In advance of its June 8 public board meeting, the California Privacy Protection Agency (“CPPA”) has released draft regulations intended to implement and interpret new requirements under the California Privacy Rights Act (“CPRA”). In addition to codifying the new obligations under the CPRA (e.g., the right to correct, right to opt out of “sharing”), the Draft Regs include helpful illustrative examples and also provide details regarding certain new obligations, which we’ve summarized below. Key Takeaways…
Friday 28 January 2022 is Data Protection Day (or Data Privacy Day outside of Europe), which marks the anniversary of the Council of Europe’s Convention 108. To mark Data Protection Day 2022, our Global Data Privacy and Security Team have provided a roundup of key trends and developments across the globe from a data protection perspective as well as looking ahead to what to expect in 2022. There are new laws and developments to keep…
The new standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and standard contractual clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”) issued by the European Commission provide for, both, chances and challenges for EU service providers supporting EU and non-EU customers, some of which are outlined below. 1. When do the Ex-EU SCCs apply? EU service providers supporting non-EU customers might want to enter into the new Ex-EU SCCs with…
The European Commission (“EC”) recently issued a set of standard contractual clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”). The Intra-EU SCCs accompany a wider set of clauses issued for extra-EU/EEA personal data transfers (“Extra-EU SCCs”), covering transfers between different types of data processing actors (processors, controllers, sub-processors etc.). Both of them were published in the Official Journal of the European Union on June 7, 2021. The clauses for intra-EU data processing arrangements…
The European Commission (“EC”) recently issued its revised standard contractual clauses for data transfers to third countries (“Ex-EU SCCs”) and a companion set of standard clauses for controllers and processors in the EU/EEA (“Intra-EU SCCs”). Both are now published in the Official Journal. The following is an introduction to the core elements of the Ex-EU SCCs and a brief overview of the Intra-EU SCCs. Legal Context The Ex-EU SCCs are a mechanism that companies can…
The roller coaster of comprehensive state data privacy laws continues in earnest. California has now double dipped: first with the California Consumer Privacy Act (CCPA) and second with the California Privacy Rights Act (CPRA). With all eyes on New York, Washington State, and other potential early movers for more state legislation, Virginia has surprised the nation by coming out very quickly with its own version of comprehensive privacy law, which Governor Ralph Northam signed into…
Florida’s governor, Ron DeSantis, and the speaker of the state’s house of representatives, Chris Sprowls, each recently highlighted proposed new privacy legislation in Florida that resembles the California Consumer Privacy Act (CCPA). This has landscape-changing potential, as House Bill 969 is the first CCPA-like proposal endorsed by a Republican governor. The bill the governor and speaker lauded was filed on February 15th, and if passed would become effective on January 1, 2022. Application/Exceptions House Bill…
The Empire State is making waves in the world of privacy with the introduction of its own version of the now infamous California Consumer Privacy Act (CCPA). SB 567, which was introduced on January 6, 2021, is New York’s attempt to introduce new consumer rights with respect to personal information, as well as regulate the sale of consumer personal information to third parties. Notably, the Bill also introduces a private right of action for consumers…
The European Data Protection Board (EDPB) recently published the draft Guidelines on Examples Regarding Data Breach Notification, a document that encompasses eighteen examples of data security incidents, on a spectrum of risk and necessary mitigating measures. Each example concludes with recommended actions based on the identified risks, mainly: recording the incident in the organization’s internal register, notifying the organization’s supervisory authority, and notifying affected individuals. The Guidelines are currently open for public consultation. The Guidelines…
**Originally published by Bloomberg Law.** On July 1, 2020 California’s attorney general started enforcing the California Consumer Privacy Act by sending letters to companies with requests to cure alleged violations, as contemplated by the CCPA. The legislation took effect on Jan. 1, 2020, as part of the California Civil Code, and called on the attorney general to enforce the law within six months of enacting regulations or July 1, 2020 the latest. The CCPA regulations…