Ireland Data Protection Commission Fines WhatsApp Ireland $266 Million for GDPR Transparency Violations

On September 2, 2021, Ireland’s Data Protection Commission (“DPC”) announced that it would fine WhatsApp Ireland (“WhatsApp”) €225 million ($266 million) for its failure to meet the General Data Protection Regulation’s (“GDPR”) transparency requirements as set forth in Articles 12-14. The investigation of WhatsApp began after the DPC received complaints from individuals regarding WhatsApp’s data processing activities and a mutual assistance request from the German Federal Data Protection Authority about WhatsApp’s compliance with EU data protection law. The investigation focused on whether WhatsApp, which was acquired by Facebook in 2014, complied with its transparency obligations under Articles 12-14 of the GDPR, particularly regarding the sharing and processing of…

READ MORE

China Passes Personal Information Protection Law

On August 20, 2021, China’s 13th Standing Committee of the National People’s Congress passed the country’s first comprehensive data protection law, the Personal Information Protection Law (the “PIPL”). The law is modeled, in part, on other jurisdictions’ omnibus data protection regimes, including the EU General Data Protection Regulation (“GDPR”). When it comes into effect on November 1, 2021, The PIPL will govern personal information processing activities carried out by companies or individuals within China. Like the GDPR, the PIPL also will apply to a company’s processing activities conducted outside of China.  A company not established in China is also covered by the law if it processes personal information about…

READ MORE

Colorado Privacy Act Signed by Governor

As part of the continued movement towards increased privacy regulation, Colorado joins California and Virginia as it becomes the third state to enact a comprehensive data privacy law.  On July 8, 2021, Colorado Governor Jared Polis signed SB21-190, the Colorado Privacy Act (“the Act”), into law. The Act will go into effect on July 1, 2023, with some specific provisions taking effect at later dates. The Act applies to companies conducting business in Colorado or that produce or deliver commercial products or services targeted to Colorado residents.  These include those that either (1) control or process the personal data pertaining to at least 100,000 consumers during a calendar year;…

READ MORE

Data Transfers from the European Union to the United Kingdom Will Continue as EU Commission Assesses Adequacy during Six Month Transition Period

The European Commission now has an additional six months to complete its adequacy assessment of the UK’s data protection laws, thanks to an agreement in principle reached by the European Union and the United Kingdom regarding the EU-UK Trade and Cooperation Agreement (“the Agreement”). As a result, companies can – at least for now – continue to move data from the EU to the UK without putting in place additional safeguards. The UK’s transition out of the EU ended December 31, 2020, and as of January 1, 2021 it is treated as a third country for purposes of the EU General Data Protection Regulation (“GDPR”). Article 45 of…

READ MORE

2020 Developments in Privacy Law Create New Obligations for Companies, Foreshadow More Changes in 2021

While Covid-19 and national and state governments’ efforts to respond to the impact of the disease took center stage in 2020 among lawmakers, the year still brought significant changes in privacy and data protection law. Companies will need to take measures to meet new obligations created by court decisions and legislation and to prepare for more changes expected in 2021. Invalidation of Privacy Shield – On July 16, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework, an agreement between the European Commission and U.S. Department of Commerce to facilitate the legal movement of data from the EU to the U.S. Invalidation of…

READ MORE