On February 7, 2019, the German antitrust agency, the Federal Cartel Office (“FCO”), imposed limitations on Facebook’s current practice of collecting and processing user data and prohibited Facebook from using the related terms of service. After an almost three-year investigation, the FCO found that some of Facebook’s business practices amounted to an abuse of a dominant position. For the first time, the FCO based its abuse-of-dominance analysis in part on whether the dominant company complied with the GDPR, folding GDPR compliance into its competition law assessment.
Emmanuel Ronco’s practice focuses on intellectual property and technology matters, including in the context of corporate transactions such as mergers and acquisitions or joint ventures.
In 2018, data privacy and cyber breaches made headlines throughout the year.
Major companies continued to suffer data breaches, highlighting the risks and potential costs of cyber incidents across industries. At the same time, a growing and overlapping thicket of data security and privacy regulations—within the U.S., European Union, Latin America, and elsewhere—continued to increase compliance costs and regulatory risks. This memo surveys some of the key cybersecurity and data privacy developments of 2018, including the major data breaches and cyberattacks, regulatory and legislative actions, and notable settlements and court decisions.
In addition, we identify some key takeaways from 2018, which include the importance of rapid response and timely disclosure, cyber diligence in M&A transactions, effective management of third-party vendor risk, and protecting privilege. We also highlight key areas to watch in 2019, including GDPR enforcement, efforts to pass a U.S. federal privacy law, responses and potential changes to California’s new privacy law, the adoption of comprehensive privacy laws in more U.S. states and non-U.S. jurisdictions, and heightened U.S. litigation and enforcement risk. Data security and privacy will undoubtedly remain a priority for boards and senior management, as well as regulators and enforcement authorities.
The European Data Protection Board (“EDPB”) adopted its highly anticipated guidelines on the territorial scope of the General Data Protection Regulation (“GDPR”) (the “Guidelines”), which are currently open for public consultation until January 18, 2019.
The extraterritorial application of the GDPR to entities located in non-EU countries marks a significant shift in the legal framework compared to the GDPR’s predecessor (Directive 95/46/EC).
The GDPR’s extraterritorial scope is based on two main criteria described in its Article 3:
- the “establishment” criterion, according to which the GDPR applies where processing of personal data is undertaken by a person in the context of the activities of an establishment in the European Union regardless of whether the processing takes place in the European Union or not, and
- the “targeting” criterion, according to which the GDPR applies where processing activities conducted by a person established outside the European Union relate to the offering of goods or services or the monitoring of behavior of data subjects in the European Union.
As a result of these two criteria, businesses which previously did not need to consider the applicability of EU data protection law to their processing activities may now fall within the GDPR’s territorial scope. The Guidelines are intended to bring clarity to non-EU businesses doing business with the EU, either directly or through “establishments”, which must carefully assess their data processing activities in order to determine whether the GDPR applies. The full text of the Guidelines is published by the EDPB.
Tomorrow, May 25, 2018, the European Union’s (“E.U.’s”) sweeping and much-awaited data security and privacy regulation known as the General Data Protection Regulation, or “GDPR,” will begin to apply (it entered into force in 2016, with a two-year transition period). We have previously written a full analysis of the new requirements under the GDPR for companies within its scope.
Since the GDPR was formally approved in 2016, organizations around the world have devoted significant time and resources to preparing for the new law’s application. But while tomorrow is a deadline, it is also a start date for compliance efforts that will require ongoing attention and adjustment in the months and years ahead. With this in mind, we have compiled tips and resources to aid companies in the compliance work that continues after May 25.
Since the adoption of the General Data Protection Regulation (GDPR) in 2016, considerable attention has focused on the vastly increased scope of potential administrative fines, and that attention has only grown as the GDPR’s application date of May 25, 2018 approaches. In this post, we summarize the key fining provisions and analyze the recent guidance on this issue from the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission).
Following the generally positive assessment of the EU-U.S. Privacy Shield framework (the “Privacy Shield”) by the European Commission after its first annual review, the Article 29 Working Party (an advisory group consisting of representatives from national data protection authorities together with the European Commission) released its own opinion (the “WP29 Opinion”), which was more critical and called for immediate action on the part of the United States.
