In a security advisory this past weekend, SolarWinds disclosed that its systems experienced a highly sophisticated supply chain attack on versions of its Orion network monitoring products released between March and June 2020. The New York Times has reported that it is highly likely that the Russian intelligence unit known as Cozy Bear, or A.P.T. 29, carried out the attack, which involved inserting malicious code into automatic product updates to allow the attackers to gain a foothold in networks, impersonate highly privileged accounts, and blend their reconnaissance traffic with legitimate activity. The U.S. government has not commented on attribution at this time.
On November 12, 2020, the European Commission (EC) issued a draft version of a new set of Standard Contractual Clauses (New SCCs). The long-awaited New SCCs include several modules that companies can use depending on the transfer scenarios, such as controller-to-controller, controller-to-processor, and processor-to-processor data exports. The New SCCs have also been updated to reflect the high standard for data protection set forth in the General Data Protection Regulation (GDPR) and to take into account the requirements resulting from the Schrems II ruling.
On November 11, 2020, the European Data Protection Board (EDPB), made up of the European data protection regulators (DPAs), issued two long-awaited sets of recommendations. These recommendations are critical for any companies exporting or importing EU personal data.
In a long-anticipated ruling, the Court of Justice of the European Union (CJEU) confirmed on October 6, 2020 (joined cases C-623/17 and C-511/18 et seq., “Ruling”) that general and indiscriminate transmission or retention of traffic and location data for law enforcement and national security purposes breaches EU law.
On October 13, 2020, France’s high administrative court (Conseil d’État, “the Court”) rejected a request to suspend France’s centralized health data platform—the Health Data Hub—currently hosted by Microsoft in its data center in the Netherlands.
In essence, the Court rejected the French DPA’s (CNIL) argument that in light of the important public interest of maintaining a COVID-19 related health database, the risks of access by U.S. authorities, although real, do not justify the suspension of the platform. The judgment provides useful insights in light of the recent Schrems II ruling for organizations transferring health data outside of the EU (for more information on the Schrems II ruling, see our blog post “ECJ Invalidates EU-U.S. Privacy Shield and Upholds the Standard Contractual Clauses”).