Complimentary Webinar – Understand and Prepare for the California Privacy Rights Act

Join us on January 21, 2021 at 12pm EST/9am PST for a complimentary webinar – Understand and Prepare for the California Privacy Rights Act.

Panelists Elliot Golding, Glenn Brown and Lydia de la Torre of our Data Privacy & Cybersecurity Practice will provide an overview of the CPRA and its interplay with the CCPA.  The speakers will also address what can be done now to start preparing for compliance.

Additional information and registration is available here.

This program is pending 1.0 hour of CLE in AZ, CA, GA, NJ and NY. The program is also approved for 1.0 hour of CPE by IAPP.

Brexit Updated: Interim Deal Reached on EU-UK Data Transfers

Laptop Data TransferOn 24th December 2020, the UK and the EU finally agreed on the terms of a Brexit deal, including an interim solution to the issue of personal data transfers from the EU to the UK.  This interim arrangement gives some much-needed breathing space to European organizations with UK affiliates or that use UK service providers, and renewed hope for an eventual adequacy decision from the European Commission covering transfers of personal data to the UK.

The interim solution agreed allows companies and organisations that transfer personal data from the EU to the UK, to continue to do so, for up to six months to give time for the European Commission to approve an adequacy decision in favour of the UK (under Article 36(3) of Directive (EU) 2016/680 and under Article 45(3) of Regulation (EU) 2016/679).

The relevant terms are set out in the EU-UK Trade and Cooperation Agreement (‘Agreement’) in Article FINPROV.10A (which starts at page 406 of the 1246 page document), which is also summarised by the UK government here.  The key points to note are as follows:

  • During the extension period, transfers of personal data from the EU to the UK will not be considered transfers to a ‘third country’ (provided that the UK’s data protection law remains the same as it is as of 31 December 2020);
  • The same applies to transfers from Norway, Liechtenstein and Iceland (the additional countries, which with the EU, form the European Economic Area (EEA));
  • The initial four-month extension period will end when adequacy is granted, or may be extended by two further months unless the UK or EU objects;
  • If the UK amends its data protection legislation, or exercises certain designated powers without EU agreement during the extension period, the extension period will end.

The ICO has also issued a statement on the Agreement, including an encouraging quote from Commissioner Elizabeth Denham confirming

This means that organisations can be confident in the free flow of personal data from 1 January, without having to make any changes to their data protection practices.

The Commissioner’s statement also contains a note of caution, however, reminding us that adequacy is not guaranteed:  “As a sensible precaution, before and during this period, the ICO recommends that businesses work with EU and EEA organisations who transfer personal data to them, to put in place alternative transfer mechanisms, to safeguard against any interruption to the free flow of EU to UK personal data.” In an ideal world, if there is no adequacy finding, and businesses need to revert to using SCCs, the newly drafted versions (currently awaiting approval) could potentially be used at that time instead of producing drafts based on the existing SCCs now, only to revise them later. There is also the potential for UK versions of SCCs, but let’s not complicate it further.

As we have previously reported, transfers of personal data in the reverse direction, from the UK to the EU, can also continue without interruption, as the UK had already recognised the adequacy of Europe’s data protection standards.

This interim agreement at least temporarily resolves the problem of the UK being considered by the EU as a third country, for personal data transfer purposes, but businesses will still need to address other issues created by Brexit, including privacy notice updates and the appointment of an EU representative where necessary. Please get in touch with your usual SPB contact or any member of our Data Privacy and Cybersecurity team for further assistance on these requirements.

California Attorney General Proposes Minor Modifications to the CCPA Regulations

CCPA-California-Consumer-Privacy-ActOn December 10, 2020, the California Attorney General (“AG”) proposed some minor modifications  to the regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). The modifications were published in response to comments received by the AG following publication of the previous set of proposed modifications on October 12, 2020.

Specifically, the new changes:

  • Propose a design for an opt-out icon that must be included in addition to (not in lieu of), and next to the “Do Not Sell” opt-out notice; and
  • Revise portions of the regulations relating to notice of the right to opt-out in order to highlight alternative methods of providing such notice (such as posted notices and notices over the phone).

Continue Reading

Home Depot’s Agrees to Multistate Settlement Related to 2014 Breach – The Cost: $17.5 Million and Updated Cybersecurity Requirements

As reported on our sister blog Consumer Privacy World, Home Depot recently reached a settlement in a lawsuit related to a September 2014 data breach that affected the payment card information of nearly 40 million customers.

