Spoiler Alert: Behavioral advertising companies will find some bad news in the guidance.

The Article 29 Working Party (WP29) advisory group, which will soon become the more transparently-named (and very powerful) European Data Protection Board, is busy drafting and issuing guidance documents to help organizations understand how European data protection authorities will interpret various requirements of the General Data Protection Regulation (GDPR).  WP29 recently issued draft guidance relating to automated decision-making and profiling that will be critical for all organizations that conduct those activities. The draft guidance is open for comments until Nov. 28, 2017.  This post recaps some of the particularly interesting aspects of the draft guidance, which can be found in full here (scroll down to the items just above the “Adopted Guidelines” section).

But first, what counts as automated decision-making under the GDPR?  And what is “profiling”? Continue Reading Key GDPR Guidance on Behavioral Advertising, Profiling and Automated Decision-Making

As was generally expected from informal comments by EU representatives, Privacy Shield has survived its first annual review.  Commissioner Jourova stated: “Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation.”  Specifically, the Commission highlighted the following in the press release today in which it announced its conclusions:

  • More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce. The U.S. Department of Commerce should also conduct regular searches for companies making false claims about their participation in the Privacy Shield.
  • More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
  • Closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.
  • Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • To appoint as soon as possible a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board (PCLOB).

It’s worth noting the recommendation regarding enshrining the protections for non-Americans under Presidential Policy Directive 28 in the reauthorization of Section 702 — while President Trump has not withdrawn PPD-28, it’s not a given that protection for foreigners will be built into FISA.

The full report is available here.

Executive summary:  The EU’s standard contractual clauses may be on the fast track to invalidation, putting a vast number of personal data transfers from the EEA at risk.  A case brought by Maximilian Schrems (whose first complaint resulted in the invalidation of Safe Harbor) has been referred to the EU’s highest court, via a 153-page Irish High Court decision that provides ample ammunition to those who would like to see the standard contractual clauses struck down.  Although aimed at Facebook, the consequences of the decision are virtually certain to affect all US companies that rely on the standard contractual clauses.

Many companies around the world rely on the EU’s standard contractual clauses (also known as the model clauses, and referred to in this article as the “SCCs”) as the legal basis for transferring personal data from the European Economic Area (EEA) to countries whose privacy laws have not been found adequate by the EU Commission.  The SCCs are private contracts, and while some EEA countries require that parties that enter into SCCs deposit a copy, other countries do not, so no one knows for sure how many companies rely on the SCCs.  But the answer is probably “an awful lot of companies.”  Given the data flows between the EEA and US, and the fact that, as of today, only around 2,500 companies rely on Privacy Shield as the legal basis for the data transfers, it’s safe to assume that for US companies, the standard contractual clauses are the primary mechanism for transferring personal data to the US.

The SCCs have been subject to a legal challenge by Maximilian Schrems (often called the Schrems II case) that has just reached a critical inflection point: The Irish High Court has just issued a decision referring to the Court of Justice of the EU (CJEU) the question of whether the SCCs are invalid.  The main thrust of the invalidity argument is the assertion that US national security laws do not offer adequate levels of protection for the rights of EU residents.  In particular, the argument runs, EU residents lack a meaningful remedy before US courts for uses of their personal data by US national security agencies that are inconsistent with those persons’ rights under EU law. Continue Reading Will the EU box itself in?  Fate of Standard Contractual Clauses (aka the Model Clauses) for personal data transfers is now in the hands of the EU’s highest court


Decisions you make when founding and/or investing in an insurtech venture can dictate your regulatory obligations, tax liability, operational structure and, ultimately, profitability.

Here are five seemingly simple questions to ask when launching an insurtech venture (and do not miss question #3): Continue Reading Five Questions for Investors in Insurtech

Since September, the Mintz Levin Privacy Webinar Series has focused on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation. The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

Access, Correction and Erasure: How to Minimize the Burden (2/16/2017)

This webinar, the sixth and final in our EU General Data Protection Regulation Series, considers companies’ obligations to give individuals access to their data and to correct or erase it.  We explore the new data portability requirements. The webinar concludes with some suggestions on how to make these requirements less burdensome.

Transferring Data from the EU (1/12/2017)

This webinar, the fifth in our EU General Data Protection Regulation Series, explores the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.

Data Protection Officers: Do You Need One? (12/15/2016)

This webinar, the fourth in our EU General Data Protection Regulation Series, examines the criteria that dictate whether or not your organization needs to appoint a Data Protection Officer. We discuss the role of the DPO, the significance of the “independence” requirement, and the qualifications required to hold the position.

Good-bye to the Cure-all: The New Rules on Consent (11/10/2016)

This webinar, the third in our EU General Data Protection Regulation Series, reviews the new restrictions on relying on user consent to data processing and data transfers. In addition to the general “imbalance of power” problem, we consider the implications of the Directive on unfair terms in consumer contracts and changes that may need to be made to terms of use and privacy policies when dealing with consumers.

Accountability, Data Security, Data Impact Assessments and Breach Notification Requirements (10/13/2016)

This webinar, the second in our EU General Data Protection Regulation Series, focuses on the data security and accountability requirements of the Regulation, including reviews and documentation of internal policies and procedures and data impact assessments. We also explore the breach notification requirements and actions that companies can take in advance to mitigate the need for breach notification.

One-Stop Shopping Mall? The New Regulatory Structure (9/14/2016)

This webinar, the first in our EU General Data Protection Regulation Series, explains the powers and role of the new European Data Protection Board, how a “lead supervisory authority” will be designated for each controller, and how the lead supervisory authority will interact with other interested supervisory authorities. We also look at the complaint process from the point of view of the individual who is claiming a violation, and explore the likely role that will be played by public interest organizations bringing group complaints.

This week’s webinar will consider companies’ obligations to give individuals access to their data and to correct or erase it.  We will also explore the new data portability requirements.  The webinar will conclude with some suggestions on how to make these requirements less burdensome. We hope you can join us!

Registration link is here.

This week, we’ll explore the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we will consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses. Make sure to join us for this important webinar!

Registration link is here.

It’s likely that 2017 will see still more data breaches and hacking stories, and companies should be looking closely at cybersecurity as a risk management issue, and not as an IT issue (we’ve been saying that for years ….).

One of the issues for 2017 will continue to be global changes in data protection laws, and how US companies operating in a global environment prepare for compliance with competing regulations.

To that end, we continue our ongoing series of webinars on the European Union’s General Data Protection Regulation (GDPR).

The upcoming webinar, the fifth in our GDPR Series, will explore the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we will consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.

Registration is online here.

For the past few months, the Mintz Levin Privacy Webinar Series has focused on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation. The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

This week, we’ll present a webinar examining the criteria that determine whether or not your organization needs to appoint a Data Protection Officer. We will discuss the role of the DPO, the significance of the “independence” requirement, and the qualifications required to hold the position. Make sure to join us for this important webinar!

Registration link is here.

Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later.  The hotel chain paid a penalty to the State of New York for its handling of that incident.  The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy