The Securities and Exchange Commission voted to propose cybersecurity rules that, if adopted, would require investment advisers and funds to implement written policies and procedures to address cybersecurity risk, and would create new reporting, disclosure and record keeping obligations.
DBR Kicks Off Its Year-Long CCPA Webinar Series … While the CA AG Seeks Public Input on the CCPA and Lawmakers Propose Changes to It.
DBR’s CCPA Webinar Series Kicks Off
The end of February marked the beginning of Drinker Biddle’s nine-part webinar series on the new California Consumer Privacy Act of 2018 (CCPA) — one of the most significant data privacy laws in the United States.
Compliance with the new law will require considerable knowledge and effort. Our webinar series delves into the complex details and strategies that companies doing business in the state need to know. The series will feature a panel of CCPA professionals from Drinker Biddle’s Information Privacy, Security and Governance team, including Peter Blenkinsop, Jeremiah Posedel, Reed Abrahamson, and others.
The first webinar held on February 27 provided a comprehensive overview of the CCPA, including the obligations and limitations imposed on businesses that collect and process personal data of California residents, the rights of such residents, and the enforcement mechanisms and potential penalties available under the act. The DBR team also highlighted some key open issues that will hopefully be addressed or clarified by California regulators before the law becomes operative on January 1, 2020. For those who were unable to attend, a recording of the webinar and a copy of the presentation materials are available here.
Issues of lack of transparency and consent formed the basis of the CNIL’s $57 million fine against Google under the GDPR. CNIL is France’s highest-ranking data-privacy agency. It’s the first large penalty for a U.S. technology company since the GDPR went into effect last May.
The UK Information Commissioner’s Office (ICO) announced that it has fined a direct marketing company, Everything DM Ltd. (EDML), £60,000 ($77,421) for failing to take reasonable steps to ensure that unsolicited marketing emails sent on behalf of its clients complied with privacy laws applicable to electronic communications.
In preparation for the General Data Protection Regulation (GDPR), set to take effect in the EU on May 25, 2018, we have hosted a series of webinars to help attendees navigate the changing data protection landscape. The GDPR is the EU’s most important change in data privacy regulation in 20 years, replacing the 1995 Data Protection Directive, and will affect any company that processes data pertaining to individuals in the EU. Please find more information on the presentations below:
- Overview of Preparing for the General Data Protection Regulation (GDPR): A high-level plan for preparing for GDPR implementation.
- Conducting a Data Inventory and Mapping: The process of conducting a data inventory and mapping.
- Establishing a Data Protection Officer: The requirements and considerations concerning the appointment of a Data Protection Officer.
- Conducting Data Protection Impact Assessments: The requirements and considerations for conducting a data protection impact assessment.
- Determining Your Lead Data Protection Authority: Determining a lead data protection authority and options for companies whose existing structures do not allow them to take advantage of this mechanism.
- Right to Data Portability: Determining the scope of the new data subject right to data portability, when it applies and what it means in practice.
- Legal Bases for Processing: The provisions of legal bases for the processing of personal data.
- Transparency: The provisions of the GDPR transparency requirement and its effects on data subject rights.
- Automated Processing and Profiling: Understanding the automated processing and profiling rights of data subjects under the new GDPR.
- Data Breach Notification: Circumstances in which notification is required and how to implement effective incident response plans.
- International Data Transfers: The key requirements for international data transfers, including actual and potential changes to existing transfer mechanisms.
On October 3, 2017, the Irish High Court referred Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems to the Court of Justice of the European Union (CJEU), where the future of standard contractual clauses (SCCs) will be decided (here).
In December 2015—following the CJEU’s landmark decision in Maximillian Schrems v. Data Protection Commissioner invalidating the U.S.-EU Safe Harbor framework—Schrems amended his original complaint to the Irish Data Protection Commissioner (DPC), challenging the validity of data transfers to the U.S. based on the European Commission-approved SCCs (available here). Based on the CJEU’s Schrems decision, the Irish DPC petitioned the Irish High Court to refer the matter to the CJEU for a ruling on whether the European Commission’s SCC decisions are valid under European law. Specifically, the Data Protection Commissioner questioned whether there is an effective remedy under U.S. law compatible with the requirements of Article 47 of the EU Charter of Fundamental Rights for an EU citizen whose data is transferred to the U.S., where such data is subject to electronic surveillance by U.S. agencies for national security purposes. EU citizens have a right guaranteed by Article 47 of the Charter to an effective remedy before an independent tribunal if their rights or freedoms are violated. These include the rights under Articles 7 and 8 to respect for private and family life and to protection of personal data.