Businesses will need to take additional steps to ensure compliance as exemptions under the California Consumer Privacy Act expire at the end of 2022. By Robert Blamires, Michael H. Rubin, Robert W. Brown, and Jennifer Howes The California legislature adjourned its 2022 session without extending the exemptions under the California Consumer Privacy Act (CCPA) for … Continue Reading
Aggressive enforcement may be on the horizon now that businesses have had more than two years to comply with California’s landmark privacy law. By Michael Rubin, Joseph Hansen, Robert Brown, Max Mazzelli, and Wesley Tiu On August 25, 2022, the California Office of the Attorney General (OAG) announced that it had settled a complaint against … Continue Reading
The EDPB sets out relevant steps and factors that EU supervisory authorities should consider when calculating administrative fines under the GDPR. By Gail Crawford, Ian Felstead, James Lloyd, Tim Wybitul, Irina Vasile, Sami Qureshi, and Amy Smyth On 16 May 2022, the European Data Protection Board (EDPB) adopted draft Guidelines 04/2022 on the calculation of … Continue Reading
The evolution of cybersecurity-related representations and warranties in M&A transaction documentation has had an impact on financing transactions. Major M&A transactions and IPOs have become the target of increasingly sophisticated cyberattacks, in some cases affecting thousands of companies along the supply chain. Regulators have responded with stepped-up enforcement, extending their reach not just to victim … Continue Reading
Utah enacts data privacy legislation in the mold of California, Colorado, and Virginia, but with less onerous requirements for businesses, in what is expected to be a model for more states going forward. By Jennifer Archie, Michael Rubin, Joseph Hansen, and Wesley Tiu On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer … Continue Reading
The French Data Protection Authority’s white paper discusses how companies can comply with data privacy and security obligations. By Christian F. McDermott, Myria Saarinen, Calum Docherty, Charlotte Guerin, Jiou (Alex) Park, and Amy Smyth The use of card, contactless, and innovative digital payment solutions has significantly increased in recent years, fueled by the immediate impacts … Continue Reading
The Personal Information Protection Law, or PIPL, imposes stringent obligations of a similar standard to the GDPR and will take effect on November 1, 2021. By Hui Xu, Kieran Donovan, and Bianca Lee On August 20, 2021, the Standing Committee of the National People’s Congress adopted the Personal Information Protection Law of the People’s Republic … Continue Reading
The regulations aim to protect the security of the CII and impose more compliance obligations in support of the Network Security Law. By Hui Xu and Kieran Donovan On July 30, 2021, the State Council of the People’s Republic of China (PRC) published the Security Protection Regulations on the Critical Information Infrastructure (the Regulations), which … Continue Reading
The decision will likely provide comfort to businesses operating in the healthcare sector both in the UAE and globally. By Brian A. Meenagh and Avinash Balendran On 28 April 2021 the United Arab Emirates (UAE) federal government issued Ministerial Decision No. 51 of 2021 (the Decision) to clarify when health information may be stored or … Continue Reading
The privacy organisation noyb will file more than 10,000 complaints for use of cookies contrary to its interpretation of compliance. By Gail Crawford, Myria Saarinen, Tim Wybitul, Wolf Boehm, Charlotte Guerin, and Amy Smyth On 31 May 2021, the nonprofit privacy organisation noyb (short for “none of your business”) launched a large-scale campaign to combat … Continue Reading
The Act represents an accelerating trend among US states to attempt to pass comprehensive privacy legislation in the wake of the CCPA. By Jennifer C. Archie, Michael H. Rubin, Marissa R. Boynton, and Alexander L. Stout On March 2, 2021, Virginia Governor Ralph Northam signed comprehensive state privacy legislation titled the Consumer Data Protection Act … Continue Reading
Slaughter discusses the FTC’s priorities under the new administration, including ed-tech, health apps, and racial equity. By Jennifer Archie, Michael Rubin, Marissa Boynton, and Jimmy Smith On February 10, 2021, in her first major speech as acting chair of the Federal Trade Commission (the Commission, or the FTC), Rebecca Slaughter discussed the Commission’s enforcement priorities under … Continue Reading
