Stay up to date with the latest knowledge and breaking news in the privacy and compliance world. Find out about updates to global privacy regulations and GDPR, along with laws that affect the rights of individuals.
In July, the European Commission took the final steps to formally adopt formally establish the new EU-U.S. Data Privacy Framework (the Framework). After years of intense negotiation between the EU and the U.S., restoration of the Framework reduces the uncertainty about lawful data transfer that came with invalidation of the U.S-EU Privacy Shield by the Court of Justice of the European Union (CJEU) in the Schrems II case.
The European Commission’s announced in December that it has begun its process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework (the Framework). Companies seeking to transfer data from countries in the European Union to the United States will need to take steps to be in alignment with this new change.
The framework enhances protections for EU residents with respect to the activities of such agencies by restricting U.S. their processing of EU data subjects’ personal data.
While bipartisan legislation to establish a federal privacy law in the United States – the American Data Privacy and Protection Act – moves through Congress, the Federal Trade Commission (FTC) has now taken steps to address existing and emerging issues related to commercial data and to consider the possibility of updating requirements.
Companies transferring data out of China for processing should be aware of new guidance issues on June 26 by China’s National Information Security Standardization Technical Committee - the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information.
Currently, a drafted piece of data privacy legislation is going through the US Congress. After some research and discussion, we analyzed what's in the proposed bill.
As we reported last week on Twitter, the European Commission announced the launch the European Health Data Space (EHDS), an initiative designed to empower people to control and use their health data in their home country or in other member states.
Transatlantic data flows took center stage at the International Association of Privacy Professionals (IAPP) Global Privacy Summit.
Clearview AI has been investigated and sanctioned by a number of different EU data protection authorities. However, Italy’s recent sanction stood out as it also sanctioned Clearview for failure to appoint an Article 27 Representative.
The fallout from the recent decision of the Austrian data protection authority in the Google Analytics case highlights the increased risk for companies transferring data across the Atlantic, and the urgent need for an effective, practical, long-term solution for data transfers.
Companies that collect and process health related data that does not fall under the requirements of the Health Information Protection and Portability Act (“HIPPA”) will want to pay close attention to new resources published on January 21, 2022 by the Federal Trade Commission.
The Austrian data protection authority (the “Austrian DPA”) recently published a decision that could have significant implications in other EU Member States and result in a ban of Google Analytics across the EU. Achieved Compliance believes this ruling could expose any company that uses cloud-based website and application monitoring services and collects information to regulatory scrutiny. Users of Google Analytics and similar services should be aware of this important development.
Companies seeking guidance about how to understand privacy risks and to implement measures to address them should be aware of two new resources – The National Institute of Standards and Technology’s (“NIST”) draft Privacy Framework and the International Organization for Standardization’s (“ISO”) International Standard for privacy information management. These tools are designed to work alongside existing guidelines for cybersecurity and the requirements of emerging law such as the General Data Protection Regulation and the California Consumer Privacy Act.
On June 12, 2020, Quebec introduced a proposed update to its public and private sector privacy laws. The draft legislation reflects both elements of the European Union’s General Data Protection Regulation (GDPR) and aspects of federal and provincial privacy laws in Canada.
In its judgment, handed down on July 16, 2020 (ACS Blog Summary) the CJEU upheld the validity of the Standard Contractual Clauses (the “SCCs”) the European Commission issued to support the lawful transfer of personal data to data processors outside of the EU. At the same time, it struck down the EU-U.S. Privacy Shield framework. The FAQ responds to some of the many questions the Schrems II ruling raises.
The privacy activist group noyb, headed by Mr. Schrems, has filed complaints against 101 websites which it alleges are still sending data in the absence of the Privacy Shield and without the measures required by the EU’s General Data Protection Regulation.
The European Commission published a draft implementing decision on standard contractual clauses (“SCCs”) for the transfer of personal data to third countries. It also published a draft set of new SCCs. For U.S. companies, the EU General Data Protection Regulation (“GDPR) establishes SCCs as a means by which companies may lawfully transfer data from the EU to the U.S.
On February 19, 2021, the European Commission published a draft decision finding that UK law provides an adequate level of protection for EU residents’ data.
But it’s important to recognize that the steps a company takes toward GDPR compliance will yield benefits in jurisdictions well beyond the European Union. Since its adoption in 2016, the GDPR has served as a model for governments around the world as they have established their own data protection regimes.
The Dutch Data Protection Authority (“Dutch DPA”) has imposed a €525,000 fine on Locatefamily.com for failure to comply with the General Data Protection Regulation’s Article 27 requirement to appoint a representative in the European Union (“EU”).
The European Commission published the final version of the implementing decision on standard contractual clauses (“SCC”) for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”). The Commission also released the final version of the new SCCs.
Colorado joins California and Virginia as it becomes the third state to enact a comprehensive data privacy law.
China’s 13th Standing Committee of the National People’s Congress passed the country’s first comprehensive data protection law, the Personal Information Protection Law (the “PIPL”). The PIPL establishes a comprehensive framework to govern the processing of personal information.
Ireland’s Data Protection Commission (“DPC”) announced that it would fine WhatsApp Ireland (“WhatsApp”) €225 million ($266 million) for its failure to meet the General Data Protection Regulation’s (“GDPR”) transparency requirements as set forth in Articles 12-14.