Global Privacy & Security Compliance Law Blog

German Court: CJEU Must Clarify Whether GDPR Provides Materiality Threshold

Posted in GDPR

The decision means the CJEU will need to clarify the framework for GDPR damages claims.

By Tim Wybitul, Dr. Christoph Baus, and Dr. Isabelle Brams

The German Federal Constitutional Court has ruled that the Court of Justice of the European Union (CJEU) needs to clarify whether the General Data Protection Regulation (GDPR) provides for a materiality threshold for GDPR damage claims. The decision overturns a judgment of the Goslar Local Court of 27 September 2019 regarding the unlawful sending of an advertising email.

Extensive Changes to Singapore’s Data Protection Regime Take Effect

Posted in Legislative & Regulatory Developments

Amendments to the PDPA significantly change Singapore’s data protection landscape, including mandatory data breach notification and criminal offences for mishandling of personal data.

By Farhana Sharmeen, Esther Franks, and Gen Huong Tan

On 1 February 2021, certain sections of the Personal Data Protection (Amendment) Act 2020 (the Act) took effect, implementing the following changes to the Personal Data Protection Act 2012 (PDPA):

  • Strengthened enforcement powers for the Personal Data Protection Commission (PDPC)
  • New criminal offences for individuals for egregious mishandling of personal data
  • Mandatory data breach notification requirements
  • New provisions for “deemed” (i.e., implied) consent and exceptions to the PDPA consent requirements, namely the “legitimate interests” exception and the “business improvement” exception

Other changes from the Act have yet to take effect but are expected to be introduced in phases. These include:

  • Increased financial penalties for companies in breach of the PDPA
  • A new right of data portability for individuals


FTC Chair Rebecca Slaughter Outlines Data Privacy Enforcement Agenda

Posted in Legislative & Regulatory Developments, Privacy

Slaughter discusses the FTC’s priorities under the new administration, including ed-tech, health apps, and racial equity.

By Jennifer Archie, Michael Rubin, Marissa Boynton, and Jimmy Smith

On February 10, 2021, in her first major speech as acting chair of the Federal Trade Commission (the Commission, or the FTC), Rebecca Slaughter discussed the Commission’s enforcement priorities under the new administration — with a particular focus on deterring problematic data practices.

In her opening remarks at the Future of Privacy Forum, Slaughter stated that she would urge innovation and creativity and the use of all tools available to the Commission in order to bring about the best outcomes for consumers and to deter problematic privacy and data security practices.[i] She also noted that enhanced enforcement around ed-tech, health apps, and racial equity would be priorities for the new administration. In particular, Slaughter mentioned two types of relief that she believes the Commission should focus on going forward: disgorgement and effective consumer notice.


Data Protection Brexit Checklist: Businesses Can Rely on Personal Data Transfer Grace Period

Posted in Legislative & Regulatory Developments, Privacy

As the Brexit transition period draws to a close, businesses will need to consider their data protection efforts to comply with both UK and EU regimes.

By Gail Crawford, Fiona Maclean, and Amy Smyth

The end of the Brexit transition period on 31 December 2020 will have several data protection consequences. The impact of one of the more significant implications — the UK becoming a third country for the purposes of EU-to-UK personal data transfers — has been mitigated by a four to six-month grace period in the EU & UK Trade and Cooperation Agreement (the Trade Agreement).

The Trade Agreement’s grace period states that personal data may be transferred from the EU to the UK as if the UK had not become a third country on 1 January 2021 (Article FINPROV.10A). This provision means that the requirement for a data transfer mechanism to legalise such transfers under the European General Data Protection Regulation (GDPR) will not be triggered on 1 January 2021, and these transfers may continue as they did during the Brexit transition period.


CNIL Issues Fines Totaling €135 Million in Landmark ePrivacy Directive Cases

Posted in Privacy

The French data protection authority’s decisions cite violations of the cookie rules under the ePrivacy Directive and provide important insights on explicit consent.

By Gail Crawford, Myria Saarinen, Tim Wybitul, and Wolf-Tassilo Böhm

Between December 2019 and May 2020, the French data protection authority (CNIL) conducted multiple online investigations by visiting google.fr and amazon.fr, before launching a full-scale investigation into Google LLC, Google Ireland, and Amazon Europe Core. On 7 December 2020, the CNIL handed down two decisions, one against Google LLC (€60 million fine) and Google Ireland (€40 million fine), and another against Amazon Europe Core (€35 million fine). Contrary to a previous sanction against Google LLC, which was triggered by specific complaints about its practices, the CNIL’s decisions indicate that the investigations were launched sua sponte with the specific aim of reviewing the companies’ cookie practices.

