Virginia Privacy Legislation Approved by State Senate and House

Virginia may become the second state to enact major privacy legislation of general applicability, following the California Consumer Privacy Act (“CCPA”), which was enacted in 2018. The Virginia bill, if signed into law, would take effect January 1, 2023. The legislation would: establish a comprehensive framework for controlling and processing personal data of Virginia residents; provide Virginia residents with certain rights with respect to their personal data, including rights of access, correction, deletion, portability, the right to opt out of certain processing, and the right to appeal a controller’s decision regarding a rights request; include requirements with respect to data minimization, processing limitations, data security, non-discrimination, third-party contracting…


French Data Protection Authority Imposes Fines on Data Controller and Its Processor for Security Violation

The French Data Protection Authority (the “CNIL”) announced (in French) on January 29, 2021 that it was imposing a fine of €150,000 on a data controller and €75,000 on its data processor for failure to implement adequate security measures. The CNIL found that inadequate security resulted in credential stuffing attacks on the data controller’s websites. In its decision, the CNIL did not reveal the names of the companies sanctioned. The CNIL received several dozen personal data breach notifications from a website that individuals routinely use to make online purchases. In investigations of both the company responsible for processing the data through the website (the data controller) and the…


EDPB and EDPS Adopt Joint Opinions On Draft Standard Contractual Clauses

The European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020. The guidance addresses both international transfers (“International SCCs”) and controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”).

International SCCs

The International SCCs will replace the existing SCCs companies have used to transfer personal data from within the EEA to organizations in non-EEA countries not deemed to provide an adequate level of protection for data of EU residents. In the wake of the invalidation of the EU-U.S. Privacy Shield in the Court of Justice of the European Union’s (the “CJEU’s”) Schrems II judgment, most organizations…


Data Transfers from the European Union to the United Kingdom Will Continue as EU Commission Assesses Adequacy during Six Month Transition Period

The European Commission now has an additional six months to complete its adequacy assessment of the UK’s data protection laws, thanks to an agreement in principle reached by the European Union and the United Kingdom regarding the EU-UK Trade and Cooperation Agreement (“the Agreement”). As a result, companies can – at least for now – continue to move data from the EU to the UK without putting in place additional safeguards. The UK’s transition out of the EU ended December 31, 2020, and as of January 1, 2021 it is treated as a third country for purposes of the EU General Data Protection Regulation (“GDPR”). Article 45 of…


2020 Developments in Privacy Law Create New Obligations for Companies, Foreshadow More Changes in 2021

While Covid-19 and national and state governments’ efforts to respond to the impact of the disease took center stage in 2020 among lawmakers, the year still brought significant changes in privacy and data protection law. Companies will need to take measures to meet new obligations created by court decisions and legislation and to prepare for more changes expected in 2021. Invalidation of Privacy Shield – On July 16, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework, an agreement between the European Commission and U.S. Department of Commerce to facilitate the legal movement of data from the EU to the U.S. Invalidation of…
