On April 16, 2018, the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI), and the United Kingdom’s National Cyber Security Centre issued a joint Technical Alert (TA), alerting the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors. The TA explains primary targets to be government and private-sector organizations, critical infrastructure providers, and the Internet service providers (ISPs) supporting these sectors. The affected systems include: Generic Routing Encapsulation (GRE) Enabled Devices; Cisco Smart [...] Read more
On April 11, Justice Caroline Costello of the Irish High Court referred the Schrems 2.0 case to the Court of Justice of the European Union (ECJ) with 11 questions for the ECJ to answer. Per Justice Costello, the sole issue in the case is whether the European Commission’s Decisions regarding standard contractual clauses (SCCs) are valid, which is reflected in the 11 questions posed.
The reference asks the ECJ to determine:
Whether provisions of EU law related to national security, public security, defense, and state security apply to transfers of data outside the EU under SCCs;
Whether [...] Read more
On April 3, the Hong Kong Office of the Privacy Commissioner for Personal Data (PCPD) announced the publication of the “European Union General Data Protection Regulation (GDPR) 2016” guidance document. The PCPD explains that the publication was issued to raise awareness among organizations and businesses in Hong Kong of the possible impact of the new regulatory framework for data protection in the GDPR. The guidance document covers various provisions of the GDPR, including extra-territorial application of the GDPR and new data privacy governance requirements. It also contains a chart [...] Read more
On Friday morning, March 23, President Trump signed the $1.3 trillion omnibus spending bill into law, including the Clarifying Lawful Overseas Use of Data (CLOUD) Act, and in doing so established a sea change in the rules for cross-border government access to the contents of electronic communications. The CLOUD Act consists of three core components: (1) resolving the main issue in the Microsoft Ireland case pending before the U.S. Supreme Court, (2) providing a process for entities to request a comity analysis for potential conflicts with non-U.S. legal obligations, and (3) removing legal barriers [...] Read more
On March 6, Singapore announced that it has become the sixth country to participate in the Cross-Border Privacy Rules System (CBPR) as of February 20, 2018, joining the United States, Mexico, Canada, Japan and the Republic of Korea, and the second country to participate in the Privacy Recognition for Processors System (PRP) alongside the United States. The APEC CBPR system is a voluntary, enforceable mechanism that certifies a company’s compliance with the principles in the APEC CBPR and facilitates privacy-respecting transfers of data among APEC member economies.
Singapore’s Ministry [...] Read more
On Tuesday, February 27th, the U.S. Supreme Court heard oral argument in United States v. Microsoft Corp. on whether a warrant issued under the Stored Communications Act (SCA) can compel the production of data stored outside the United States. Where Microsoft argues that the emails stored outside the United States also lie outside the reach of the SCA, the government contends that the SCA focuses on “classically domestic content,” and that Microsoft can be compelled within the U.S. to turn over records it controls regardless of where the data sought is stored.
This case began in December [...] Read more
In just under 100 days, the EU General Data Protection Regulation (GDPR) enters into force. One of the major changes the GDPR introduces is a duty for in-scope controllers and processors to maintain written records of their processing activities. Under Article 30 GDPR, companies will need to inventory all “processing activities under [their] responsibility” and memorialize them in a written record setting forth, inter alia, the purposes of processing operations, international transfers, and retention periods.
Article 30 GDPR thus creates a new kind of documentation obligation. This obligation [...] Read more
“To Harmonize or Not To Harmonize: That Is the Question.” With the the GDPR fast approaching on May 25, 2018, European Member States are getting ready with the implementation of national legislation. Although the GDPR is a regulation, and directly applicable in all Member States, it has left room for country-specific legislation in several different regards (such as the processing of employee data or individual rights restrictions). Most Member States still only have draft legislation at this point, but the expectation (or at least intention) is that each country will have adopted legislation [...] Read more
In late 2015, the European Court of Justice (ECJ) issued its initial Schrems decision, invalidating the EU/US Safe Harbor and leading to important developments in the rules for transferring personal data from the EU to the US. Since that decision, Mr. Schrems has pursued two further legal proceedings in the EU.
The first involves Mr. Schrems’ challenge in the Irish courts to EU Standard Contractual Clauses, which permit data to be transferred internationally between contract parties. In the trial, Alston & Bird Special Counsel Peter Swire testified as an expert on US national [...] Read more
About this time last January, the European Parliament released its proposal for a new ePrivacy Regulation. The intent of the ePrivacy Regulation is to replace the current ePrivacy regime – which consists of an ePrivacy Directive and a patchwork of local implementing legislation – with a uniform set of directly-applicable EU-wide rules. Since the Parliament released its ePrivacy Regulation draft, both the European Council and the European Parliament have reviewed it and released their own revised drafts.
The ePrivacy Regulation contains a number of important rules for companies. Traditionally, [...] Read more
