On April 16, 2018, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre issued a joint Technical Alert (TA), alerting the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors. The TA explains primary targets to be government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. The affected systems include: Generic Routing Encapsulation (GRE) Enabled Devices; Cisco Smart [...] Read more
On April 11, Justice Caroline Costello of the Irish High Court referred the Schrems 2.0 case to the Court of Justice of the European Union (ECJ) with 11 questions for the ECJ to answer. Per Justice Costello, the sole issue in the case is whether the European Commission’s Decisions regarding standard contractual clauses (SCCs) are valid, which is reflected in the 11 questions posed.
The reference asks the ECJ to determine:
Whether provisions of EU law related to national security, public security, defense, and state security apply to transfers of data outside the EU under SCCs;
Whether [...] Read more
On April 3, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) announced the publication of the “European Union General Data Protection Regulation (GDPR) 2016” guidance document. The PCPD explains that the publication was issued to raise awareness among organizations and businesses in Hong Kong of the possible impact of the new regulatory framework for data protection in the GDPR. The guidance document covers various provisions of the GDPR, including extra-territorial application of the GDPR and new data privacy governance requirements. It also contains a chart [...] Read more
The Council of the European Union published a new draft of the ePrivacy Regulation (link here) for discussion purposes on 22 March. This draft aims to facilitate discussions as we are moving towards the final version of the ePrivacy Regulation. As such, the changes outlined below are not final, but rather indicative of the direction that the ePrivacy Regulation is taking. Of particular interest to companies are the provisions relating to cookie settings, and direct marketing communications:
Cookie Settings
The new draft clarifies that a one-off consent for a cookie in the context [...] Read more
On Friday morning, March 23, President Trump signed the $1.3 trillion omnibus spending bill into law, including the Clarifying Lawful Overseas Use of Data (CLOUD) Act, and in doing so established a sea change in the rules for cross-border government access to the contents of electronic communications. The CLOUD Act consists of three core components: (1) resolving the main issue in the Microsoft Ireland case pending before the U.S. Supreme Court, (2) providing a process for entities to request a comity analysis for potential conflicts with non-U.S. legal obligations, and (3) removing legal barriers [...] Read more
On February 16, 2018, the Brussels Court of First Instance rendered a judgment in proceedings brought by the Belgian Privacy Commission’s against Facebook. The case forms one part of two-tiered litigation brought by the Commission in regards to alleged monitoring practices vis-à-vis Belgian internet users. In parallel to the proceedings that resulted in the judgment cited above, the Belgian Privacy Commission had also initiated a procedure referred to as “summary proceedings” against Facebook – and Facebook defeated the Privacy Commission’s claim before the Brussels Court of Appeal in [...] Read more
On March 6, Singapore announced that it has become the sixth country to participate in the Cross-Border Privacy Rules System (CBPR) as of February 20, 2018, joining the United States, Mexico, Canada, Japan and the Republic of Korea, and the second country to participate in the Privacy Recognition for Processors System (PRP) alongside the United States. The APEC CBPR system is a voluntary, enforceable mechanism that certifies a company’s compliance with the principles in the APEC CBPR and facilitates privacy-respecting transfers of data among APEC member economies.
Singapore’s Ministry [...] Read more
In just under 100 days, the EU General Data Protection Regulation (GDPR) enters into force. One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of their processing activities. Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods.
Article 30 GDPR thus creates a new kind of documentation obligation. This obligation [...] Read more
In less than 100 days, the General Data Protection Regulation (GDPR) will go into effect. This means that as of May 25, 2018, each national Supervisory Authority will have the authority to apply and enforce the GDPR.
The GDPR raises the bar in terms of requirements substantially higher than the Data Protection Framework Directive. For instance, it recognizes new rights for data subjects (e.g. right to be forgotten and right to data portability), introduces data breach notification requirements, introduces the concept of a Data Protection Officer, and brings enhanced accountability obligations.
Given [...] Read more
“To Harmonize or Not To Harmonize: That Is the Question.” With the the GDPR fast approaching on May 25, 2018, European Member States are getting ready with the implementation of national legislation. Although the GDPR is a regulation, and directly applicable in all Member States, it has left room for country-specific legislation in several different regards (such as the processing of employee data or individual rights restrictions). Most Member States still only have draft legislation at this point, but the expectation (or at least intention) is that each country will have adopted legislation [...] Read more
