30 EU/European Economic Area countries and the 12 countries that have received EU adequacy decisions, as mentioned in our previous blog post (available here).


The UK is preparing its adequacy decisions post Brexit

With the end of the Brexit transition period quickly approaching on 31 December 2020, the future of international data transfers between the UK and the European Union (EU) and European Economic Area (EEA) remains somewhat unclear.

As background, Article 44 of the General Data Protection Regulation (GDPR) prohibits the transfer of personal data from the EU/EEA to recipients in jurisdictions outside the EU/EEA, unless specific conditions are met. One such condition under the GDPR is an “adequacy decision” granted by the European Commission. If a third country is deemed adequate by the European Commission, the personal data can be transferred to that country without any additional safeguards being required.


European Commission releases draft updated standard contractual clauses

On 12 November 2020, the European Commission released draft updated standard contractual clauses (SCCs) for consultation (available here).

The current SCCs were adopted by the Commission before the GDPR came into force. The CJEU’s decision in the Schrems II case has given greater urgency to updating the current SCCs. Once approved, the new SCCs will repeal the current SCCs. Data controllers and processors alike will therefore need to re-paper their agreements.

The main changes introduced by the draft SCCs are summarised below.


A discussion with Colorado Attorney General Phil Weiser on Colorado’s data privacy law and consumer protection

In a recent Q&A with Colorado Attorney General (AG) Phil Weiser, the first term AG discusses how he makes data privacy and cybersecurity accessible and interesting to his Colorado constituents. AG Weiser also explains the role of Colorado’s interdisciplinary Data Privacy and Security Impact Team and how its implementation has benefitted the state. Lastly, AG Weiser discusses his views on a comprehensive federal privacy law and his office’s privacy- and data security-related priorities for 2021. Read more in the IAPP Privacy Advisor article here.
