privacy

Subscribe to privacy via RSS

The General Data Protection Regulation (GDPR) does not just impact companies located in the European Economic Area (EEA). It has a “long-arm” provision which may subject foreign companies to its jurisdiction. There is a fair amount of uncertainty regarding how this provision may be applied. The European Data Protection Board (EDPB) has recently issued updated guidelines that shed some light on how national Supervisory Authorities are expected to interpret the extra-territorial reach of the GDPR (guidelines).[1] This article focuses on one aspect of the guidelines that may negatively affect vendors located outside the EEA.
Continue Reading Non-EEA Based Vendors Caught by GDPR’s Long-Arm Provisions

On March 11, 2020, the California Attorney General issued further revisions to the proposed regulations implementing the California Consumer Privacy Act (CCPA).

For context, in passing the CCPA, the legislature directed the California Attorney General to solicit broad public participation and adopt regulations to further the purposes of the CCPA. On October 11, 2019, the California Attorney General issued the first draft of the proposed regulations, imposing obligations on businesses that arguably exceeded the statutory requirements of the CCPA, which were noticed for a 45-day public comment period. On February 10, 2020, after the CCPA had gone into effect and after receiving nearly 1,700 pages of written comments and additional oral comments, the California Attorney General issued a second draft of the proposed regulations, scaling back some of these obligations and adding some helpful clarification. During the subsequent 15-day written public comment period on these proposed changes, approximately 100 written comments spanning 782 pages were submitted.
Continue Reading Third Time’s the Charm? Newest Round of Modifications to Proposed CCPA Regulations Issued by the California Attorney General

On February 7, 2020, the European Data Protection Board (EDPB) published draft guidelines on the processing of personal data in the context of connected vehicles and mobility related applications. If adopted in their current form, the draft guidelines will have far-reaching consequences for connected vehicles and mobility applications that operate in Europe. They contain detailed interpretations of the General Data Protection Regulation (GDPR) and related laws. Notably, the draft guidelines apply the EU cookie rules to connected vehicles, requiring granular consent to collect both personal and non-personal data from connected vehicles.
Continue Reading EU Privacy Regulators Issue Draft Guidelines on Connected Vehicles and Mobility Applications

Updates to Compliance Likely Required

On February 10, 2020, the California Attorney General issued the proposed text of modified regulations implementing the California Consumer Privacy Act (CCPA). This draft is a correction of a version that the California Attorney General issued on February 7, 2020. While the California Attorney General previously indicated that major changes to the proposed CCPA regulations were not anticipated, these modifications are likely to have a significant impact on CCPA compliance efforts, particularly regarding privacy notices, agreements between businesses and service providers, and policies on handling consumer requests.
Continue Reading CCPA Update: California Attorney General Issues Modifications to Proposed CCPA Regulations

On December 19, 2019, the Advocate General (AG) of the highest EU Court (the Court of Justice of the European Union (CJEU)) issued his opinion in Schrems II[1] (the opinion). Wilson Sonsini previously covered the key points of the opinion in our Alert of December 20 and now provides a more detailed analysis in this contribution.

At stake in this case is the validity of two key EU data transfers mechanisms, the Standard Contractual Clauses (SCCs) and the EU-U.S. Privacy Shield. The SCCs allow companies to transfer personal data to any country outside of the European Economic Area. The Privacy Shield enables transfers specifically from the EU to the U.S.
Continue Reading CJEU Advocate General Confirms Validity of EU Data Transfer Tools

On January 21, 2020, the Information Commissioner’s Office (ICO) published its final version of its Age Appropriate Design Code of Practice (the code). The code will be submitted to Parliament in the coming days, and, assuming there is no objection, will become effective approximately two months later.

This blog post follows our previous update on the ICO’s draft Age Appropriate Design Code. The current code was produced following extensive industry and consumer engagement. It adopts the maximum transition period of 12 months to allow companies to make meaningful and thoughtful changes to how they operate. 
Continue Reading Update: UK’s Age Appropriate Design Code