Quebec Proposed Update to Provincial Privacy Law Includes Elements of the GDPR and Canadian Federal Law

On June 12, 2020, Quebec introduced a proposed update to its public and private sector privacy laws. The draft legislation reflects both elements of the European Union’s General Data Protection Regulation (GDPR) and aspects of federal and provincial privacy laws in Canada. Among the GDPR-like provisions are requirements that companies establish a person in charge of personal information: Sanctions for failures to provide notice, collection or use of personal information in violation of the act, or for failure to report a breach. The amendments would impose penalties on businesses ranging from $15,000 to 25 million or an amount corresponding to 4 per cent of worldwide annual turnover, whichever…

READ MORE

Senator Sherrod Brown Releases Draft Privacy Bill

U.S. Sen. Sherrod Brown, ranking member of the U.S. Senate Committee on Banking, Housing, and Urban Affairs, recently released a draft privacy bill, the Data Accountability and Transparency Act of 2020 Link to: US Senate Draft Privacy Bill Brown’s proposal would: Give Americans the power to hold corporations, big tech, and the government responsible for how they collect and protect personal data. The bill Rejects the “consent” model for privacy, and instead places strict limits on the collection, use, and sharing of Americans’ personal data. The bill contains Provide strong civil rights protections to ensure personal information is not used for discriminatory purposes Ban the use of facial…

READ MORE

Court of Justice of the European Union Invalidates the EU-U.S. Privacy Shield, Finds Standard Contractual Clauses Valid

The Court of Justice of the European Union (CJEU) in a surprise decision invalidated the U.S. Privacy Shield in a case called, Schrems II – a decision important to all companies doing business in the EU and collecting personal data about its residents. It found that the Standard Contractual Clauses (SCC) issued by the European Commission to support the lawful transfer of personal data to processors established outside of the EU are valid. At the same time, the Court unexpectedly invalidated the EU-U.S. Privacy Shield framework. This decision will require companies to re-examine their approach to transferring data between the U.S and the EU. Background In 2015 Max…

READ MORE

Belgian Data Protection Authority Imposes Fines on Non-Profit Organization

In a decision issued on May 29, 2020, the Belgian data protection authority (DPA) turned its attention to the practices of non-profit organizations when it imposed a fine for violations of the EU’s General Data Protection Regulation (GDPR).  The DPA’s decision responded to an individual who complained that he continued to receive promotional materials from the organization after he had objected to the processing of his contact details for direct marketing. He had also requested that the organization delete his data from its database. The DPA stated that under the GDPR, unsolicited postal communications sent by non-profit organizations to promote their services and to fundraise qualify as “direct…

READ MORE

Federal Trade Commission Announces Settlements in Privacy Shield Enforcement Actions

The Federal Trade Commission sent an important message to companies participating in the EU-U.S. Privacy Shield when earlier this year, the agency announced that settlements had been finalized with five companies regarding separate allegations that they had falsely claimed certification under the framework. The EU-U.S. and Swiss-U.S. Privacy Shield frameworks make it possible for companies to transfer personal data lawfully from the EU and Switzerland, respectively, to the U.S. (In compliance with the EU – GDPR – General Data Protection Regulation). The FTC announcement can be found here. In individual actions the FTC had alleged that: DCR Workforce, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc., each…

READ MORE