The General Data Protection Regulation (GDPR) does not just impact companies located in the European Economic Area (EEA). It has a “long-arm” provision which may subject foreign companies to its jurisdiction. There is a fair amount of uncertainty regarding how this provision may be applied. The European Data Protection Board (EDPB) has recently issued updated guidelines that shed some light on how national Supervisory Authorities are expected to interpret the extra-territorial reach of the GDPR (guidelines). This article focuses on one aspect of the guidelines that may negatively affect vendors located outside the EEA.
On March 11, 2020, the California Attorney General issued further revisions to the proposed regulations implementing the California Consumer Privacy Act (CCPA).
For context, in passing the CCPA, the legislature directed the California Attorney General to solicit broad public participation and adopt regulations to further the purposes of the CCPA. On October 11, 2019, the California Attorney General issued the first draft of the proposed regulations, imposing obligations on businesses that arguably exceeded the statutory requirements of the CCPA, which were noticed for a 45-day public comment period. On February 10, 2020, after the CCPA had gone into effect and after receiving nearly 1,700 pages of written comments and additional oral comments, the California Attorney General issued a second draft of the proposed regulations, scaling back some of these obligations and adding some helpful clarification. During the subsequent 15-day written public comment period on these proposed changes, approximately 100 written comments spanning 782 pages were submitted.
On February 7, 2020, the European Data Protection Board (EDPB) published draft guidelines on the processing of personal data in the context of connected vehicles and mobility related applications. If adopted in their current form, the draft guidelines will have far-reaching consequences for connected vehicles and mobility applications that operate in Europe. They contain detailed interpretations of the General Data Protection Regulation (GDPR) and related laws. Notably, the draft guidelines apply the EU cookie rules to connected vehicles, requiring granular consent to collect both personal and non-personal data from connected vehicles.
On December 10, 2019, the Danish Supervisory Authority (SA) published its final version of Standard Contractual Clauses (SCCs) that data controllers and processors may use to satisfy the General Data Protection Regulation (GDPR) obligation to enter into a data processing agreement.
The Danish SCCs have been reviewed and approved by the European Data Protection Board (EDPB). Accordingly, they constitute an official template containing the contractual provisions that the Danish SA and the EDPB consider important. Because the Danish SCCs have been examined by all EU Supervisory Authorities and approved by the EDPB, they may become the model for data processing agreements across the EU.
Updates to Compliance Likely Required
On February 10, 2020, the California Attorney General issued the proposed text of modified regulations implementing the California Consumer Privacy Act (CCPA). This draft is a correction of a version that the California Attorney General issued on February 7, 2020. While the California Attorney General previously indicated that major changes to the proposed CCPA regulations were not anticipated, these modifications are likely to have a significant impact on CCPA compliance efforts, particularly regarding privacy notices, agreements between businesses and service providers, and policies on handling consumer requests.
On December 19, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued his opinion in Schrems II (the opinion). Wilson Sonsini previously covered the key points of the opinion in our Alert of December 20 and now provides a more detailed analysis in this contribution.
At stake in this case is the validity of two key EU data transfer mechanisms, the Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield. The SCCs allow companies to transfer personal data to any country outside of the European Economic Area. The Privacy Shield enables transfers specifically from the EU to the U.S.