Blog

Enhancing Safeguards for US Signals Intelligence Activities 

President Biden October 7, 2022 Executive Order on Enhancing Safeguards for US Signals Intelligence Activities – Towards an Updated EU-US Privacy Shield Framework

When the European Court of Justice issued its decision on Schrems and Facebook Ireland v. Data Protection Commissioner in July 2020 (Schrems II),[1] it triggered a brutal disruption and stoppage in the operations of the EU-US Privacy Shield framework (Framework). It also caused significant chaos in the operations of numerous US or EU/EEA businesses and organizations that were relying on the Framework as a strategic tool and structure for providing a legal basis for exchanges or transfers of personal data for commercial and business purposes between the two sides of the Atlantic. 

After lengthy and challenging negotiations between representatives of the European Commission and the United States, a new proposed Trans-Atlantic Data Privacy Framework was published at the end of March 2022. According to the White House, the EU-US Trans-Atlantic Data Privacy Framework of March 2022 was intended to lay the ground for providing a legal basis for transatlantic data flows by addressing concerns that the Court of Justice of the European Union raised in July 2020 in the Schrems II case.

Final Versions of Standard Contractual Clauses Adopted

Three years after the GDPR came into effect, the European Commission has issued the much-awaited final version of two new sets of Standard Contractual Clauses that are expected to enable data controllers and processors to address some of the thorny issues in the transfer of personal data of EU/EEA citizens. The Press Release of the EU Commission, dated June 4, 2021, is available here.

Five New Templates

As anticipated from prior drafts, the new Standard Contractual Clauses framework is comprised of two sets of documents that address two distinct settings. A total of five documents can be used depending on the circumstances: 

One category provides one document, intended to address transfers between controllers and processors when both parties are in the EU/EEA (or otherwise subject to the GDPR) and must meet the GDPR Art. 28. 

The other group addresses, in addition, the issues arising from cross-border data transfers where one of the entities is established outside the EU/EEA (and not subject to the GDPR). Four scenarios are addressed: Controller-to-controller transfers; Controller-to-processor transfers; Processor-to-processor transfers; and Processor-to-controller transfers.

Overview of the Upcoming California Privacy Rights Act (CPRA)

California voters approved Proposition 24 on November 3, 2020, paving the way to the California Privacy Rights Act (CPRA), which, on January 1, 2023, will replace California’s current data protection law, the California Consumer Privacy Act (CCPA). CPRA slightly reshapes CCPA, creating additional rights for consumers and additional obligations and restrictions for businesses related to the use of consumers’ personal information, including limits to data collection and retention, among others.

Most of CPRA will become operative on January 1, 2023. The law will apply to personal information collected after January 1, 2022. There will be a 6-month delay between the effective date of the act and its enforcement, with enforcement actions commencing on July 1, 2023. In the meantime, CCPA will remain in full force and effect.

Privacy Shield after Schrems 2: What to Do Next?

Since the publication of the EU Court of Justice decision in the Schrems 2 case, many organizations that send or receive personal data of EU/EEA residents have been struggling to find reliable, viable means to ensure the continuity of the data flows emanating from the EU/EEA, and the privacy protections needed for this data. The guidance provided by regulatory authorities on both sides of the Atlantic has been limited. 

The Schrems 2 decision focuses primarily on two elements, the EU-US Privacy Shield and the Standard Contractual Clauses Controller-to-Processor. Both the EU-US Privacy Shield program and the Standard Contractual Clause framework have come out with a black eye. And both aspects of the Schrems 2 decision have significant consequences for businesses that operate on a global scale.

United States–Mexico–Canada Agreement: Digital Trade Provisions NAFTA 2.0 meets the Internet

The United States–Mexico–Canada Agreement (USMCA) enters into effect on July 1, 2020. Nicknamed “NAFTA 2.0” because it replaces the North America Free Trade Agreement (NAFTA), the USMCA addresses a number of issues that had not been tackled by its predecessor, conceived and negotiated almost 30 years ago, at the dawn of the commercial Internet. In its Chapter 19 – Digital Trade, the USMCA focuses on the trading of digital products, such as computer programs, image, text, video, sound recording or other products that are digitally encoded and can be transmitted electronically. Several Articles focus on cybersecurity, privacy, data localization, and cross-border data transfers, which should be of interest to cloud providers and cloud users. Other areas of interest include protection against unsolicited commercial communication, source code protection, prohibition against the application of customs duties, and internet platform liability for third party content.