While the Article 29 Working Party praised some improvements made by U.S. authorities in terms of transparency and oversight of surveillance, the WP29 Opinion noted significant outstanding issues which ought to be remedied before the second annual review of the Privacy Shield, or even earlier. In particular, the Article 29 Working Party expressed concerns relating to the supervision of U.S. surveillance programs, the processing by U.S. authorities of personal data transferred under the Privacy Shield for national security purposes, and the implementation of redress mechanisms available to individuals located in the EU against U.S. companies that do not use personal data in accordance with their commitments under the Privacy Shield. The Article 29 Working Party set out as priorities the appointment of an independent Ombudsperson entrusted with the appropriate powers, the clarification of internal procedural rules governing the interaction between the Ombudsperson and other intelligence or oversight bodies (including declassification rules), and the appointment by the U.S. administration of the members of the Privacy and Civil Liberties Oversight Board contemplated by the Privacy Shield. According to the Article 29 Working Party, those priority issues should be resolved by May 25, 2018, the date from which the EU’s General Data Protection Regulation (GDPR) applies (please refer to our prior Alert Memo in that regard).
Other issues identified by the Article 29 Working Party related to the lack of information given to individuals in the EU regarding the exercise of their rights under the Privacy Shield and the need to increasingly monitor compliance of companies certified under the Privacy Shield. The WP29 Opinion also provided specific recommendations with regard to the processing of employee data, rules regarding automated decision-making and the profiling of individuals, and the self-certification process by U.S. companies wishing to take advantage of the Privacy Shield.
The Article 29 Working Party advised that in the event of a failure to take the actions it prescribed in the WP29 Opinion within the next year, it reserved the right to challenge the validity of the European Commission’s adequacy decision underlying the Privacy Shield in national courts, which could result in its annulment. In that regard, some of the arguments the Article 29 Working Party could raise (such as the broad access to personal data by U.S. authorities for national security purposes) appear to be similar to those that resulted in the invalidation of the Safe Harbor scheme (the Privacy Shield’s predecessor) by the Court of Justice of the European Union in its Schrems v. Data Protection Commissioner judgment.
The Privacy Shield is also subject to pending challenges, one of which was dismissed on November 22, 2017, albeit not on substantive grounds but as a result of the applicant’s lack of standing. These challenges to the Privacy Shield echo other actions seeking to invalidate alternative legal grounds for transferring personal data from the EU to the United States, such as the one initiated by Mr. Schrems and the Irish Data Protection Commissioner questioning the legitimacy of so-called Standard Contractual Clauses (“SCCs,” also commonly referred to as Model Contracts), which is now pending before the Court of Justice of the European Union for a preliminary ruling.
The invalidation of both the Privacy Shield and the SCCs as approved methods for transferring personal data would cause serious disruptions in the flow of data and, as a result, business relations, between EU and U.S. companies.
The disclosure by Uber of a data breach that occurred in October 2016 has prompted a growing number of regulators to open investigations into the company. According to Bloomberg, the breach (which Uber disclosed on November 21, 2017) involved hackers accessing the names, email addresses and phone numbers of 50 million riders and 7 million drivers and the driver’s license numbers of approximately 600,000 U.S. drivers.
On October 18, 2017, the European Commission published its report on the functioning of the EU-U.S. Privacy Shield framework (the “Privacy Shield”), marking the conclusion of its first joint annual review of the regime. The Privacy Shield, which is administered by the International Trade Administration within the U.S. Department of Commerce (“DOC”), provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States. To join the Privacy Shield, a U.S.-based organization is required to self-certify to the DOC and publicly commit to comply with the Privacy Shield requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Privacy Shield requirements, that commitment becomes enforceable under U.S. law.
Earlier this month, in the latest ruling to emerge from the privacy campaign initiated by activist Max Schrems, the Irish High Court cast fresh doubt on the legitimacy of so-called Standard Contractual Clauses (“SCCs”, also commonly referred to as Model Contracts) as an approved method of ensuring lawful personal data transfers from the European Economic Area (“EEA”) to the United States. In this case, Mr. Schrems, joined by the Irish Data Protection Commissioner (“DPC”), objected to Facebook Ireland Ltd. transferring personal data to its U.S. parent company, Facebook Inc.
From May 2018, organizations established or providing services in the EU will be subject to new national and EU-wide cybersecurity legislation, as regulators in EU Member States begin to apply both the General Data Protection Regulation and national legislation implementing the Network and Information Security Directive.
These new laws will significantly increase the territorial and sectoral scope of organizations subject to EU cybersecurity obligations and introduce strict data security and breach disclosure obligations with potentially severe penalties for non-compliance.
This tightening of the EU cybersecurity regime coincides with similar developments in other jurisdictions worldwide and reflects a global trend for legislators and regulators to require organizations to observe increasingly stringent cybersecurity practices. This memorandum considers the key components of the new EU laws and outlines a number of recent cybersecurity developments in other key jurisdictions.