GDPR

Brazil Transitions from Sectoral to Omnibus Privacy Regime

Written by

On August 14, Brazil adopted its new General Data Protection Law (LGPD) designed to replace and/or supplement its existing sectoral privacy framework.  Brazil’s LGPD echoes many of the components of the GDPR and will likely serve as part of Brazil’s own push for a reciprocal adequacy finding from the European Commission similar to the one Japan received this past July.  In addition to the LGPD, President Temer has stated that the government will establish a Brazilian national data protection authority (DPA) with a separate bill. Scope Like the GDPR, Brazil’s LGPD includes an expanded […] Read more

Japan and EU agree on Terms of Reciprocal Adequacy for Data Transfers

Written by

On July 17, the European Commission (the “Commission”) announced that the European Union and Japan successfully concluded talks on reciprocal adequacy and agreed to recognize each other's data protection systems as equivalent.  In its press release, the Commission explains that this adequacy agreement will create “the world's largest area of safe transfers of data based on a high level of protection for personal data.” The General Data Protection Regulation (“GDPR”) came into effect as of May 25 of this year.  Under the GDPR, “adequacy” is the simplest way for companies to [...] Read more

European Parliament Calls to Suspend Privacy Shield

Written by

On the heels of the Committee on Civil Liberties, Justice and Home Affairs’ (LIBE) recent resolution, the full European Parliament on July 5 adopted a resolution calling for the suspension of the EU-U.S. Privacy Shield agreement if the U.S. fails to comply in full by September 1, 2018.  With a vote of 303 in favor and 223 opposed with 29 abstentions, the Parliament passed the resolution and stated concerns about the enforcement of the Privacy Shield framework and about U.S. surveillance and privacy law generally.  Regarding the resolution, LIBE Chair and rapporteur Claude Moraes said “[t]his [...] Read more

German DPA Announces GDPR Compliance Survey of Large Companies – Translation Provided

Written by

Following a two-year grace period, EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018.  For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization.  On this blog, we have outlined the items we have seen as particularly time- or resource-intensive. On June 29, 2018, the Data Protection Authority (DPA) of the German state of Lower Saxony (Niedersachsen) announced it would be surveying GDPR compliance among companies under its jurisdiction.  Germany has 16 state-run DPAs with general [...] Read more

GDPR Fragmentation May Appear More Significant than Intended

Written by

With the entry into application of the GDPR on May 25, 2018, the EU Member States were expected to have adopted national legislation implementing the regulation. To date, however, only 30% of Member States have effectively passed legislation, which still leaves the legal landscape to be precarious. The GDPR allows for deviations and specifications in several areas, for instance to introduce specific conditions or limitations for the processing of biometric, genetic, or health data; to create specific protection regimes for employee data; or to restrict the rights the GDPR grants to individuals. [...] Read more

Privacy Activist Challenges Data Collection for Internet Businesses

Written by

Austrian privacy activist Max Schrems’ organization, NOYB – Center for Digital Rights, filed complaints against Google (Android), Instagram, WhatsApp and Facebook on May 25th, the same day on which the EU General Data Protection Regulation (GDPR) became effective. NOYB filed the complaints based on the GDPR with supervisory authorities in France, Belgium, Germany and Austria.  These “Day 1” complaints could have a definite impact on ad-supported online businesses. The complaints reflect similar criticisms of each company. Assuming that each company processes personal data on the basis [...] Read more

EU Supervisory Authorities Disclose DPO Notification Tools

Written by

Shortly after the GDPR’s entry into application on May 25, 2018, several EU Supervisory Authorities have activated online Data Protection Officer (“DPO”) notification tools, allowing organizations to communicate the contact details of their DPO to the Supervisory Authorities, which is a requirement under Article 37 GDPR. While the DPO Guidelines of the Article 29 Working Party (“WP29”; replaced by the European Data Protection Board, “EDPB”) do not emphasize the requirement to notify DPOs, Supervisory Authorities (“SAs”) view these notifications as important, and have made available [...] Read more

European Parliament’s Civil Liberties Committee Targets EU-U.S. Privacy Shield, Cloud Act

Written by

On June 12, 2018, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) passed a resolution calling on the European Commission to suspend the EU-U.S. Privacy Shield unless the U.S. fully complies with the framework’s requirements by September 1, 2018.  With a vote of 29 votes in favor, 25 opposed, and 3 abstentions the LIBE passed the draft resolution calling on the European Commission to (1) ensure that the Privacy Shield fully complies with the GDPR and the EU charter so as to not create loopholes or competitive advantage for US companies; and (2) restart [...] Read more

German DPAs Issue DPIA Blacklists; Many Companies Likely to be Affected

Written by

The GDPR entered into force on May 25, 2018.  One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy.  DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make.  Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high [...] Read more

On GDPR Day, Austrian DPA issues First Binding DPIA Whitelist

Written by

The GDPR entered into force on May 25, 2018.  One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy.  DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make.  Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high [...] Read more