On December 22, 2021, the Austrian Data Protection Authority (DSB) found that medical news company, NetDoktor, violated Europe’s General Data Protection Regulation (GDPR) by using Google LLC’s popular data analytics platform, Google Analytics (GA), on its website, which resulted in the transfer of personal information from Europe to Google’s servers located in the United States (U.S.).1 Such transfers are generally prohibited unless an adequate level of data protection exists pursuant to Article 44 of the GDPR, including through European Commission-approved standard contractual clauses (SCCs).
Continue Reading Austrian Data Protection Authority Finds Website Use of Google Analytics Violates GDPR

On November 17, 2020, Canada’s Minister of Innovation, Science and Industry introduced the proposed Digital Charter Implementation Act (DCIA or “Act”), new legislation from the Liberal Party of Canada that could dramatically alter how the country regulates consumer data.[1] The Act, which will likely extend to businesses outside of Canada, aims to “significantly increase protections to Canadians’ personal information” and “provide significant new consequences for non-compliance with the law.”[2] The DCIA grants consumers powerful consent rules, including the ability to withdraw consent, control over the transfer of their information to third parties, algorithmic transparency rights and data de-identification safeguards.[3] Penalties for noncompliance are substantial and can reach as high as 5% of a company’s revenue or C$25 million, whichever is greater.[4]
Continue Reading Canada Proposes New Privacy Bill

The Schrems II decision, issued on July 16, 2020, continues to impact the ability of organizations to transfer personal data from the European Economic Area to the United States. The effects of the decision are now felt in Switzerland as the Federal Data Protection and Information Commissioner (FDPIC) addressed the issue on September 8, 2020. The FDPIC determined that the Swiss-U.S. Privacy Shield, which is separate and distinct from the EU-U.S. Privacy Shield and was not directly addressed by the Schrems II decision, nonetheless fails to provide an adequate level of protection for personal data transferred from Switzerland to the United States.[1] The Swiss-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and Swiss administration to provide organizations with a mechanism to comply with data protection requirements when transferring personal data from Switzerland to the U.S.[2]
Continue Reading Swiss-U.S. Privacy Shield Invalidated by Swiss Commissioner

On September 3, 2020, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) held a meeting to discuss the Schrems II decision and the future of personal data transfers between the European Economic Area (EEA) and the U.S.[1]

Justice Didier Reynders, the EU Commissioner for Justice, stated that conversations with U.S. counterparts (most likely the Department of Commerce) on a possible new data transfer framework have started, but that it is impossible to predict or provide a clear timeline.[2] The European Commission is currently working on an amended set of standard contractual clauses (SCCs) that will address the concerns of the Schrems II decision and incorporate the General Data Protection Regulation (GDPR).[3]
Continue Reading European Parliament Committee Discusses the Future of EEA-U.S. Data Flows

On September 4, 2020, the European Data Protection Board (EDPB) announced that it had created two task forces following the Schrems II decision.[1] The first task force will prepare recommendations to support controllers and processors regarding their duties in “identifying and implementing” appropriate measures to meet the required standard when transferring data to third countries.[2] The EDPB noted that there will be no quick-fix solution, and that each organization will be required to evaluate its own data processing operations and transfers.
Continue Reading EDPB Establishes and Appoints Task Forces to Prepare Recommendations and Review Complaints Following the Schrems II Decision

On September 7, 2020, the European Data Protection Board (EDPB) issued draft guidelines clarifying the concepts of “controller,” “joint controller,” “processor” and “third party” under the General Data Protection Regulation (GDPR). These concepts are important under the GDPR, as they determine which party is responsible for compliance with particular GDPR provisions and how data subjects can exercise their rights. The guidelines, when finalized, will replace the previous Article 29 Working Party Opinion issued in 2010.[1] The concepts of “controller” and “processor” have not changed since the Article 29 Working Party Opinion, but the Court of Justice of the European Union’s (CJEU) decision and the obligations placed on these roles by the GDPR provided a need for clarification and harmonization across the European Economic Area (EEA).[2] The guidelines provide clarity to the different roles and responsibilities, and stress the importance of a clear and consistent interpretation of the concepts across the EEA. The following is a summary of some of the significant takeaways:
Continue Reading EDPB Issues Draft of GDPR Controller-Processor Guidelines

All 50 states have enacted their own version of a data breach notification statute requiring notice to affected individuals and/or regulatory bodies in the event of data loss, unauthorized data access or data exfiltration of personally identifiable information (“PII”). Many states, however, do not require such notification when the data at issue is encrypted. But what “encryption” requirements trigger this “safe harbor” provision? Each state’s answer to this question is slightly different. Some states exclude disclosure or access of encrypted PII from the definition of “breach” requiring notice. In such states, notification is required only if the accessed or disclosed PII is unencrypted. In other states, including New York, a “breach” occurs only where there is unauthorized access of both encrypted information and the necessary encryption key. N.Y. Gen. Bus. Law § 899-aa (Westlaw through L. 2019, ch. 1 to 19) (effective Mar. 28, 2013). Unauthorized access of encrypted data alone, therefore, may not necessarily be a breach that requires notice.
Continue Reading Encryption Considerations under Data Breach Notification Laws

One of the biggest risks to data security is lack of vendor (third-party) and vendor subcontractor (fourth-party) management. Companies can mitigate ever-increasing vendor data security risk through purchasing appropriate cyber insurance and implementing a vendor risk management program that includes processes for systematically conducting due diligence and contract negotiations.

If primary vendors are not properly assessed, or controls are not placed on subcontractors (i.e., “fourth parties”) that may be used to render primary vendors’ services, numerous unknown parties with varying degrees of security controls can have access to sensitive information without the companies’ knowledge. Companies can contractually address this exposure by requiring pre-approval of fourth parties, imposing security requirements that must be met by fourth parties and/or requiring security reviews of such fourth parties. Vendor and fourth-party risk can also be managed by cyber insurance policies.
Continue Reading Cyber Risk: Addressing the Elephant in the Room

The New York State Department of Financial Services (“DFS”) Cybersecurity Regulation (“Regulation”) took effect on March 1, 2017, and applies to those entities operating or required to operate under New York banking, insurance and finance laws (“Covered Entities”). Covered Entities should have been in compliance with portions of the Regulation as of August 28, 2017, for which they certified compliance on February 15, 2018.
Continue Reading Be Prepared for the September 3, 2018 Deadline for New York State Department of Financial Services Cybersecurity Regulation Requirements

With Alabama’s recent enactment of the Alabama Data Breach Notification Act of 2018 (“Act”), all 50 states now have their own data breach reporting statutes. Given the complexity of the current U.S. data breach reporting regime, which also includes statutory reporting obligations in jurisdictions like Puerto Rico and the District of Columbia, businesses with customers in more than one state must coordinate with advisors who have experience navigating this patchwork quilt of statutes.

On March 28, 2018, Alabama became the 50th (and final) state to enact a data breach notification law. The Act requires notification where a “good faith and prompt investigation” results in a determination that “sensitive personally identifying information” (“SPII”) of an Alabama resident has been acquired or is reasonably believed to have been acquired by an unauthorized person, “and is reasonably likely to cause substantial harm to the individuals to whom the information relates.” 
Continue Reading Now That All U.S. States Have Data Breach Laws, National Breach Reporting Is Even More Complex