Category

Data Privacy & Security

Questions continue to arise over the interplay of the second Payment Services Directive (PSD2) with the General Data Protection Regulation (GDPR). Both PSD2 and the GDPR are complex legislation and the relationship between distinct provisions of each law and how they work together is not altogether clear, which has led to uncertainty for payment service providers, including banks. For example, when is “consent” required to access payment data and what does consent mean? To this…

**Originally published by Bloomberg Law.** On July 1, 2020, California’s attorney general started enforcing the California Consumer Privacy Act by sending letters to companies with requests to cure alleged violations, as contemplated by the CCPA. The legislation took effect on Jan. 1, 2020, as part of the California Civil Code, and called on the attorney general to enforce the law within six months of enacting regulations or July 1, 2020, at the latest. The CCPA regulations…

On 10 July 2020, the Colombia National Police Intelligence Directorate (DIPOL) initiated a public bidding process for the procurement of an AI-based cyber-intelligence system for DIPOL. Such a system would provide the police with access to social media accounts and instant messaging services. The cyber-intelligence system should allow the dynamic monitoring of activity in social media and instant messaging networks that have public links. Additionally, the system should allow the identification of the following…

On 16 July 2020, the European Court of Justice (“ECJ”) ruled that the EU Commission’s 2016 decision regarding the adequacy of data protection in the United States and the EU-US Privacy Shield (“Privacy Shield”) are invalid. As a result, companies in the EU and United States relying on the Privacy Shield program are scrambling to determine the impact on their operations. Many US companies grant share-based awards to employees of their subsidiaries in the EU…

In this article published by the Financial Express, partner Anne Petterd explains why an important issue for the e-commerce sector in preparing for the new Indian law will be to recognize that data is not solely the concern of privacy regulators. Competition and consumer regulatory issues are also being raised in relation to processing personal and other data.

It’s difficult to believe that it has only been a short time since the Court of Justice of the European Union invalidated the European Commission adequacy finding for the EU-U.S. Privacy Shield on July 16, 2020. So much has changed. In this final note in the series, we provide seven predictions for the road ahead with “Schrems II” and global data transfers. Some of these may be more controversial than others, but here goes: 1.…

Most companies consider cross-border data transfer restrictions under EU data protection laws a difficult compliance requirement, particularly since July 16, when the Court of Justice of the European Union ruled on the EU-U.S. Privacy Shield and standard contractual clauses. Additionally, companies that offer data-processing services are also facing a difficult sales topic, which commands urgent attention, particularly in the technology, media and telecommunications sectors. Note: This is the seventh in…

Starting with a good note: The “Schrems II” judgment does not lead to significant negative implications for companies that rely on the derogations the EU General Data Protection Regulation provides for international data transfers through Article 49. The Court of Justice of the European Union’s judgment stipulates that companies will need to evaluate whether their use of the standard contractual clauses provides sufficient protection in light of any access by the public authorities of the third country…

BCRs as a robust alternative to Privacy Shield and SCCs

Binding corporate rules are considered the “gold standard” for international data transfers, primarily as they constitute the only data transfer mechanism that carries individual regulatory approval. As all concerned supervisory authorities have participated in the review and approval process, it seems unlikely that a supervisory authority would initiate an enforcement action against a data transfer that takes place on this basis. BCRs are also not…

In its “Schrems II” opinion issued July 16, the Court of Justice of the European Union did not reach any findings on the EU Commission’s decisions 2001/497/EC or 2004/915/EC, i.e., the standard contractual clauses for the transfer of personal data to controllers. However, the rationale behind the CJEU’s ruling on the controller-to-processor SCCs, as well as on the EU-U.S. Privacy Shield, suggests two things with respect to controller-to-controller SCCs: The additional measures for transfers under C2P SCCs…