CCPA: Data Brokers Must Register Now

When A.B. 1202 was signed into law last fall, it was expected that the data broker registration requirement would not go into effect until 2021. However, the California Attorney General’s Office has taken the position that organizations that qualify as data brokers must register on or before January 31, 2020.

Our Client Alert on this topic delves into this requirement as well as the definition of a data broker, definitions of what constitutes “Sale” of personal information, what is a “Direct Relationship” as well as other important and relevant information.

Heightened Risk of Cyberattacks – What You Should Do Now

In recent days, all eyes have been on the escalating tension between Iran and the US.  While we wait and watch politics unfold, the Department of Homeland Security (DHS), New York’s Department of Financial Services and the Cybersecurity and Infrastructure Security Agency (CISA) have all issued notices concerning the heightened risk of an Iranian cyberattack.

Given these warnings, it is important for organizations to take the appropriate steps necessary to protect themselves against cyberattacks.   Our client alert, Why the Threat of an Iranian Cyberattack Should Matter to Your Organization discusses the steps you can take now and in the future to ensure that your organization is adequately prepared.

Russia Increases Fines for Violation of its Data Localization Law

Russia’s Federal Law No. 242-FZ, On the Introduction of Amendments to Certain Legislative Acts of the Russian Federation with regard to the Clarification of the Procedure for the Processing of Personal Data in Data Telecommunications Networks, took effect on September 1, 2015 and requires that Russian citizens’ personal data gathered by operators, be stored by servers/data centers located in the Russian Federation (the “Localization Requirement”).  The fine for violation of the Localization Requirements was relatively small (approximately US$160).

On December 2, 2019, President Vladimir Putin signed Federal Law No. 405-FZ, On the Introduction of Amendments to the Administrative Offenses Code of the Russian Federation.  As of December 13, 2019, the Code has introduced new constituent element of an administrative offense – breach of localization requirements. Continue Reading

CCPA Coming Soon… Is Your Organization Ready?

In just a few short weeks (January 1, 2020), the California Consumer Privacy Act (CCPA) will impose burdensome GDPR-like transparency and individual rights requirements on almost every company that handles “personal information” regarding California residents, including employees.  Is your organization ready?

We have prepared a number of client alerts and blog posts to help you determine if your organization is subject to the CCPA and, if so, the steps necessary to comply. Continue Reading

Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 2)

Article 3(2) of the GDPR and the second criterion: Targeting criterion


Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)).  Our first post in this series examined the “Establishment” criterion. In this post, we will move into the second criterion, “Targeting”.

Two Types of Targeting Activities Relating to Data Subjects in the EU

Under this criterion, the GDPR applies to two distinct and alternative types of activities, provided that these processing activities relate to data subjects that are in the Union.

Article 3(2) (a) Offering Goods or Services to Data Subjects in the EU, Irrespective of Whether a Payment of the Data Subject is Required

There are two important issues in this respect:

  • Article 3 (2) (as) specifies that the targeting criterion concerning the offering of goods or services applies irrespective of whether payment is made in exchange for the goods or services provided.
  • It has to be determined on a case-by-case basis whether the offer of goods or services is directed at persons in the Union.

Continue Reading

Territorial Scope of the GDPR Following EDPB’s Final Guidelines (Part 1)

The General Data Protection Regulation (EU) 2016/679, or GDPR, has a much wider territorial scope than organisations may expect. Some organisations that are not established in the EU may have to comply with the GDPR. Even for groups established in the EU, their operations outside of the EU may, in certain circumstances, fall under the scope of the GDPR.

The European Data Protection Board (EDPB) has finally published its long-awaited final version of the guidelines 3/2018 on the territorial scope of the GDPR (article 3). Such a standard interpretation is essential for controllers and processors, both within and outside the EU, so that they may assess whether they need to comply with the GDPR for a given processing activity. It is, therefore, essential that controllers and processors, especially those offering goods and services at an international level, undertake a careful, concrete assessment of their processing activities in order to determine whether the related processing of personal data falls under the scope of the GDPR.

