New Guidance for Companies that Transfer Data from the EU to the U.S.

The Article 29 Working Party has recently released several new documents of interest to companies that collect and process data about EU residents and who move data from the EU to the United States. First, the Working Party released “Recommendations on the Standard Application for Approval of Data Controller or Processor Binding Corporate Rules for the Transfer of Personal Data.” Binding Corporate Rules (often referred to as BCRs) are one mechanism available to companies to support the legal transfer of data outside the European Economic Area. Article 45 of the GDPR requires that data transferred to a country which has not been deemed to provide an adequate level of data…

READ MORE

Not Just for Large Multinationals: U.K. Information Commissioner’s Office and Article 29 Working Party Issue GDPR Guidance for Small Businesses

Smaller companies take note – the U.K. Information Commissioner’s Office (ICO) and the Article 29 Working Party have highlighted that all companies must comply with the General Data Protection Regulation (GDPR) regardless of size, and recently issued special guidance for smaller businesses. The GDPR, a law that places new obligations on organizations that collect and process data about European residents, comes into effect May 25, 2018. In a recently published set of FAQs, the ICO addresses key issues raised by the GDPR in the context of small businesses, including criteria for imposition of monetary sanctions; security; determining whether your organization is a processor or controller under the terms…

READ MORE

Singapore Joins the Accountability-based APEC System

While companies work to comply with the General Data Protection Regulation (GDPR), the European law that takes effect on May 25, it is important to remember that countries in other parts of the world also are adopting new approaches to information privacy protection. Companies that plan to do business in new markets should take note of these and understand that the steps they take to comply with the GDPR – particularly with respect to accountability – can lay the groundwork for compliance in other regions. On March 6, 2018, Singapore’s Ministry of Communications and Information announced that Singapore has joined the APEC Cross-border Privacy Rules (CBPR). The APEC CBPR system…

READ MORE

FTC Settles Complaint Against Venmo

On February 27, the Federal Trade Commission (FTC) reached a settlement with Paypal, Inc. relating to the privacy and security practices of Venmo, Paypal’s peer-to-peer payment service. The FTC alleged that Venmo failed to adequately disclose to its users that transfers of funds from their Venmo balances to external bank accounts were subject to review, and such funds could be frozen or removed in cases of suspected fraud. The FTC’s complaint also charges that Venmo misled users about the scope of Venmo’s “bank grade security systems,” as well as the extent to which users could control the visibility of their transactions. Venmo allows individuals to send and receive…

READ MORE

New Guidance about Transparency: Notices Must Be Accurate, Clear and Easy To Locate

Important guidance about the General Data Protection Regulation’s (GDPR) transparency requirements has been released from Europe. The Article 29 Working Party, an advisory body that oversees data protection in the EU, issued a paper that provides practical guidance and clarity about the obligations of data controllers with respect to informing individuals about the collection, use and protection of their data. The GDPR requires that notices must: be concise, transparent, intelligible and easily accessible (Article 12.1); use clear and plain language (Article 12.1); the requirement for clear and plain language is of particular importance when providing information to children (Article 12.1); be provided in writing “or by other means, including where…

READ MORE

Preparing for May 25th, 2018: GDPR Compliance Requires More Than Technology Solutions

Whether you are in the IT department or on the legal team, in recent weeks you’ve no doubt received announcements and advertisements offering technology solutions that promise to help you “achieve GDPR readiness.” While these products can help address certain compliance issues, it’s important to understand their limitations – and that GDPR compliance requires more than technology solutions. Before any tool can be useful, GDPR demands a combination of review, risk analysis and thoughtful decision-making on the part of your company. While software solutions can help with discrete tasks – data mapping, controlling and monitoring who has access to data, and managing consent, to name a few –…

READ MORE

CFTC Imposes $100,000 Penalty for Failure To Supervise IT Provider

On February 12, 2018, the Commodity Futures Trading Commission (CFTC) issued an order requiring AMP Global Clearing, a registered Futures Commission Merchant (FCM), to pay a civil penalty of $100,000 due to its failure to diligently supervise its IT provider in implementing AMP’s Information Systems Security Program. The order came after a third party was able to gain access to AMP customer records without authorization through a vulnerability in AMP’s network. The vulnerability had not been detected in three consecutive quarterly network risk assessments, despite the fact that security breaches resulting from similar vulnerabilities—including a number that occurred on network devices manufactured by the same manufacturer as AMP’s—had…

READ MORE

U.S. Regulators Convene Workshop on Privacy Risks and Harms

Compliance with the European Union’s General Data Protection Regulation (GDPR), scheduled to take effect in May 2018, has taken center stage for companies. But it is important to remember that regulators in the U.S. continue their own work to protect the privacy interests of consumers. The Federal Trade Commission (FTC) took the spotlight on December 12, 2017, when it hosted a one-day workshop titled “Informational Injury” in Washington DC. The event brought together a variety of stakeholders – including industry representatives, consumer advocates, academics and government researchers – to discuss issues related to the injuries consumers suffer when information about them is misused. In opening remarks, Acting FTC Chairwoman…

READ MORE

EU Releases Guidance About the Requirements for Obtaining Valid Consent Under GDPR

Last month, companies working toward compliance with the European Union’s General Data Protection Regulation (GDPR) received guidance about the new law’s consent requirement. The Article 29 Working Party, the advisory body that oversees data protection in the EU, issued a paper that provides practical advice about steps companies must take to ensure the consents for data processing they obtain from consumers are valid under the GDPR. The GDPR provides that for consent to be valid, it must be freely given, specific to the stated purpose for the processing, informed, and based on a clear, affirmative indication given by the data subject. The document provides advice about how regulators interpret…

READ MORE