International

Are You Ready for Canada’s New Privacy Breach Rules?

Written by

Mandatory privacy breach notification, reporting and record-keeping obligations under Canada’s federal data protection law called the Personal Information Protection and Electronic Documents Act (PIPEDA) will come into force as of November 1, 2018. Earlier this year, the Canadian government published new privacy-related obligations under PIPEDA.  PIPEDA applies to private-sector organizations and sets the ground rules for how businesses must handle personal information in the course of commercial activity.  The new obligations present challenges to organizations, requiring an additional [...] Read more

Alston & Bird Hosts Webinar on Binding Corporate Rules – The Benefits Go Far Beyond Data Transfers

Written by

Binding corporate rules (BCRs) are a legally recognized mechanism that facilitate intra-group transfers of personal data from the European Economic Area (EEA) to the rest of the world. Adopting BCRs not only allows for the free flow of information across an organization but also builds a strong digital culture which is crucial in this data intensive world. On Nov. 7th at 1-2 pm ET, join partners Jan Dhont and Jim Harvey, and senior counsel Peter Swire in an engaging discussion on the evolution of BCRs, the path to BCRs (including the application process), and the realities of embedding the elements […] Read more

India’s Draft Data Protection Bill: Another GDPR Around The Corner?

Written by

India recently introduced the Personal Data Protection Bill 2018 (“Bill”). The transfer of personal data in India is currently governed by the SPD Rules (Sensitive Personal Data and Information, 2011), which is however considered outdated and not fully protective of personal data. The Bill comes as a result of the country’s Supreme Court recent judgment that declared privacy a fundamental right of an individual. The Srikrishma Committee (“Committee”) was responsible for drafting the Bill and coined a legal framework that is aimed to shape the country’s digital agenda. The Committee […] Read more

Brazil Transitions from Sectoral to Omnibus Privacy Regime

Written by

On August 14, Brazil adopted its new General Data Protection Law (LGPD) designed to replace and/or supplement its existing sectoral privacy framework.  Brazil’s LGPD echoes many of the components of the GDPR and will likely serve as part of Brazil’s own push for a reciprocal adequacy finding from the European Commission similar to the one Japan received this past July.  In addition to the LGPD, President Temer has stated that the government will establish a Brazilian national data protection authority (DPA) with a separate bill. Scope Like the GDPR, Brazil’s LGPD includes an expanded […] Read more

Japan and EU agree on Terms of Reciprocal Adequacy for Data Transfers

Written by

On July 17, the European Commission (the “Commission”) announced that the European Union and Japan successfully concluded talks on reciprocal adequacy and agreed to recognize each other's data protection systems as equivalent.  In its press release, the Commission explains that this adequacy agreement will create “the world's largest area of safe transfers of data based on a high level of protection for personal data.” The General Data Protection Regulation (“GDPR”) came into effect as of May 25 of this year.  Under the GDPR, “adequacy” is the simplest way for companies to [...] Read more

German DPA Announces GDPR Compliance Survey of Large Companies – Translation Provided

Written by

Following a two-year grace period, EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018.  For many companies, preparing for the GDPR was a multi-year project involving multiple teams and input or assistance from across the organization.  On this blog, we have outlined the items we have seen as particularly time- or resource-intensive. On June 29, 2018, the Data Protection Authority (DPA) of the German state of Lower Saxony (Niedersachsen) announced it would be surveying GDPR compliance among companies under its jurisdiction.  Germany has 16 state-run DPAs with general [...] Read more

Privacy Activist Challenges Data Collection for Internet Businesses

Written by

Austrian privacy activist Max Schrems’ organization, NOYB – Center for Digital Rights, filed complaints against Google (Android), Instagram, WhatsApp and Facebook on May 25th, the same day on which the EU General Data Protection Regulation (GDPR) became effective. NOYB filed the complaints based on the GDPR with supervisory authorities in France, Belgium, Germany and Austria.  These “Day 1” complaints could have a definite impact on ad-supported online businesses. The complaints reflect similar criticisms of each company. Assuming that each company processes personal data on the basis [...] Read more

EU Supervisory Authorities Disclose DPO Notification Tools

Written by

Shortly after the GDPR’s entry into application on May 25, 2018, several EU Supervisory Authorities have activated online Data Protection Officer (“DPO”) notification tools, allowing organizations to communicate the contact details of their DPO to the Supervisory Authorities, which is a requirement under Article 37 GDPR. While the DPO Guidelines of the Article 29 Working Party (“WP29”; replaced by the European Data Protection Board, “EDPB”) do not emphasize the requirement to notify DPOs, Supervisory Authorities (“SAs”) view these notifications as important, and have made available [...] Read more

German DPAs Issue DPIA Blacklists; Many Companies Likely to be Affected

Written by

The GDPR entered into force on May 25, 2018.  One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy.  DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make.  Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high [...] Read more

On GDPR Day, Austrian DPA issues First Binding DPIA Whitelist

Written by

The GDPR entered into force on May 25, 2018.  One of the GDPR’s core going-forward obligations is the duty to conduct Data Protection Impact Assessments (DPIAs) over processing activities that create a “high risk” to individuals’ privacy.  DPIAs constitute an important aspect of GDPR compliance, as they arguably replace the notifications of processing systems and activities to European Data Protection Authorities (DPAs) which pre-GDPR privacy law often obligated companies to make.  Instead of notifying DPAs, the GDPR now requires companies to internally conduct DPIAs that document “high [...] Read more