Category Archives: Uncategorized

Professor Peter Swire Publishes his Expert Testimony from Schrems 2.0

Written by
Peter Swire, Elizabeth and Thomas Holder Chair at the Georgia Tech Scheller College of Business and senior counsel at Alston & Bird, has made public his expert testimony from the landmark Irish High Court Case Data Protection Commissioner v. Facebook Ireland Limited & Maximillian Schrems. Under the Irish Court’s rules, Swire was asked to provide an independent opinion on U.S. surveillance law to assist the Court in its decision. Swire’s testimony highlights U.S. systemic remedies, U.S. individual remedies, Foreign Intelligence Surveillance Court oversight, and the broader implications [...] Read more

New York Attorney General Announces Record Number of Data Breach Notices in 2016

Written by
On March 21, 2017, New York Attorney General (NYAG) Eric T. Schneiderman announced that his office had received a record breaking 1,282 data breach notices to his office affecting 1.6 million New York residents during 2016. Compared to 2015, these figures represent a 60 percent increase in the number of notices and a 300 percent increase in the number of New York residents affected. These research figures build on the NYAG’s 2014 report “Information Exposed: Historical Examination of Data Security in New York State,” which analyzed eight years of security breach statistics in New York from [...] Read more

What Will Trump’s Executive Order Do to U.S. Privacy Law and EU-U.S. Data Transfers?

Written by and
On the third day of his presidency, President Trump signed an immigration-related executive order raising significant questions about the future of U.S. privacy law and EU-U.S. data transfers.  The order, titled “Enhancing Public Safety in the Interior of the United States” (“Executive Order”), directs agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.”[1] The Executive Order has raised a number of questions, among them, [...] Read more

Spanish DPA Issues GDPR Guidelines

Written by
On January 26, 2017, the Spanish data protection authority (“AEPD”) published three guidance papers on the implementation of the general data protection regulation (“GDPR”). Although the guidance is primarily directed at small and medium-sized companies, it gives a snapshot on how the AEPD reads the GDPR and is thus relevant for all companies having operations in Spain. GDPR Guide for Controllers: the guide summarizes the requirements of the GDPR while providing practical recommendations on how to implement them. The guide also contains a questionnaire to help controllers make a [...] Read more

AG Empowers EU Privacy Suits with Redress Act Designations

Written by
Earlier this week, the U.S. Attorney General designated 26 countries and the European Union as “covered countr[ies]” under the Judicial Redress Act. The Attorney General has simultaneously designated 13 “Federal agenc[ies] or component[s]” under the Act. These designations enable citizens of the “covered countr[ies]” to sue and seek remedies in U.S. court if one of the designated “Federal agenc[ies] or component[s]” violates the Privacy Act of 1974. The Privacy Act protects against intentional or willful unlawful disclosure of covered records containing personal information and [...] Read more

WP29 Issues Guidance on the Right to Data Portability under the GDPR

Written by
Late last week, the Article 29 Working Party (“WP29”) issued detailed guidance on companies’ obligations under three key provisions of the General Data Protection Regulation ("GDPR").  This is part two of a three-part Alston & Bird series evaluating WP29's positions, and relates to the Right of Data Portability for data subjects and its obligations for data controllers.  Part 1 deals with Data Protection Officer obligations, under the GDPR, while part 3 analyzes guidance on the Lead Supervisory Authority mechanism. Article 20 of the GDPR creates a new right to data portability [...] Read more

France adopts new regime for privacy class actions

Written by
A few weeks ago, France passed the Digital Republic Act which significantly enhances French citizens’ rights to privacy by offering new avenues to exercise rights and granting new powers to the French data protection authority. A recent amendment to the Data Protection Act, adopted November 18, 2016, goes a mile farther and introduces a new type of class action for privacy-related matters. Class actions were introduced into the French Consumer Code quite recently, in 2014. Although largely inspired by the U.S.-style class action, class actions in France have a slightly different scope: [...] Read more

The French Digital Republic Act: the New Powers of the French Data Protection Authority and Enhanced Rights of Individuals

Written by
On October 7, the French Digital Republic Act (the “Act”) was adopted following a widely-publicized consultation process.  The Act amends the French Data Protection Act, and also modifies French law in various domains, including consumer protection, electronic payment services, medical research, and intellectual property. The Act constitutes a first step in the implementation of the General Data Protection Regulation (“GDPR”), which will apply in all EU Member States as from May 25, 2018.  The Act in particular establishes (i) new powers for the French data protection authority (“DPA”), [...] Read more

ECJ Declares IP Addresses are Personal Data

Written by
Today, the European Court of Justice (ECJ) issued its long-awaited decision in Breyer v. Germany.  Breyer addresses the question of whether IP addresses are “personal data” for purposes of EU data protection law.  As is widely known, personal data is any information that would permit a particular individual to be identified, whether directly or in combination with other information.  Until the present, there has been widespread agreement that static IP addresses are personal data.  In contrast, there has been little agreement on whether dynamic IP addresses constitute personal data.  While [...] Read more

German DPA Publishes First Privacy Shield Guidelines, Requires German-Law Contracts for Transfers

Written by
On June 7, 2016, the European Commission adopted the US-EU Privacy Shield.  Companies that self-certify under Privacy Shield with the US Department of Commerce – dubbed “Privacy Shield organizations” – are thus officially recognized by the EU as providing an adequate level of protection for data transferred from the EU.  As a result, Privacy Shield organizations may in principle freely receive transfers of personal data from the EU.  (For more information on Privacy Shield, visit our Privacy Shield FAQs.) One question that many organizations had following Privacy Shield’s adoption [...] Read more