On August 18, 2023, the Fourth Circuit decertified approximately 20 million putative class action claims arising out of a 2018 data breach involving Marriott Hotels. See here. The Fourth Circuit reversed the district court’s certification and required it to consider in the first instance whether all of the putative plaintiffs waived their claims by signing class action waivers when they registered to be part of the Starwood Preferred Guest Program (“SPG”). The SPG waiver specifically stated that “Any disputes arising out of or related to the SPG Program or the[] SPG Program Terms will be handled individually without any class action ….”
ECJ Allows National Competition Authorities to Consider Non-Competition Law Violations in Dominance Abuse Cases
Please click here to access the source post from our Global Regulatory Enforcement Law Blog.
In this blog, the authors delve into a significant decision by the German Federal Cartel Office (FCO) four years ago, accusing a major technology company of abusive behavior due to alleged violations of the General Data Protection Regulation (GDPR). Recently
Convention 108+: The Council of Europe Releases Model Contractual Clauses for Global Data Transfers
On June 27, 2023, the Council of Europe (“CoE”) announced the adoption of its first module of the Model Contractual Clauses (“MCCs”) for cross-border data transfers based on the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+). These model clauses aim to regulate data flows between data controllers and are recommended for adoption by competent authorities.
ENISA Releases Comprehensive Framework for Ensuring Cybersecurity in the Lifecycle of AI Systems
On 7 June 2023, the European Union Agency for Cybersecurity (ENISA) released a report Multilayer Framework for Good Cybersecurity Practices for AI (“Framework”) in response to the evolving landscape of artificial intelligence (AI) and the associated cybersecurity challenges. The publication aims to establish a robust framework that promotes cybersecurity practices throughout the entire lifecycle of AI, ranging from conceptualization to decommissioning. This blog summarises the main features of the Framework.
The EDPB makes its mind up about transfers
If you can remember as far back as December 2021, we published a blog post announcing that the European Data Protection Board (EDPB) published draft guidelines on the interplay between the territorial scope of the GDPR and the international transfer requirements. Following what must have been an extensive consultation, we are pleased to report that those guidelines were finally finalised on 14 February 2023 (here) and, are even more pleased to report that they contain some very useful illustrations to help you make sense of the concept of international data transfers.
A sigh of relief? EU-US data transfers
At the end of 2022, the European Commission published its draft adequacy decision on the EU-US transfers of personal data. The draft contains an assessment of the US legal framework around state surveillance. Once in place, EU data transfers to the US under the new Data Privacy Framework (“EU-US DPF”) will be free. However, there are still some steps to take.
ICO provides an alternative to the EDPB transfer impact assessment
On 17 November 2022, the UK Information Commissioner’s Office issued updated guidance on international personal data transfers. The guidance is to be used for transfers of personal data from the UK to third countries. The ICO added a template transfer risk assessment (TRA) to the guidance, which is required when organisations rely on a transfer tool under Article 46 of the UK GDPR, e.g. the ICO’s International Data Transfer Agreement (the UK version of the EU SCCs); the Addendum to the EU SCCs, or the Binding Corporate Rules. The requirement to carry out transfer impact assessments stems from Article 46(1) of the UK GDPR, which states that the transfer mechanisms can be used “on condition that enforceable data subject rights and effective legal remedies for data subjects are available” confirmed by the CJEU’s Schrems II judgement.
The ICO’s TRA offers an alternative approach to the EDPB’s transfer impact assessments (TIA), to assist data exporters with carrying out their analysis to check that that protections under the transfer tool are not undermined by the laws and practices of the recipient third country.
Continue Reading ICO provides an alternative to the EDPB transfer impact assessment
Transatlantic Data Flows – Chapter 3: The EU-U.S. Data Protection Framework: A Summary of the U.S. Executive Order issued on Oct. 9 and its immediate and future effects
At a Glance:
On Oct. 7, 2022, U.S. President Joe Biden issued Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ (“Executive Order” or “EO”). It is described by the U.S. as “a durable and reliable legal foundation” and “that the new ’robust’ commitments contained in the executive order ’fully addresses’ the issues raised in the [EU] Court of Justice’s decision on Privacy Shield” (the “Schrems II ruling”). This Executive Order will form the basis for a new EU-U.S. Data Privacy Framework, aka Safe Harbor Framework v3 or Privacy Shield 2.0.
The issuance of the EO was a central part of the agreement in principle reached between the EU and the U.S. to address the issues raised in the Schrems II ruling. While most of the world waited for this Executive Order, we now all wait for the EU’s response as to whether or not this EO, once its requirements are implemented, suffices to lift the U.S. to an adequate level of data protection within the meaning of Art. 45 GDPR. Even before full implementation of the procedural aspects of the EO, the Executive Order will have a positive impact on data transfers given that the surveillance must be conducted in a proportionate manner that takes into account the impact to privacy and civil liberties of all persons, assuming the EU will be designated as a “qualifying state” by the U.S. Attorney General under the EO.
A conversation with New York Attorney General, Letitia James
In the October edition of IAPP’s Privacy Advisor, Divonne Smoyer, Hubert Zanczak, and Stuart Cobb speak to New York State Attorney General, Letitia James, about her view of consumer privacy, her work to date in enforcing existing laws and her thoughts about the future of privacy in New York and the country.
M365 Accessibility: Considerations and Risks Associated with Vision Related Tools
Almost 20 million Americans — 8 percent of the U.S. population — are blind or have visual impairments. Accordingly, organizations and businesses in nearly every industry stand to benefit from the use of vision related accessibility tools, which can increase employee productivity and provide a more inclusive user experience. To address this need, M365 incorporates a slew of tools and features – such as screen readers, text-to-speech, and color filters – that make it easier for end users with visual impairments to access, use, and benefit from M365 products. However, because these tools may collect and store user data in ways that may not be immediately apparent, businesses employing them must remain cognizant of the potential downstream risks associated with their use. Listen to our latest Tech Law Talks podcast episode, M365 accessibility: Vision-specific tools, as we discuss.
Continue Reading M365 Accessibility: Considerations and Risks Associated with Vision Related Tools