Colorado Privacy Act Signed by Governor

As part of the continued movement towards increased privacy regulation, Colorado joins California and Virginia as it becomes the third state to enact a comprehensive data privacy law.  On July 8, 2021, Colorado Governor Jared Polis signed SB21-190, the Colorado Privacy Act (“the Act”), into law. The Act will go into effect on July 1, 2023, with some specific provisions taking effect at later dates. The Act applies to companies conducting business in Colorado or that produce or deliver commercial products or services targeted to Colorado residents.  These include those that either (1) control or process the personal data pertaining to at least 100,000 consumers during a calendar year;…

READ MORE

European Commission Publishes Final Version of Standard Contractual Clauses, Imposes Obligations on Data Controllers and Processors

On June 4, 2021, the European Commission published the final version of the implementing decision on standard contractual clauses (“SCC”) for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”).  The Commission also released the final version of the new SCCs. (LINK) The new version of the SCCs is in part a response to the decision in the Schrems II case, which raised questions about whether they provide necessary protections for the trans-Atlantic transfer of data. The European Commission’s release in November 2020 of draft versions of the implementing decision and the SCCs was discussed previously in this blog. The guidance makes clear that…

READ MORE

Dutch Data Protection Authority Imposes €525,000 Fine for Failure to Appoint Article 27 Representative

The Dutch Data Protection Authority (“Dutch DPA”) has imposed a €525,000 fine on Locatefamily.com for failure to comply with the General Data Protection Regulation’s Article 27 requirement to appoint a representative in the European Union (“EU”). Locatefamily.com publishes contact details (including telephone numbers and addresses) of individuals on its online platform. According to the Dutch DPA, individuals often did not register to be listed on the platform and did not know how their personal information found its way to the platform. The Dutch DPA had received numerous complaints from individuals about Locatefamily.com. In a decision issued May 12, 2021 found that the online platform had failed to comply…

READ MORE

Companies that Comply with GDPR Reap Benefits in Jurisdictions Beyond the EU

Companies faced with meeting the requirements of the General Data Protection Regulation face a complex task.  For businesses with limited grounding in data protection, understanding the law, mapping data, conducting risk assessment and mitigation, developing policies and protocols to govern data privacy and producing necessary documentation represents a significant investment of time and resources.  Even for companies with data governance programs in place, reviewing those programs to ensure they meet the obligation of the GDPR and making necessary adjustments is a significant undertaking. But it’s important to recognize that the steps a company takes toward GDPR compliance will yield benefits in jurisdictions well beyond the European Union. Since…

READ MORE

European Commission Publishes Draft Decision Finding UK Law Provides Adequate Protections for EU Data

On February 19, 2021, the European Commission published a draft decision finding that UK law provides an adequate level of protection for EU residents’ data. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction. They also will not need to implement data transfer mechanisms, such as the EU Standard Contractual Clauses, to comply with the requirements of the GDPR. The draft decision comes after a year of review by the European Commission, which concluded that the UK’s legal and regulatory data protection regime meets EU data protection adequacy requirements. It also provides for…

READ MORE