The Commission’s Draft Updated Standard Contractual Clauses — A Close Look

Posted in Legislative & Regulatory Developments

The European Commission has published draft updated standard contractual clauses in light of the Schrems II decision.

By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan, and Amy Smyth

On 12 November 2020, the European Commission (the Commission) published a draft implementing decision, annexing a draft set of updated standard contractual clauses (SCCs) for the transfer of personal data from the European Union to third countries (the New SCCs). The New SCCs were published two days after the European Data Protection Board (EDPB) released its draft recommendations on supplementary measures (the Recommendations). (For more information, see Latham’s blog post The EDPB’s Draft Data Transfer Guidance Following Schrems II — A Close Look.)

In the New SCCs, the Commission has substantially updated the SCC terms. The New SCCs provide for new types of data transfer (i.e., processor-to-processor and processor-to-controller transfers, in addition to the controller-to-controller and controller-to-processor transfers covered in the current SCCs) and, to a limited extent, address matters arising from the CJEU Schrems II decision.

The EDPB’s Draft Data Transfer Guidance Following Schrems II – A Close Look

Posted in Legislative & Regulatory Developments, Privacy, Security

The EDPB takes a strict approach in its recent guidance on international data transfers following Schrems II, posing a difficult challenge for businesses.

By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan and Amy Smyth

On 10 November, the European Data Protection Board (EDPB) released its much anticipated draft guidance on international personal data transfers (the Guidance) in the wake of the CJEU Schrems II decision. The EDPB simultaneously issued updated recommendations on the European Essential Guarantees for surveillance measures, which are referred to in the Guidance. The Guidance sets out the EDPB’s proposed step-by-step process for data controllers or data processors that export personal data, outlining how to assess their data transfers and implement General Data Protection Regulation (GDPR)-compliant mechanisms to protect data flows. One day later, the European Commission released draft updated Standard Contractual Clauses (SCCs) for the transfer of personal data. The draft updated SCCs are explicitly designed to address Schrems II requirements, and cross-refer extensively to the Guidance in the draft implementing decision.

Privacy and Payments: New Draft EU Advice for Financial Institutions

Posted in Privacy

As contactless transactions boom, EU regulators publish draft guidelines on the interplay between the GDPR and PSD2.

By Fiona M. Maclean, Christian F. McDermott, Calum Docherty, and Amy Smyth

Last year, more than half of all payments in the UK were made by card and contactless methods, while cash made up less than a quarter of all payments for the first time, according to the trade association UK Finance. The COVID-19 pandemic has accelerated the shift towards a cashless society, as governments across Europe encourage citizens and businesses to adopt cashless solutions. At the start of the lockdown, in the spring, ATM transaction volumes in the UK fell 62% year on year, while daily cash transaction volumes dropped by as much as 90% in Spain, according to the Financial Times.

Swiss Regulator Determines Swiss-US Privacy Shield Is Inadequate

Posted in Legislative & Regulatory Developments

Swiss companies are advised to take additional measures when transferring personal data from Switzerland to the US.

By Gail E. Crawford, Fiona M. Maclean, and Amy Smyth

On 8 September 2020, the Swiss data protection authority, Adrian Lobsiger (the Federal Data Protection and Information Commissioner, FDPIC), concluded in his annual review that the Swiss-US Privacy Shield does not provide an adequate level of protection for personal data transfers from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP). Mirroring the Court of Justice of the European Union’s (CJEU’s) findings in the recent Schrems II decision, the FDPIC also concludes that standard contractual clauses (SCCs) and binding corporate rules (BCRs) (as applied in Switzerland) may not provide adequate protection for transfers to the US or other third countries.

How Does the New DIFC Data Protection Law Compare With the GDPR?

Posted in Legislative & Regulatory Developments

Latham lawyers explain who the DIFC’s new law applies to and how it maps against the GDPR.

By Brian A. Meenagh, Fiona M. Maclean, Alexander Hendry, and Avinash Balendran

The Dubai International Financial Centre (DIFC) recently issued a new data protection law and regulations: the Data Protection Law DIFC Law No. 5 of 2020 and the Data Protection Regulations (together, the DIFC DP Legislation). The new law, which became effective on 1 July 2020, sets a significant benchmark for data privacy in the Middle East and aligns the DIFC’s data protection framework with international data protection regulations, including the EU’s General Data Protection Regulation (GDPR).
