CCPA Business-to-Business and Personnel Carve-Out Extension Clears California Legislature

Following a winding path through the California Legislature, AB-1281 passed the California Senate on Friday, August 28th, and the Assembly on Sunday, August 30th, and will now go to Governor Newsom for his signature. Governor Newsom is not expected to veto the bill. AB-1281 amends the California Consumer Privacy Act (CCPA), extending the business-to-business and personnel/applicant carve-outs through January 1, 2022.

New Amendments Passed to Japan’s Data Privacy Law

In the midst of revising the Japan Civil Code and the foreign attorney laws, Japan has recently passed amendments to its data privacy law, the Act on the Protection of Personal Information (“APPI”).  Some of these changes bring Japan’s law closer to the EU’s General Data Protection Regulation (“GDPR”); the EU and Japan have each recognized the adequacy of the other’s data protection regime.  As a result, transfers of personal information from Japan to all third countries will be subject to stricter controls when the amendments become fully enforceable, which is expected to occur in 2022.

Final CCPA Regulations Are Now in Effect – With a Few Changes

The California Attorney General (“AG”) announced on Friday, August 14th, that the Office of Administrative Law (“OAL”) approved the final California Consumer Privacy Act (“CCPA”) regulations. The AG submitted the regulations to OAL for approval on June 1, 2020.  The final version includes several substantive changes, in which the AG “withdrew” provisions, as well as procedural and grammatical changes.  Although the AG did not explain the reasons for withdrawing several provisions in the Addendum to the Final Statement of Reasons, the AG stated he may resubmit these provisions following “further review and possible revision.”  The final regulations have immediate effect and are now enforceable by the AG.

NIST Releases Zero Trust Architecture

The U.S. National Institute of Standards and Technology (“NIST”) recently published its “Zero Trust Architecture” (Special Publication 800-207), which outlines a road map for cybersecurity measures across an organization.  NIST explained that the security concept was created with the purpose of “mov[ing] defenses from static, network-based perimeters to focus on users, assets, and resources.”  “Zero trust” is a term for a security model based on the principle that no implicit trust is granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or on asset ownership (enterprise or personally owned).  It is a response to enterprise network trends that include increasing numbers of remote users, bring-your-own-device policies, and cloud-based assets that are not located within an enterprise-owned network perimeter.  Zero trust focuses on protecting resources, not network segments, because network location is no longer considered the prime component of a resource’s security posture: every access request is evaluated on its own merits, using the identity of the requester, the state of the requesting device and the policy attached to the resource.

The NIST 800-207 draft is a detailed document that includes a wealth of information for would-be practitioners of Zero Trust.  Given the rapid evolution of what counts as “reasonable security procedures and practices,” cybersecurity professionals should give the Zero Trust Architecture serious consideration.
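To make the difference between the two models concrete, the following is an added example written for this page; it is not code from NIST SP 800-207 or from the blog post. It contrasts a legacy perimeter rule (trust anything with a source address inside the corporate network) with a zero trust policy decision that ignores the source address and evaluates identity, device posture and resource policy on every request. The trusted network ranges, the user and device names, the `payroll-db` resource and both access requests are constructed for illustration; real deployments would obtain these signals from an identity provider, a device-management or attestation service and a policy store.

```python
"""
Added example (not from NIST SP 800-207 or the blog post): a toy policy
decision point contrasting a perimeter rule with a zero trust rule.
All networks, users, devices, resources and requests are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set

# Perimeter model: anything inside the corporate address space is implicitly trusted.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Subject:
    user: str
    roles: Set[str]
    mfa_verified: bool          # strong authentication was completed for this session


@dataclass
class Device:
    device_id: str
    managed: bool               # enrolled in enterprise device management
    compliant: bool             # passed the latest posture check (patch level, disk encryption, ...)


@dataclass
class Resource:
    name: str
    required_role: str
    requires_managed_device: bool


@dataclass
class AccessRequest:
    subject: Subject
    device: Device
    resource: Resource
    src_ip: str                 # kept for audit logging; never a trust signal under zero trust


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def perimeter_decision(req: AccessRequest) -> Decision:
    """Legacy network-location model: trust is granted by where the request comes from."""
    ip = ip_address(req.src_ip)
    if any(ip in net for net in TRUSTED_NETWORKS):
        return Decision(True, ["source address inside trusted network"])
    return Decision(False, ["source address outside trusted network"])


def zero_trust_decision(req: AccessRequest) -> Decision:
    """Per-request evaluation of identity, device posture and resource policy.

    The source address does not contribute to the decision; only explicitly
    verified signals do, and every failed check is reported so the denial is auditable.
    """
    reasons: List[str] = []
    if not req.subject.mfa_verified:
        reasons.append("subject session lacks MFA")
    if req.resource.required_role not in req.subject.roles:
        reasons.append(f"subject lacks role '{req.resource.required_role}'")
    if req.resource.requires_managed_device and not req.device.managed:
        reasons.append("resource requires a managed device")
    if not req.device.compliant:
        reasons.append("device failed posture check")
    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["identity, device posture and authorization all verified"])


# Constructed request 1: on the LAN, password-only session, unmanaged and
# non-compliant device, asking for a sensitive resource.
LAN_REQUEST = AccessRequest(
    subject=Subject("alice", {"finance"}, mfa_verified=False),
    device=Device("byod-laptop", managed=False, compliant=False),
    resource=Resource("payroll-db", "finance", requires_managed_device=True),
    src_ip="10.1.2.3",
)

# Constructed request 2: from the internet, MFA-verified session, managed and
# compliant device, same resource.
REMOTE_REQUEST = AccessRequest(
    subject=Subject("bob", {"finance"}, mfa_verified=True),
    device=Device("corp-laptop-42", managed=True, compliant=True),
    resource=Resource("payroll-db", "finance", requires_managed_device=True),
    src_ip="203.0.113.7",
)

if __name__ == "__main__":
    for label, req in (("LAN", LAN_REQUEST), ("remote", REMOTE_REQUEST)):
        p = perimeter_decision(req)
        z = zero_trust_decision(req)
        print(f"{label}: perimeter  -> {'allow' if p.allowed else 'deny'} ({'; '.join(p.reasons)})")
        print(f"{label}: zero trust -> {'allow' if z.allowed else 'deny'} ({'; '.join(z.reasons)})")
```

Run as a script, the perimeter rule allows the on-LAN request and denies the remote one, while the zero trust rule does the opposite: the LAN request is denied for three independent reasons (no MFA, unmanaged device, failed posture check) and the remote request is allowed because every signal the policy actually cares about checks out. That inversion is the practical content of NIST’s point that network location is no longer the prime component of a resource’s security posture.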

Key Takeaways from the FTC’s PrivacyCon

What could possibly have more geeks than Comic-Con?

Ok, probably nothing, but on July 21, 2020 the FTC hosted its fifth annual PrivacyCon event, and for the first time it was held entirely online. The event is designed to present research on a range of important privacy topics. The FTC curates the content from submitted materials and moderates each session. This year’s topics were (1) health apps, (2) artificial intelligence, (3) Internet of Things devices, (4) privacy and security of specific technologies such as digital cameras and virtual assistants, (5) international privacy, and (6) miscellaneous privacy and security issues.

NYDFS Files Formal Charges Against Insurance Company for Violations of New York’s Cybersecurity Regulation

As predicted in our February 4, 2020 blog post, the New York Department of Financial Services (“DFS”) has filed its first formal charges for violation of the state’s cybersecurity regulation. The charges were filed against an insurance company for allegedly violating several provisions of Part 500 of Title 23 of the New York Codes, Rules and Regulations. The DFS alleged five distinct violations, including failure to identify and remediate certain risks, thereby enabling the potential exposure of millions of mortgage-related documents containing sensitive non-public personal information.

Webinar – EU Data Transfers Post-Schrems II: What are the Viable Options Going Forward?

Webinar – July 30, 2020 (8:30a PDT, 11:30a EDT, 4:30p BST, 5:30p CEST)

Register Here

The European Union’s highest court has ruled that the EU-US Privacy Shield data transfer mechanism is invalid. The court also ruled that another much-used transfer mechanism – the EU Standard Contractual Clauses (also known as Model Clauses) – is valid in principle but not always in practice, depending on the circumstances of the data transfers in question. Businesses relying on (or switching to) the SCCs will need to carefully consider whether they are able to commit to all of the boilerplate clauses included in the Model Clauses.

Join us on July 30, 2020 for a Roundtable Discussion including our top EU and US data protection experts: Rosa Barcelo (Brussels), Ann LaFrance (US), Mareike Lucht (Germany), Catherine Muyl (France) and Francesca Fellowes (UK) who will discuss the Schrems II judgment and its implications, including:

  • What the judgment says and does not say
  • What alternatives are available
  • Challenges ahead for use of the SCCs and potentially BCRs
  • Practical steps to take now

The session will be moderated by our DC-based privacy pundit, Lauren Kitces.

This program is pending 1.0 hour of CLE in AZ, CA, NJ and NY.


CJEU Invalidates the EU-US Privacy Shield Framework but Leaves the Standard Contractual Clauses Intact, Subject to Major Caveats

On 16 July 2020, the Court of Justice of the EU (“CJEU” or the “Court”) delivered another landmark decision on international data transfers, the so-called Schrems II judgment.  In its decision, the CJEU invalidated the EU Commission’s adequacy decision on the EU-US Privacy Shield Framework (“Privacy Shield”), on which thousands of US companies have been relying to lawfully transfer personal data from the EU to the US.  In the same decision, the CJEU confirmed the validity of the Standard Contractual Clauses (“SCCs” or “Clauses”) in principle, but made clear that their legality must be considered on a case-by-case basis in light of the circumstances of the particular transfer.

US companies currently relying on Privacy Shield will need to move quickly to evaluate their ability to make use of alternative data transfer mechanisms such as the SCCs, Binding Corporate Rules (“BCRs”) or, where applicable, one of the specific transfer-related derogations provided for in the EU General Data Protection Regulation (“GDPR”).

ICO and Australian Information Commissioner Team-up to Investigate Clearview AI, Inc. Facial Recognition Tool and Data Scraping

Last week (9th July), the ICO announced that it would join forces with the Office of the Australian Information Commissioner (OAIC) to investigate the use of personal information, including biometric data, by Clearview AI, Inc. (Clearview). Limited information is available so far, but given the focus of the investigation, this is an important step in determining data protection rights and obligations where information is ‘scraped’ from ‘publicly available’ sources for the purposes of tackling crime.

The UK Government and the Information Commissioner Provide Guidance on the Collection of Contact-Tracing Information by Hospitality & Leisure Businesses

As businesses in the hospitality and leisure industries are permitted to re-open in England, the Government is asking them to keep a temporary record of their customers and visitors in order to support NHS Test and Trace.  This information will be requested by NHS Test and Trace in the event that someone who has tested positive for COVID-19 lists the business’s premises as a place they visited recently, or because the premises have been identified as the location of a potential outbreak. The UK Government views this as a key part of its ongoing response to the virus as the lockdown is lifted.