Regulatory

Subscribe to Regulatory

In preparation for the California Privacy Rights Act (CPRA), effective January 1, 2023, the California AG Rob Bonta has been actively enforcing the California Consumer Privacy Act (CCPA) and providing updated guidance for consumers and businesses. The AG recently held a press conference to discuss enforcement proceedings brought by his office over the last year

The Summer 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. Update on international data transfers
  2. State Labour Court of Baden-Württemberg: No claim for damages for transferring personal data to the United States on

After Germany became the last EU member state to transpose Article 5(3) of the Directive 2002/58/EC, amended by Directive 2009/136/EC (ePrivacy Directive) into national law, the use of cookies in the EU must meet one of the following requirements:

  • The user’s consent, or
  • The cookie must be strictly necessary in order to provide the service explicitly requested by the user (Strictly Necessary Cookies).

The category of Strictly Necessary Cookies was previously interpreted rather narrowly. There must be a clear link between the strict necessity of the cookie and the delivery of the service. It is not sufficient that the cookie is merely necessary from an economic perspective to run a website. The Article 29 Working Party in WP194 regarded shopping cart, user authentication, security, load balancing, or multimedia player as use cases for Strictly Necessary Cookies.

The legal basis for so-called Reach Measurement Cookies has been heavily debated. Reach Measurement Cookies are statistical audience measurement tools for websites used to estimate the number of unique users, track the users’ interaction with the website and track down navigation issues. Typically, they have not been regarded as Strictly Necessary Cookies because websites can be provided to the users without measuring the users’ interactions with the websites. At the same time, Reach Measurement Cookies only provide useful findings if every users’ interactions with the websites are tracked.

In this context, the French data protection authority (CNIL) has provided guidelines (Guidelines) under which the Reach Measurement Cookies may be considered as Strictly Necessary Cookies and thus benefit from the consent exemption.Continue Reading When are Reach Measurement Cookies exempt from the consent requirement?

The German Constitutional Court issued a landmark decision with implications for many companies doing business in Europe on July 9, 2021. For decades, the European Commission and EU member states strived to create a pan-European Unified Patent Court (UPC). After overcoming many hurdles, any sensible commentator will be cautious in making statements about the future

Catch up on our Tech Law Talks podcast series for practical observations on technology and data legal trends, from product and technology development to operational and compliance issues that practitioners encounter every day.

What’s new in data protection in the EU

It has been a busy few weeks in the EU for all things data protection, particularly data transfers. Cynthia O’Donoghue and Andy Splittgerber walk us through the new Standard Contractual Clauses (SCCs) for international transfers and for controllers to processors, the newly issued EDPB Supplementary Measures Recommendations, and the UK adequacy decision. (18 mins)

M365 in 5: Compliance and governance in M365

E-Discovery consultant Lighthouse returns to our M365 in 5 series for a discussion about the importance of compliance and governance in M365 and collaboration among stakeholders to balance risk and business needs. Reed Smith’s Anthony Diana and Therese Craparo join Lighthouse’s John Holliday to discuss implementing controls and managing data to mitigate risk. (8 mins)Continue Reading Tune in for the latest updates on our Tech Law Talks podcast

There is news for social media network providers operating in the European Union regarding prevention of hate speech and crimes:  Austria enacted a law against hate and crime on social networks, the Communication Platform Act (KoPl-G). Following the German Network Enforcement Act (NetzDG), both laws are intended to make the deletion procedure simpler, more transparent and shift responsibility to the social network provider.  A unified European Law, the Digital Service Act (DSA), could soon replace these local country rules.

1. The German Network Enforcement Act

The German Parliament just recently passed the law amending the NetzDG which involves some changes for social networks providers. The NetzDG, enacted in 2017 in Germany, was the first in Europe to go against hate speech and crimes on social networks (more about the provision of the NetzDG on our previous blog).

The newest amendment, which was first proposed in April 2020 (more on our previous blog) contains the simplification of the reporting channels for the complaints procedure and added information obligations for half-yearly transparency reports of the platform operators. A direct right to information against the platform operator shall be created in the Telemedia Act (TMG) for victims of illegal content in networks. The amendment for the NetzDG provides that the user may request a review of the platform provider’s decision to remove or retain reported content and has a right to have the content restored. This shall prevent the so-called “overblocking”, i.e. when legal content is removed, and strengthen the freedom of opinion of users. The network provider is now obligated to obtain comments from concerning parties and give individual reasons for each decision. Video sharing-platforms are also subject to the NetzDG according to the new Sec. 3 (e) NetzDG but only in case of user-generated videos and broadcasts.

Colorado’s recently passed privacy act, the Colorado Privacy Act (CPA), is scheduled to take effect on July 1, 2023, if signed into law by Governor Jared Polis. While the CPA is a comprehensive privacy act which provides certain rights to consumers regarding their personal data, it does not include a private right of action. It

Germany is among the world’s leading patent jurisdictions. However, several years after the implementation of the EU Enforcement Directive, the government felt that the Patents Act (PatG) needed updating. Following lengthy consultations and many changes, the reform bill passed the German federal parliament (Bundestag) very early this morning (June 11, 2021). The second chamber of

The U.S. Department of Labor (DOL) announced in April new cybersecurity guidance (the Guidance) for protecting ERISA-covered plan data from internal and external cybersecurity threats. This Guidance is the first of its kind from the DOL and supplements DOL regulations that govern electronic records and disclosures to plan participants and beneficiaries.

The Guidance recognizes that

The Spring 2021 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released:

English version

German version

In this edition we cover the following topics:

  1. New cookie rules in Germany will apply as of December 1, 2021
  2. German data protection authorities conduct coordinated audits on international data transfers