Article 3 of the GDPR defines the territorial scope of the regulation using two main criteria with respect to businesses: “Establishment” (Article 3(1)) and “Targeting” (Article 3(2)). We are presenting each of these criteria through two posts. Part 1 is detailed below, Part 2 will be detailed in a separate post shortly hereafter.

Continue Reading

ICO Consults on Draft Subject Access Request Guidance

Padlock and EU flag

The ICO has published draft guidance (the “guidance”) on data subject access requests (“DSARs”), which updates the previous code of practice, last issued in 2017. This guidance takes into account the relevant provisions of the GDPR and UK Data Protection Act 2018 (“DPA”). The ICO will be consulting on this draft guidance until 12 February 2020.

Importantly, the ICO recognises some of the issues that businesses are facing in relation to DSARs, in that the guidance:

  • Explains when a request may be considered complex. The guidance states that a large volume of data may add (emphasis is ours) to the complexity of a request, but notes that the volume of data alone is not a reason by itself to consider a DSAR complex;
  • Provides greater clarity on what a business can take into consideration when it is considering the monetary value of a fee. For example, photocopying and printing are generally valid administration costs, but a business cannot charge for the time taken to deal with the request;
  • Includes a section on what businesses should do when a request involves information about another identifiable individual. It provides further guidance on the DPA exception relating to third-party data; and
  • Contains some practical guidance about the DPA exceptions, such as negotiations and management information.

Whilst this is a valuable update from the ICO, which might provide some helpful additional information, it should be noted that it is only a draft for consultation. The ICO is seeking views from stakeholders and the public about the proposed guidance. In particular, it wishes to understand what specific issues businesses have faced in responding to DSARs since the GDPR was implemented in May 2018. If you are interested in responding, please use this link.


ABA Hosts CCPA Webinar

On December 4, 2019, Squire Patton Boggs partner, Elliot Golding and colleagues Joanne Charles (Microsoft) and Courtney Manzel (Volkswagen Group of America) will present a webinar – The Final California Consumer Privacy Act: What Are Your Obligations?  The webinar will address:

  • Scope and applicability (e.g., what companies, data and processes will be impacted);
  • Key requirements (e.g., privacy statement, individual rights [know, deletion, sale opt out, nondiscrimination], etc.);
  • Suggested steps to build a CCPA compliance program efficiently and effectively;
  • Practical tips to manage risk and leverage existing compliance processes (including GDPR) where possible.

ICO Wants to Hear Your Views on the Design of its New Accountability Toolkit

In an October 28, 2019 blog post, Director for Regulatory Assurance, Ian Hulme, announced that the UK Information Commissioner’s Office (“ICO”) is developing a new ‘accountability toolkit’ which it plans to launch next year. The aim of the toolkit will be to support organisations in demonstrating their compliance with the ‘accountability principle’ under the GDPR[1]. It will enable organisations to understand the ICO’s expectations and to take responsibility for designing their own accountability programs. The ICO wants the toolkit to be ‘user-led’ and, as a result, it believes that gathering the views of organisations is essential.

The ICO seeks the views of a wide range of organisations in different sectors on matters such as their current practices relating to accountability and how the ICO could support them in the development of their own accountability programs.

Any thoughts on the development of the accountability toolkit can be provided on the ICO’s dedicated consultation page or provided by email to The consultation closes at 17:00 on 9 December 2019.

Mr. Hulme made it clear that compliance with the accountability obligation is about “putting data protection at the heart” of all personal data processing. It includes being “crystal clear” about data protection responsibilities throughout the organisation, data protection being a “boardroom issue” and not just the responsibility of the Data Protection Officer, managing risk pro-actively and being transparent to people about the processing of their personal data. He recognised that many organisations are working hard to get this right and stated that the ICO is keen to support those efforts, in light of the substantial work and culture change that can be required.

The consultation page lists a number of measures which the ICO says could enable organisations to demonstrate their compliance with the accountability principle, including implementing data protection policies, taking a data protection by design and default approach, reporting data breaches where required and carrying out data protection impact assessments.

Please contact our Data Privacy & Cybersecurity team members for assistance with GDPR compliance, including putting in place measures to fulfil your organisation’s accountability obligation.

[1] This is a specific obligation under Article 5(2) of the GDPR (EU General Data Protection Regulation 2016/679)