European Commission Publishes Draft Decision Finding UK Law Provides Adequate Protections for EU Data

On February 19, 2021, the European Commission published a draft decision finding that UK law provides an adequate level of protection for EU residents’ data. If the draft decision is adopted, organizations in the EU will be able to continue to transfer personal data to organizations in the UK without restriction. They also will not need to implement data transfer mechanisms, such as the EU Standard Contractual Clauses, to comply with the requirements of the GDPR. The draft decision comes after a year of review by the European Commission, which concluded that the UK’s legal and regulatory data protection regime meets EU data protection adequacy requirements. It also provides for…

Virginia Privacy Legislation Approved by State Senate and House

Virginia may become the second state to enact major privacy legislation of general applicability, following the California Consumer Privacy Act (“CCPA”), which was enacted in 2018. The Virginia bill, if signed into law, would take effect January 1, 2023. The legislation would: establish a comprehensive framework for controlling and processing personal data of Virginia residents; provide Virginia residents with certain rights with respect to their personal data, including rights of access, correction, deletion, portability, the right to opt out of certain processing, and the right to appeal a controller’s decision regarding a rights request; include requirements with respect to data minimization, processing limitations, data security, non-discrimination, third-party contracting…

French Data Protection Authority Imposes Fines on Data Controller and Its Processor for Security Violation

The French Data Protection Authority (the “CNIL”) announced (in French) on January 29, 2021 that it was imposing a fine of €150,000 on a data controller and €75,000 on its data processor for failure to implement adequate security measures. The CNIL found that inadequate security resulted in credential stuffing attacks on the data controller’s websites. In its decision, the CNIL did not reveal the names of the companies sanctioned. The CNIL received several dozen personal data breach notifications from a website that individuals routinely use to make online purchases. In investigations of both the company responsible for processing the data through the website (the data controller) and the…

EDPB and EDPS Adopt Joint Opinions On Draft Standard Contractual Clauses

The European Data Protection Board (“EDPB”) and European Data Protection Supervisor (“EDPS”) adopted joint opinions on the draft Standard Contractual Clauses (“SCCs”) released by the European Commission in November 2020. The guidance addresses both international transfers (“International SCCs”) and controller-processor relationships within the EEA (“EEA Controller-Processor SCCs”).

International SCCs

The International SCCs will replace the existing SCCs companies have used to transfer personal data from within the EEA to organizations in non-EEA countries not deemed to provide an adequate level of protection for data of EU residents. In the wake of the invalidation of the EU-U.S. Privacy Shield in the Court of Justice of the European Union’s (the “CJEU’s”) Schrems II judgment, most organizations…

Data Transfers from the European Union to the United Kingdom Will Continue as EU Commission Assesses Adequacy during Six Month Transition Period

The European Commission now has an additional six months to complete its adequacy assessment of the UK’s data protection laws, thanks to an agreement in principle reached by the European Union and the United Kingdom regarding the EU-UK Trade and Cooperation Agreement (“the Agreement”). As a result, companies can – at least for now – continue to move data from the EU to the UK without putting in place additional safeguards. The UK’s transition out of the EU ended December 31, 2020, and as of January 1, 2021 it is treated as a third country for purposes of the EU General Data Protection Regulation (“GDPR”). Article 45 of…