The EU-U.S. Privacy Shield: feedback, and potential EU recognition of privacy laws of California and other U.S. states?

Background

On October 23, 2019, the European Commission (EC) released its report on the third annual review of the EU-U.S. Privacy Shield. While the report confirms that the U.S. continues to provide an adequate level of protection for personal data transferred under the Privacy Shield, there are some gaps between the expectations of the EC and those of the U.S. authorities, particularly in relation to the lack of transparency concerning U.S. enforcement activities and a lack of co-operation between regulators. You can read our summary of the report via this link.

On Thursday, January 9, 2020, members of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) met representatives of the EC and the European Data Protection Board to discuss the EC’s 2019 report on the Privacy Shield (link accessible here). An interesting question was raised: would it be possible for the EC to recognize a single state, e.g., a U.S. state such as California, as an adequate territory for transfers of personal data?


EDPS, data protection and scientific research

This week the EU’s independent data protection authority (DPA), the European Data Protection Supervisor (EDPS), published a preliminary opinion on data protection and scientific research subject to the General Data Protection Regulation 679/2016 (GDPR) and Regulation 1725/2018 governing data protection in EU institutions (Preliminary Opinion). The provisions of Regulation 1725/2018 in this area are very similar to those of the GDPR, and the EDPS states that the Preliminary Opinion may be regarded as relevant to data processing under both regulations.

The Preliminary Opinion builds on the work of the European Data Protection Board (EDPB) in promoting a dialogue between DPAs, ethical review boards and organisations conducting scientific research.


Top advertising law trends of 2020

As we look toward a new year and a new decade, advertisers will need to be a step ahead of the market, in order to keep up with changing trends, a world impacted by an increased sensitivity to privacy and the use of data, and consumers who have grown savvy to influencer marketing and product placement. This article published on Law360 by Jason Gordon and Casey Perrino notes some of the cutting-edge trends to watch in 2020, touching on topics such as new privacy legislation and tracking technologies, concerns over political advertisements, and the growing cannabis industry.

Biometric privacy: The year in review and looking toward 2020

2019 signalled significant growth in both regulatory focus and litigation involving biometric privacy. The passage of the California Consumer Privacy Act (CCPA), the addition of biometrics to numerous state data breach notification laws (including New York’s), and continued class action lawsuits arising under Illinois’ Biometric Information Privacy Act (BIPA) made biometrics a trend line in 2019 that shows no signs of slowing down in 2020. State legislatures will continue to take note of BIPA’s impact in Illinois and will watch closely as the CCPA takes effect on January 1, 2020, taking cues as to whether or how to implement statutory and regulatory frameworks for biometrics in their own states. Organizations that collect and use consumer or employee biometric data should be aware of their obligations and be on the lookout for more activity on both the regulatory compliance and litigation fronts in the new year.

BIPA provides an express private right of action for consumers who claim that their biometric privacy rights have been violated. In January 2019, the Illinois Supreme Court affirmed this right when it ruled in Rosenbach v. Six Flags Entertainment Corp. that a plaintiff need only allege a violation of BIPA, not actual harm, in order to plead a claim under the Act. Since this decision, BIPA has continued to spawn an onslaught of biometric privacy class actions.


Evaluation of the GDPR – The German supervisory authorities weigh in

The German Data Protection Authorities (German DPAs) released a “Report on the Experience Gained in the Implementation of the GDPR”, which was adopted at their conference on November 6, 2019 (Report; available in German here and English here). In this blog, we summarize the key issues that the German DPAs have raised in the Report.

Background

Under Article 97 of the EU General Data Protection Regulation (GDPR), the EU Commission is required to submit an evaluation and review report on the implementation of the GDPR by May 25, 2020, that is, two years after the GDPR became applicable. The German DPAs want to share their experience to contribute to this process and have therefore published the Report. The German DPAs take the view that the GDPR’s regulatory concept and objectives have largely proved successful and that the heavy GDPR fines are a driver for developing broad-based awareness of data protection. However, they also acknowledge that some uncertainty remains when it comes to GDPR implementation and that there is still a need for guidance from the supervisory authorities.