New Data Protection Law Enacted in Dubai Emirate

Dubai has enacted a new data protection law that replaces the current privacy law, law N. 1 of 2007. The new 50-page law, which modernizes the current data protection law, will come into effect on July 1, 2020, at which time the pre-existing law and all related regulations will be repealed.

The Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 (DIFC Law No. 5 of 2020) was enacted on June 1, 2020 by His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE, in his capacity as the Ruler of Dubai. Like its predecessor, the geographic scope of the law is limited to the Dubai International Financial Centre (DIFC) rather than the entire territory of the Dubai emirate.

The new law introduces concepts of accountability, and enhances individuals’ control over their personal data. It also provides for fines for data breaches. According to its Article 5, the purpose of the law is to provide standards and controls for the processing and free movement of personal data, and to protect the fundamental rights of the data subjects. Interestingly, Article 5 also specifies that the purpose of the law is to protect the fundamental rights of data subjects “including how such rights apply to the protection of personal data in emerging technologies.”

Overview

DIFC Law No. 5 of 2020 takes into account principles found in other well-known data protection laws, such as the EU General Data Protection Regulation (GDPR), Brazil’s General Data Protection Law (LGPD), and the California Consumer Privacy Act (CCPA). According to the official press release, the modernization of the data protection legal landscape of the DIFC signals its ambition to apply for adequacy recognition by the European Commission and other jurisdictions, which would ease global data transfers for DIFC-based businesses.

Proposed Principles for Artificial Intelligence Published by the White House

A draft memorandum outlining a proposed Guidance on Regulation of Artificial Intelligence Application (“Memorandum”) for agencies to follow when regulating and taking non-regulatory actions affecting artificial intelligence was published by the White House on January 7, 2020. The proposed document addresses the objective identified in Executive Order 13859 on Maintaining American Leadership in Artificial Intelligence (“Executive Order 13859”), published by the White House in February 2019.[2]

The Memorandum sets out policy considerations that should guide oversight of artificial intelligence (AI) applications developed and deployed outside the Federal government. It is intended to inform the development of regulatory and non-regulatory approaches regarding technologies and industrial sectors that are empowered or enabled by artificial intelligence and consider ways to reduce barriers to the development and adoption of AI technologies.

Failure to Meet Data Retention and Data Minimization Obligations In Germany Results in a EUR 14.5 Million fine

Francoise Gilbert

The abundance of storage space and the increased pressure to keep interacting with current or former customers prompt businesses to collect large amounts of data, and retain as much of this data as possible, often well beyond its actual useful period. Too often, businesses may not spend the time and resources necessary to periodically audit their practices and evaluate the nature of the data collected or to be collected, how the data is used, or why it is needed in view of their then-current needs. And they may neglect to purge their databases and securely dispose of this data.

Legal barriers for drones

Dr. Ursula Widmer

The use of drones for various purposes, such as image recording, surveys, scientific studies, surveillance or transport, is spreading rapidly. However, certain legal barriers must be observed for reasons of security, and protection of privacy and personality rights. The Federal Office for Civil Aviation (FOCA) recently adopted stricter regulations for the use of drones and model aircraft in order to take better account of the security risks.

Are cookies currently regulated in South Africa?

Olivia Smith & John Giles

What is the cookie law in South Africa? Many people ask because the law relating to cookies is such a big issue in many other countries. Do you need to get a user’s (aka data subject’s) consent before using cookies? Are there any specific regulations?

What are cookies and why are they used?

Cookies are text files transferred from your browser to your computer’s hard drive. They store information about your activity on a browser. Companies worldwide use cookies to monitor customer behavior and to improve interactivity with a website.

You will notice when you search for a specific product, ads relating to that product appear on other sites you visit.  When you log into a website that uses cookies and later re-visit it, the cookies allow the website to ‘remember’ you.

Cookies make your life as a website user much easier because you do not have to log in every time you visit the same page. Your online experiences will be personalized to your preferences.