In addition to a financial settlement, Home Depot agreed to implement and maintain various cybersecurity protocols, including: Continue Reading

Lydia de la Torre Selected as Top Cybersecurity Lawyer

We are delighted to announce that Lydia de la Torre   has been recognized as a top cybersecurity lawyer by the legal publication, Daily Journal.  Lydia is one of only 20 lawyers selected for this recognition, which distinguishes individuals at the “cutting edge of cybersecurity who advise companies on best practices and on navigating legal and regulatory mandates on privacy and data security.” Further details on this recognition and Lydia’s practice are available here.

Complimentary Webinar – Standard Contractual Clauses for Data Transfers – Is Now the Right Time?

Wednesday 2 December 2020
Noon – 12:30 p.m. GMT

As reported on this Blog, on 12 November 2020, the European Commission published a draft decision and draft standard contractual clauses for the transfer of personal data to third countries.  Once approved, organisations that rely on SCCs for transfers will have a one-year grace period to implement updates.

Join our 2 December 2020 webinar – Standard Contractual Clauses for Data Transfers – Is Now The Right Time?where we will provide an overview of the draft SCCs,  discuss what businesses should be prioritising now, and whether “quick fixes” can be adopted.

Speakers include:

  • Matthew Kirk, International Affairs Advisor, Squire Patton Boggs
  • Andrea Ward, Director, Squire Patton Boggs
  • Kate Lewis, Data Protection Officer, GB Group

Please register for this session here.

What’s New in the EDPB’s Draft Guidelines on Controllers and Processors Under the GDPR? (Part 4)

EU FlagThis continues our series of blog posts on the draft “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” issued by the European Data Protection Board (“EDPB”) on 7 September 2020. This blog focuses on the updates to the concept of “third parties” and “recipients” in the draft Guidelines. See our previous issue on the updates in the draft Guidelines on the concept of processor here, on controller here, and on joint controllers here. Please note that the proposed Guidelines are subject to change in response to feedback received but are unlikely to be amended significantly in their final form. Continue Reading

Watch Out for These Very Important Documents on “Transfers” and “Processing” of Personal Data

"Hot" ButtonSeveral important documents relating to the rules governing the transfer of EU personal data were published during the second week of November 2020 by the European Data Protection Board (EDPB) and the EU Commission. In addition, the EU Commission has also published new standard contractual clauses for use when transferring personal data between a controller and a processor within the EEA and to countries outside the EEA.

Transfers of Personal Data to Third Countries

In the aftermath of the landmark decision by the Court of Justice of the European Union (CJEU) on international data transfers – the so-called Schrems II judgment (see our post on this topic) – organizations have been awaiting additional guidance from EU authorities on measures that must be implemented to transfer personal data to third countries without being in breach of  the Regulation (EU) 2016/679, i.e. the General European Data Protection Regulation (GDPR).

The following documents have been published in relation to implementation of Schrems II. Continue Reading

The Biden Presidency: What’s in Store for Data Privacy and Data Privacy Litigation

The United States is in the process of completing its 59th presidential election and electing its 46th president.  A change in administrations is inevitably accompanied by a change in executive priorities.  Assuming that Vice President Biden is sworn in as President on January 20, 2021, the area of data privacy will likely be of particular focus under the Biden Administration, with consequences for data privacy litigation.  Lydia de La Torre, Glenn Brown, Kristin Bryan and Aaron Garavaglia offer their insights regarding the anticipated impact a Biden presidency may have in this area.

Broadly speaking, it is anticipated that a Biden Administration will likely focus on the passage of federal data privacy legislation, renegotiate conditions for EU data transfers to the US, reintroduce a cybersecurity coordinator to the White House, and increase FTC enforcement activity.  Of course, several of these issues are contingent upon which party will come to control the Senate, a question that will not be answered until the two runoff elections in Georgia are completed in early January 2021.  Their analysis is available  on our sister blog, Consumer Privacy World.

The Brexit Transition Period: Are You Ready?

Brexit and EU keys on KeyboardWith the end of the Brexit transition period fast approaching, we have examined the potential impact on data privacy compliance in the UK and the EU/EEA and prepared a guide which provides practical advice on how to prepare to ensure that your organization is in the best position possible to deal with the outcome of the current UK/EU negotiations on 31 December 2020.

Organisations are advised to identify personal data flows between the EEA and the UK and to devise a plan to ensure that these data transfers will be able to lawfully continue from 1 January 2021, in the event that the UK does not obtain an adequacy decision from the European Commission (and no alternative agreement is reached) in advance of that date. Priority should be given to business-critical data flows and transfers of large volumes of personal data, special category data or criminal data. Continue Reading

LexBlog