Court of Justice of the European Union Invalidates the EU-U.S. Privacy Shield, Finds Standard Contractual Clauses Valid

The Court of Justice of the European Union (CJEU) in a surprise decision invalidated the U.S. Privacy Shield in a case called, Schrems II – a decision important to all companies doing business in the EU and collecting personal data about its residents. It found that the Standard Contractual Clauses (SCC) issued by the European Commission to support the lawful transfer of personal data to processors established outside of the EU are valid. At the same time, the Court unexpectedly invalidated the EU-U.S. Privacy Shield framework. This decision will require companies to re-examine their approach to transferring data between the U.S and the EU. Background In 2015 Max…

READ MORE

Belgian Data Protection Authority Imposes Fines on Non-Profit Organization

In a decision issued on May 29, 2020, the Belgian data protection authority (DPA) turned its attention to the practices of non-profit organizations when it imposed a fine for violations of the EU’s General Data Protection Regulation (GDPR).  The DPA’s decision responded to an individual who complained that he continued to receive promotional materials from the organization after he had objected to the processing of his contact details for direct marketing. He had also requested that the organization delete his data from its database. The DPA stated that under the GDPR, unsolicited postal communications sent by non-profit organizations to promote their services and to fundraise qualify as “direct…

READ MORE

Federal Trade Commission Announces Settlements in Privacy Shield Enforcement Actions

The Federal Trade Commission sent an important message to companies participating in the EU-U.S. Privacy Shield when earlier this year, the agency announced that settlements had been finalized with five companies regarding separate allegations that they had falsely claimed certification under the framework. The EU-U.S. and Swiss-U.S. Privacy Shield frameworks make it possible for companies to transfer personal data lawfully from the EU and Switzerland, respectively, to the U.S. (In compliance with the EU – GDPR – General Data Protection Regulation). The FTC announcement can be found here. In individual actions the FTC had alleged that: DCR Workforce, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc., each…

READ MORE

Be Prepared: New Tech Enables Floods of Subject Access Requests

In January 2020, a new data privacy startup, Mine, made headlines when it received $3 million in seed funds. Mine is an inevitable product of new data privacy laws that have been passed in Europe and California. The start-up based in Tel Aviv helps users identify all the companies that hold their personal data. It then allows users to submit automated subject access requests and subject erasure requests. They advertise as a service providing tools for consumers to “reclaim your data.”  Users of this service have already sent out thousands of requests emphasizing how easy it is to generate hundreds of requests. Achieved is already handling Mine requests on…

READ MORE

Issues Remain to Be Resolved as Congress Considers Comprehensive Privacy Protections in 2020

As 2020 begins, Congress continues on a path toward providing consumers with greater protections for their data, lawmakers have exhibited a rare willingness to work toward consensus on the issue. Bills introduced by members of Congress in 2019 often shared more in common than not. But a hearing (https://www.commerce.senate.gov/2019/12/examining-legislative-proposals-to-protect-consumer-data-privacy) held late in the year by the Senate Committee on Commerce, Science and Transportation revealed differences that remain to be resolved before any bill will pass. The Committee brought together a diverse panel of five witnesses that included former FTC Commissioners, Vice Presidents of major technology companies and a representative of a civil liberties organization. The panelists largely agreed…

READ MORE