Data Protection

South Carolina Enacts Insurance Data Security Act

Written by

South Carolina recently enacted a prescriptive data security law for insurers. The law bears resemblance to the New York Department of Financial Services (NYDFS) cybersecurity rules that entered into force last year. In short, the South Carolina law requires licensees (defined below) to develop and implement a comprehensive written information security program (a “WISP”) and to notify the South Carolina Department of Insurance of certain cybersecurity events. Effective on January 1, 2019, the law includes extended deadlines for compliance with the requirement to implement a WISP (July 1, 2019) […] Read more

Japan and EU agree on Terms of Reciprocal Adequacy for Data Transfers

Written by

On July 17, the European Commission (the “Commission”) announced that the European Union and Japan successfully concluded talks on reciprocal adequacy and agreed to recognize each other's data protection systems as equivalent.  In its press release, the Commission explains that this adequacy agreement will create “the world's largest area of safe transfers of data based on a high level of protection for personal data.” The General Data Protection Regulation (“GDPR”) came into effect as of May 25 of this year.  Under the GDPR, “adequacy” is the simplest way for companies to [...] Read more

Landmark New Privacy Law in California to Challenge Businesses Nationwide

Written by

Following our June 4 and July 2, 2018 blog posts tracking California's November 2018 ballot measure turned hastily enacted new California privacy law titled The California Consumer Privacy Act of 2018 (CCPA), Alston & Bird's Privacy & Data Security Group released a more detailed "first look" review of California’s sweeping new law.  The advisory provides an overview of the new law, which establishes an array of privacy rights for state residents and worries for businesses nationwide, and concludes with key initial takeaways for business. Read the advisory here. [...] Read more

German DPA Announces GDPR Compliance Survey of Large Companies – Translation Provided

Written by

Following a two-year grace period, EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018.  For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization.  On this blog, we have outlined the items we have seen as particularly time- or resource-intensive. On June 29, 2018, the Data Protection Authority (DPA) of the German state of Lower Saxony (Niedersachsen) announced it would be surveying GDPR compliance among companies under its jurisdiction.  Germany has 16 state-run DPAs with general [...] Read more

GDPR Fragmentation May Appear More Significant than Intended

Written by

With the entry into application of the GDPR on May 25, 2018, the EU Member States were expected to have adopted national legislation implementing the regulation. To date, however, only 30% of Member States have effectively passed legislation, which still leaves the legal landscape to be precarious. The GDPR allows for deviations and specifications in several areas, for instance to introduce specific conditions or limitations for the processing of biometric, genetic, or health data; to create specific protection regimes for employee data; or to restrict the rights the GDPR grants to individuals. [...] Read more

Oregon and Arizona Amend Breach Notification Laws

Written by

Amended breach notification laws recently took effect in Oregon or will soon take effect in Arizona. In both cases, the amended laws heighten existing requirements and reflect broader trends in the breach notification landscape at the state level, including by expanding the scope of “personal information” that triggers notification and requiring notification within a specified timeframe. In Oregon’s case, the amendments supplement already-existing data security requirements for companies the handle the personal data of Oregon residents. Oregon Broadened Definition of Personal Information Like [...] Read more

Chicago City Council Considers Data Collection and Protection Legislation

Written by

Unique and detailed data protection legislation is currently under consideration by the Chicago City Council. If passed in its current form, the Data Collection and Protection Ordinance (the “Ordinance”) would impose consent, notification, and registration obligations on regulated companies, as well as require a prescribed notice to users of location services on mobile devices and express consent for use of geolocation data by mobile applications. Consent requirements The consent provisions would apply to “operators,” defined to include any entity that (1) “owns a website on the [...] Read more

EU Supervisory Authorities Disclose DPO Notification Tools

Written by

Shortly after the GDPR’s entry into application on May 25, 2018, several EU Supervisory Authorities have activated online Data Protection Officer (“DPO”) notification tools, allowing organizations to communicate the contact details of their DPO to the Supervisory Authorities, which is a requirement under Article 37 GDPR. While the DPO Guidelines of the Article 29 Working Party (“WP29”; replaced by the European Data Protection Board, “EDPB”) do not emphasize the requirement to notify DPOs, Supervisory Authorities (“SAs”) view these notifications as important, and have made available [...] Read more

Colorado Enacts Expanded Data Breach Notification Law

Written by

Consistent with recent expansions to state data breach notification laws, Colorado recently enacted an expanded data privacy law that strengthens the state’s existing breach notification law and that requires policies and procedures concerning the protection and destruction of personal identifying information (“PII”).  The law applies to any individual or commercial entity that maintains, owns, or licenses “personal information” or PII, as applicable, in the course of its business, vocation, or occupation, and also contains largely identical provisions that apply to state and local governments.  [...] Read more

German DPAs Issue DPIA Blacklists; Many Companies Likely to be Affected

Written by

The GDPR entered into force on May 25, 2018.  One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy.  DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make.  Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high [...] Read more