Global Privacy & Security Compliance Law Blog

Swiss Regulator Determines Swiss-US Privacy Shield Is Inadequate

Posted in Legislative & Regulatory Developments

Swiss companies are advised to take additional measures when transferring personal data from Switzerland to the US.

By Gail E. Crawford, Fiona M. Maclean, and Amy Smyth

On 8 September 2020, the Swiss data protection authority, Adrian Lobsiger (the Federal Data Protection and Information Commissioner, FDPIC), concluded in his annual review that the Swiss-US Privacy Shield does not provide an adequate level of protection for personal data transfer from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP). Mirroring the Court of Justice in the European Union’s (CJEU’s) findings in the recent Schrems II decision, the FDPIC also concludes that the standard contractual clauses (SCCs), and binding corporate rules (BCRs) (as applied in Switzerland), may not provide for adequate protection for transfers to the US or other third countries. Continue Reading

How Does the New DIFC Data Protection Law Compare With the GDPR?

Posted in Legislative & Regulatory Developments

Latham lawyers explain who the DIFC’s new law applies to and how it maps against the GDPR.

By Brian A. Meenagh, Fiona M. Maclean, Alexander Hendry, and Avinash Balendran

The Dubai International Financial Centre (DIFC) recently issued a new data protection law and regulations: the Data Protection Law DIFC Law No. 5 of 2020 and the Data Protection Regulations (together, the DIFC DP Legislation).  The new law, which became effective on 1 July 2020, sets a significant benchmark for data privacy in the Middle East and aligns the DIFC’s data protection framework with international data protection regulations, including the EU’s General Data Protection Regulation (GDPR). Continue Reading

Practical Considerations for Assessing Data Transfers after Schrems II

Posted in Legislative & Regulatory Developments

Latham develops new resource to identify considerations for assessing SCC and BCR data transfers in Europe.

By Gail E. Crawford, Fiona M. Maclean, Michael H. Rubin, Serrin Turner, Tim Wybitul, and Ulrich Wuermeling

Following the Schrems II decision in July 2020, organisations relying on the standard contractual clauses (SCCs) or Binding Corporate Rules (BCRs) to transfer personal data outside of the European Economic Area are required to assess whether the law of the destination country ensures adequate protection for the personal data being transferred. Organisations may also need to put in place additional safeguards to ensure an essentially equivalent level of protection. The CJEU indicated that SCCs should not be used if the destination country’s legal regime prevents compliance with their terms or impinges on the level of protection they afford. Continue Reading

French Data Protection Authority Hands Down First Sanction as Lead Authority

Posted in GDPR

The CNIL has imposed a €250,000 fine on an online retailer for GDPR infringements in cooperation with other EU supervisory authorities.

By Myria Saarinen and Charlotte Guerin

Founded in 2006 and headquartered in France, Spartoo SAS (Spartoo) is one of the leaders of the European online shoe retail market. On 31 May 2018, a week after the entry into application of the GDPR, the French Data Protection Authority (the CNIL) launched an on-site investigation of Spartoo in cooperation with other EU supervisory authorities. The CNIL eventually handed down its decision on 28 July 2020, imposing a €250,000 fine on Spartoo for the infringement of four different provisions of the GDPR. Spartoo may appeal the CNIL’s decision within two months. The decision illustrates how the GDPR’s “one-stop shop” mechanism can operate, and also provides insight to online retailers and other businesses on what to expect regarding GDPR enforcement in practice. Continue Reading

China Issues Draft Data Security Law for Public Comment

Posted in Security

The proposed Data Security Law has a broad jurisdictional scope and will expand the PRC’s regulatory framework for information and data.

By Hui Xu, Gail E. Crawford, Jennifer C. Archie, Kieran Donovan, and Aster Y. Lin

On July 3, 2020, the Standing Committee of the National People’s Congress of the People’s Republic of China (PRC) issued the draft Data Security Law (DSL) for public comment. Once finalized, the DSL, together with the PRC Network Security Law and the proposed PRC Personal Information Protection Law, will form an increasingly comprehensive legal framework for information and data security. Continue Reading

France’s Highest Administrative Court Provides Insights on Lawful Cookie Practices

Posted in Legislative & Regulatory Developments

Court’s decision struck down blanket prohibition on so-called “cookie walls” that prevent users from accessing a website or an application.

