Companies that Comply with GDPR Reap Benefits in Jurisdictions Beyond the EU

Companies working to meet the requirements of the General Data Protection Regulation face a complex task. For businesses with limited grounding in data protection, understanding the law, mapping data, conducting risk assessment and mitigation, developing policies and protocols to govern data privacy and producing necessary documentation represent a significant investment of time and resources. Even for companies with data governance programs in place, reviewing those programs to ensure they meet the obligations of the GDPR and making necessary adjustments is a significant undertaking. But it’s important to recognize that the steps a company takes toward GDPR compliance will yield benefits in jurisdictions well beyond the European Union. Since…


European Commission Publishes Draft Decision Finding UK Law Provides Adequate Protections for EU Data

On February 19, 2021, the European Commission published a draft decision finding that UK law provides an adequate level of protection for EU residents’ data. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction. They also will not need to implement data transfer mechanisms, such as the EU Standard Contractual Clauses, to comply with the requirements of the GDPR. The draft decision comes after a year of review by the European Commission, which concluded that the UK’s legal and regulatory data protection regime meets EU data protection adequacy requirements. It also provides for…


Virginia Privacy Legislation Approved by State Senate and House

Virginia may become the second state to enact major privacy legislation of general applicability, following the California Consumer Privacy Act (“CCPA”), which was enacted in 2018. The Virginia bill, if signed into law, would take effect January 1, 2023. The legislation would: establish a comprehensive framework for controlling and processing personal data of Virginia residents; provide Virginia residents with certain rights with respect to their personal data, including rights of access, correction, deletion, portability, the right to opt out of certain processing, and the right to appeal a controller’s decision regarding a rights request; include requirements with respect to data minimization, processing limitations, data security, non-discrimination, third-party contracting…


French Data Protection Authority Imposes Fines on Data Controller and Its Processor for Security Violation

The French Data Protection Authority (the “CNIL”) announced (in French) on January 29, 2021 that it was imposing a fine of €150,000 on a data controller and €75,000 on its data processor for failure to implement adequate security measures. The CNIL found that inadequate security resulted in credential stuffing attacks on the data controller’s websites. In its decision, the CNIL did not reveal the names of the companies sanctioned. The CNIL received several dozen personal data breach notifications from a website that individuals routinely use to make online purchases. In investigations of both the company responsible for processing the data through the website (the data controller) and the…


EDPB and EDPS Adopt Joint Opinions On Draft Standard Contractual Clauses

The European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020. The guidance addresses both international transfers (“International SCCs”) and controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”).

International SCCs

The International SCCs will replace the existing SCCs companies have used to transfer personal data from within the EEA to organizations in non-EEA countries not deemed to provide an adequate level of protection for data of EU residents. In the wake of the invalidation of the EU-U.S. Privacy Shield in the Court of Justice of the European Union’s (the “CJEU’s”) Schrems II judgment, most organizations…
