On September 3, 2019, the Federal Trade Commission (“FTC”) announced settlement agreements with five companies for alleged false claims of certification under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, “Privacy Shield”). These settlements indicate that the FTC is continuing to actively enforce Privacy Shield commitments, as it has done with respect to several other … Continue Reading
On July 24, 2019, the European Commission (“the Commission”) published a report appraising Europe’s progress in implementing the General Data Protection Regulation (“GDPR”) as a central component of its revamped data protection framework. In its report, the Commission highlights certain achievements resulting from implementation efforts, calls attention to issues that require further action, and describes … Continue Reading
On June 20, 2019, Keith Krach was confirmed by the U.S. Senate to become the Trump administration’s first permanent Privacy Shield Ombudsperson at the State Department. The role of the Privacy Shield Ombudsperson is to act as an additional redress avenue for all EU data subjects whose data is transferred from the EU or Switzerland … Continue Reading
On June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the draft Measures on Security Assessment of the Cross-border Transfer of Personal Information (“Draft Measures”) for public comment. (The official Chinese version of the Draft Measures is available here, and an unofficial English translation is available here.) The comment period ends on July 13, … Continue Reading
On May 31, 2019, the Cyberspace Administration of China (“CAC”) released the draft Regulation on the Protection of Children’s Personal Information Online (“Draft Regulation”) for public comment. (An official Chinese version is available here and an unofficial English translation of the Draft Regulation is available here.) The comment period ends on June 30, 2019. As mentioned … Continue Reading
On May 28, 2019, the Cyberspace Administration of China (“CAC”) released the draft Measures for Data Security Management (“Draft Measures”) for public comment. (An official Chinese version of the Draft Measures is available here and an unofficial English translation is available here.) The comment period ends on June 28, 2019. The release of these Draft Measures demonstrates … Continue Reading
On April 19, 2019, China’s Ministry of Public Security (“MPS”) released the final version of its Guideline for Internet Personal Information Security Protection (互联网个人信息安全保护指南) (the “Guideline”). A previous version of the Guideline was released for public comments on November 30, 2018. Under China’s Cybersecurity Law (the “CSL”), MPS is the key regulator tasked with protecting … Continue Reading
On February 12, 2019, the European Data Protection Board (“EDPB”) published two information notes to highlight the impact of a so-called “No-deal Brexit” on data transfers under the EU General Data Protection Regulation (“GDPR”), as well as the impact on organizations that have selected the UK Information Commissioner (“ICO”) as their “lead supervisory authority” for … Continue Reading
On February 1, 2019, China’s National Information Security Standardization Technical Committee (“TC260”) released a set of amendments to GB/T 35273-2017 Information Technology – Personal Information Security Specification (“the Standard”) for public comment. The comment period ends on March 3. Although not legally binding, the Standard has been highly influential since becoming effective in May 2018, … Continue Reading
On January 24, the European Data Protection Board (“EDPB”) adopted a report (“Report”) regarding the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”). In a press release accompanying the Report, the EDPB welcomed efforts by EU and U.S. authorities to implement the Privacy Shield, including in particular the recent appointment of a permanent … Continue Reading
Key Provisions in India’s Draft Personal Data Bill This post is a follow-up to our earlier post on the release of India’s draft personal data protection bill. In this post, we go into greater detail about the bill’s provisions and flag issues for companies worldwide that may process data in India or provide goods or … Continue Reading
Covington’s Alex Berengaut and Kate Goodloe today hosted a webinar on the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act. The CLOUD Act was signed into law in March and creates a new framework for government access to data held by technology companies worldwide. The webinar, hosted with DataGuidance, is available here. The webinar expands … Continue Reading
On August 14, Brazilian President Michel Temer signed into law the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (English translation), making Brazil the latest country to implement comprehensive data privacy regulation. The law’s key provisions closely mirror the European Union’s General Data Privacy Regulation (“GDPR”), including significant extraterritorial … Continue Reading
On July 17, 2018, the European Commission successfully concluded negotiations with Japan on a reciprocal adequacy finding which will allow personal data to flow freely from the EU to Japan (and vice versa). The adequacy decision has not yet been formally adopted, as it must still undergo the respective EU and Japanese approval procedures, which … Continue Reading
On March 23, 2018, Congress passed, and President Trump signed into law, the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, which creates a new framework for government access to data held by technology companies worldwide. The CLOUD Act, enacted as part of the Consolidated Appropriations Act, has two components. Part I: Extraterritorial Reach of … Continue Reading
On the heels of the Federal Trade Commission’s (“FTC”) third annual “PrivacyCon,” the Future of Privacy Forum hosted its eighth annual “Privacy Papers for Policymakers” event on Capitol Hill—a gathering in which academics present their original scholarly works on privacy-related topics to D.C. policy wonks who may have a hand in shaping laws and regulations … Continue Reading
The European Commission has today published its Report on the first annual review of the EU-U.S. Privacy Shield (the Report is accompanied with a Staff Working Document, Infographic, and Q&A). The Commission concludes that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to Privacy Shield-certified companies … Continue Reading
On October 3, 2017, the Irish High Court referred Data Protection Commissioner v Facebook Ireland Limited [2016 No. 4809 P.] to the Court of Justice of the European Union (“CJEU”). The case, commonly referred to as Schrems II, is based on a complaint by Max Schrems concerning the transfer of personal data by Facebook, from … Continue Reading
By Dan Cooper and Rosie Klement On July 26, 2017, the Court of Justice of the EU (CJEU) published Opinion 1-15 (the “Opinion”) on the proposed agreement between the European Union and Canada on the transfer and processing of passenger name record (“PNR”) data (the “Agreement”). The Agreement was signed in 2014, but the CJEU … Continue Reading
South Korea has became the fifth member economy to join the Asia-Pacific Economic Cooperation’s (“APEC”) Cross-Border Privacy Rules (“CBPR”) system, a voluntary but legally enforceable code of conduct that aims to facilitate secure data transfers and e-commerce between parties to the agreement. Established in 2011, the CBPR system aims to provide a minimum level of … Continue Reading
On May 27, 2017, China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), released Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (Draft Version) (the “draft Standard”) for public comments. The official Chinese version of … Continue Reading
The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C. The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, … Continue Reading
Nearly 2,000 organizations are now listed as self-certified to the EU-U.S. Privacy Shield on the Department of Commerce’s (“Commerce”) Privacy Shield website. Given current developments on both sides of the Atlantic, there are likely to be significant Privacy Shield developments in the coming months. EU Justice Commissioner Věra Jourová recently concluded her visit to the … Continue Reading
When China’s new Cybersecurity Law takes effect on June 1, 2017, China will become another important jurisdiction to watch in the international data transfer space. Before the new Cybersecurity Law officially was promulgated on November 7, 2016, cross-border data transfer of data from China was largely unregulated by the government. While many Chinese laws and … Continue Reading