New year, new risks

According to experts, most New Year’s resolutions fail because sweeping change is difficult. Rather, the best results come from taking small steps. Here are five small steps to take to make sure your directors’ and officers’ (D&O) coverage can tackle potential cyber risks.

  1. Review your coverage program from last year. Endorsements, policy provisions, and pricing change from year to year to address hot market issues, such as claims regarding data security and privacy incidents. If operating globally, keep an eye out for coverage for potential crises.
  2. In addition to the primary policy, the company should review any excess and any “Side A”-only or difference-in-conditions, or “DIC,” policies. Reviewing how the company’s D&O program works as a whole is well worth the effort.
  3. Analyze whether claims that may be excluded or only partially covered under a D&O policy may be covered elsewhere. For example, how will the company’s cyber, CGL, or property coverage interact with its D&O coverage in the event of a data breach or privacy incident?
  4. Determine your company’s highest exposure activities for 2020 and map out how coverage may (or may not) respond.
  5. Pay close attention to attorney–client privilege issues in the application or renewal process. Policy applications, warranty statements, renewal information, underwriting meetings, and communications with insurance brokers and others can be potentially sensitive and impactful in the event of a claim. Managing the process and information flow with an eye toward privilege can ensure greater protection.

Members of our Insurance Recovery Group provide more information on these five steps in our recent client alert.

An FAQ guide to data breach notifications in Singapore

Singapore’s Personal Data Protection Commission (PDPC) has announced that data breach notification will soon become mandatory in Singapore. However, not all breaches need to be reported. We have prepared this guide to aid businesses in understanding when, to whom and how to notify should they encounter a data breach.

As further guidance and details on the new requirements will be provided by PDPC in due course, we will follow up with an updated guide at the appropriate time.

What is a data breach?

A data breach refers to any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data in an organization’s possession or under its control.


ENISA releases report detailing security guidelines for Internet of Things

On 19 November 2019, the European Union Agency for Network and Information Security (ENISA) released its report ‘Good practices for security of Internet of Things (IoT)’ (Report), providing a comprehensive analysis of the security concerns surrounding IoT and of secure Software Development Life Cycle (sSDLC) principles, and setting out best practices. Below, we highlight some of the key points. The Report can be read in full here.

Background

IoT refers to a network of internet-connected devices, ranging from microwaves to phones to smart homes. ENISA is tasked with improving the resilience of Europe’s critical information infrastructure and networks, and the Report focuses on establishing good practices for securing the IoT software development process. As a precursor to the Report, in 2017, ENISA released its study ‘Baseline Security Recommendations for IoT’ (here).

Advocate General gives opinion on Schrems II: an early Christmas present?

Today, Advocate General Henrik Saugmandsgaard Øe (AG) published his opinion on a case brought by the privacy rights activist Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II). The case concerns the validity of the standard contractual clauses (SCCs). The Court of Justice of the European Union (CJEU) press release can be found here, and the AG’s opinion here.

The General Data Protection Regulation (GDPR) provides that personal data may be transferred to a third country if that country ensures an adequate level of data protection. SCCs are one of several mechanisms approved by the European Commission for personal data transfers to countries not found to offer adequate protection for personal data. If the SCCs were invalidated, thousands of businesses would have to review their data transfer arrangements.

Below, we take a look at the AG’s opinion.

Get your Update on IT & Data Protection Law in our Newsletter (Winter 2019 Edition)

The Winter 2019 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. ECJ decision on the use of cookies (“Planet49”) does not provide clarity
  2. ECJ: Global take-down duties of hosting providers
  3. ECJ on the territorial scope of the right to de-referencing v. operators of search engines
  4. Munich District Court: Right of access by data subject pursuant to Article 15 (1) GDPR does not include internal comments
  5. Working papers on special protection of the privacy of children
  6. EBA Guidelines apply
  7. Update on transparency requirements for influencer marketing

The newsletter also includes several reading recommendations on publications of the European Data Protection Board and the German data protection authorities.

We hope you enjoy reading it.