As the Brexit transition period draws to a close, businesses will need to consider their data protection efforts to comply with both UK and EU regimes. By Gail Crawford, Fiona Maclean, and Amy Smyth The end of the Brexit transition period on 31 December 2020 will have several data protection consequences. The impact of one … Continue Reading
The French data protection authority’s decisions cite violations of the cookie rules under the ePrivacy Directive and provide important insights on explicit consent. By Gail Crawford, Myria Saarinen, Tim Wybitul, and Wolf-Tassilo Böhm Between December 2019 and May 2020, the French data protection authority (CNIL) conducted multiple online investigations by visiting google.fr and amazon.fr, before … Continue Reading
The EDPB takes a strict approach in its recent guidance on international data transfers following Schrems II, posing a difficult challenge for businesses. By Gail Crawford, Ian Felstead, Fiona Maclean, Serrin Turner, Tim Wybitul, Victoria Wan and Amy Smyth On 10 November, the European Data Protection Board (EDPB) released its much anticipated draft guidance on … Continue Reading
As contactless transactions boom, EU regulators publish draft guidelines on the interplay between the GDPR and PSD2. By Fiona M. Maclean, Christian F. McDermott, Calum Docherty, and Amy Smyth Last year, more than half of all payments in the UK were made by card and contactless methods, while cash made up less than a quarter … Continue Reading
A ruling by the EU’s top court invalidates the key mechanism for transferring personal data from the EU to the US and imposes additional conditions for use of the standard contractual clauses. By Gail E. Crawford, Fiona M. Maclean, Michael H. Rubin, Ulrich Wuermeling, Calum Docherty, and Amy Smyth On 16 July 2020, the Court of … Continue Reading
Judgment offers some comfort for data controllers, without eliminating the possibility of vicarious liability based on an employee’s actions. By Ian Felstead and Calum Docherty The UK Supreme Court (UKSC) has ruled that WM Morrisons Supermarkets plc (Morrisons) was not vicariously liable for the actions of a rogue employee who leaked the personal payroll data … Continue Reading
Hong Kong regulator declares that the disclosure of personal data of potential COVID-19 carriers is permissible under law. By Kieran Donovan COVID-19 is having a profound impact not only on the way the world interacts socially, but also in the way it interacts in business. Businesses are choosing to protect the health and well-being of … Continue Reading
Research participants must identify which data sets constitute personal data to ensure compliance with the GDPR. By Frances Stocks Allen and Mihail Krepchev The UK Medical Research Council (MRC) has published a useful guidance note on the identifiability, anonymisation, and pseudonymisation of personal data in the context of research activities (the Guidance). The Guidance reminds … Continue Reading
While still in draft form, the modifications both clarify certain obligations and introduce new uncertainty for businesses covered by the CCPA. By Jennifer C. Archie, Michael H. Rubin, Robert Blamires, Marissa R. Boynton, and Scott C. Jones Earlier this month, the California Attorney General released modified draft regulations further clarifying, and in some cases complicating, … Continue Reading
Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime. By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set … Continue Reading
Eliminating the risk of business email compromise (BEC) attacks requires all parties to a financial transaction to pay close attention to email security, financial controls, and communication protocols. By Jennifer C. Archie, Serrin Turner, and Tim Wybitul Key Points: The FBI has identified BEC fraud as the No. 1 financial threat to businesses in the US. … Continue Reading
“Business as usual” for UK-EU data protection transition in 2020. By Gail E. Crawford and Susan Mann On 29 January 2020, the EU Parliament approved the UK Withdrawal Agreement after the UK Parliament’s ratification via the EU Withdrawal Act 2020 on 23 January 2020 (Withdrawal Agreement). The Withdrawal Agreement maintains the UK pre-Brexit position … Continue Reading