By Myria Saarinen and Charlotte Guérin

France’s Highest Administrative Court (the Conseil d’Etat) issued a decision on 19 June 2020 upholding most of the guidance on cookies and other tracking devices that the French Data Protection Authority (the CNIL) had published on 4 July 2019 (the Guidance). However, the Conseil d’Etat struck down the provision of the Guidance imposing a blanket prohibition on so-called “cookie walls” that prevent users who do not consent to the use of cookies from accessing a website or an application. On the same day, the CNIL published a communication acknowledging the decision and announcing that it would adjust its Guidance and future recommendation to strictly comply with the Conseil d’Etat’s decision. Continue Reading

CJEU Invalidates EU-US Privacy Shield

Posted in Legislative & Regulatory Developments, Privacy

A ruling by the EU’s top court invalidates the key mechanism for transferring personal data from the EU to the US and imposes additional conditions for use of the standard contractual clauses.

By Gail E. Crawford, Fiona M. Maclean, Michael H. RubinUlrich Wuermeling, Calum Docherty, and Amy Smyth

On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, one of the key mechanisms for lawfully transferring personal data from the European Union to the United States. At the same time, the CJEU ruled that the standard contractual clauses (Model Clauses) remain valid but can only be used under strict conditions.

This post provides an initial analysis of the judgment and proposes some immediate next steps for businesses to ensure compliant data transfers from the EU. Continue Reading

French State Council Upholds CNIL’s €50M Fine for GDPR Violations

Posted in GDPR

The Council decision contains useful considerations and clarifications on the “one-stop shop” mechanism, transparency obligations, and consent for targeted advertising.

By Myria Saarinen and Camille Dorval

On 19 June 2020, France’s Highest Administrative Court (Council) handed down its decision on the appeal filed by Google LLC (Google) against the French Data Protection Authority’s (CNIL’s) decision of 21 January 2019, which imposed a fine of €50M to Google for failure to comply with the obligations of transparency and to lawfully process personal data on the basis of a valid consent, with respect to the operating system for Android mobile terminals. Continue Reading

EDPB Guidelines – What is the Territorial Reach of the GDPR?

Posted in GDPR

After the recent two-year anniversary of the GDPR, one fundamental question remains — who does the GDPR apply to?

By Gail Crawford, Ulrich Wuermeling, and Calum Docherty

Last month marked the two-year anniversary of the General Data Protection Regulation (GDPR), but its territorial reach is still hotly debated. This blog post takes a detailed look at the final guidelines on the territorial scope of the GDPR, which the European Data Protection Board (the EDPB) published on 12 November 2019 following public consultation of its draft guidelines dated 23 November 2018 (the Guidelines).

The Guidelines contain several helpful clarifications around when the GDPR applies to controllers and processors of personal data. At the same time, however, the Guidelines still present latent ambiguity as to when and to what extent the GDPR applies, particularly for multinationals.

Continue Reading

UK Supreme Court Clarifies Position on Vicarious Liability for Data Breaches

Posted in Privacy

Judgment offers some comfort for data controllers, without eliminating the possibility of vicarious liability based on an employee’s actions.

By Ian Felstead and Calum Docherty

The UK Supreme Court (UKSC) has ruled that WM Morrisons Supermarkets plc (Morrisons) was not vicariously liable for the actions of a rogue employee who leaked the personal payroll data of 98,998 co-workers. The UKSC unanimously overturned a 2018 Court of Appeal judgment, and allowed Morrisons’ appeal against vicarious liability claims relating to breach of statutory duty under the Data Protection Act 1998 (DPA 1998), misuse of private information, and breach of confidence.

In its judgment, the UKSC found that Morrisons was not vicariously liable for the data breaches committed by its rogue employee, because the rogue employee’s “wrongful conduct was not so closely connected with acts which he was authorised to do”,  but held that the DPA 1998 does not exclude the imposition of vicarious liability. It is uncertain whether the same interpretation applies under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Continue Reading

LexBlog