Since September, the Mintz Levin Privacy Webinar Series has focused on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation. The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

This week’s webinar will consider companies’ obligations to give individuals access to their data and to correct or erase it.  We will also explore the new data portability requirements.  The webinar will conclude with some suggestions on how to make these requirements less burdensome. We hope you can join us!

Registration link is here.

Since September, the Mintz Levin Privacy Webinar Series has focused on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation. The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

This week, we’ll explore the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we will consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses. Make sure to join us for this important webinar!

Registration link is here.

It’s likely that 2017 will see still more data breaches and hacking stories, and companies should be looking closely at cybersecurity as a risk management issue, and not as an IT issue (we’ve been saying that for years ….).

One of the issues for 2017 will continue to be global changes in data protection laws, and how US companies operating in a global environment prepare for compliance with competing regulations.

To that end, we continue our ongoing series of webinars on the European Union’s General Data Protection Regulation (GDPR).

The upcoming webinar, the fifth in our GDPR Series, will explore the ways in which the Regulation creates new avenues for data transfers, and narrows others. In particular, we will consider sector-specific Commission decisions, privacy seals/certifications, the exception for non-repetitive, limited transfers, and the outlook for BCRs and Model Clauses.

Registration is online here.

 

For the past few months, the Mintz Levin Privacy Webinar Series has focused on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation. The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

This week, we’ll present a webinar examining the criteria that determines whether or not your organization needs to appoint a Data Protection Officer. We will discuss the role of the DPO, the significance of the “independence” requirement, and the qualifications required to hold the position. Make sure to join us for this important webinar!

Registration link is here.

 

Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later.  The hotel chain paid a penalty to the State of New York for its handling of that incident.  The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy

For the next few months, the Mintz Levin Privacy Webinar Series is focusing on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation.   The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

Next week, we’ll present a webinar focusing on the data security and accountability requirements of the GDPR, including reviews and documentation of internal policies and procedures and data impact assessments.   We will also take a look at the onerous breach notification requirements and recommend actions that companies can take in advance to mitigate the need for breach notification.

Make sure to join us for this important webinar!

Registration link is here.

 

The Article 29 Working Party (WP29) has released a brief updated statement on the final form of the Privacy Shield adequacy decision and supporting annexes.  WP29 is an important advisory group made up of representatives of each of the EU’s national data protection authorities.   In a nutshell, WP29 has said that Privacy Shield isn’t perfect, but it will wait until the first annual review to raise specific objections, which gives the Privacy Shield program enough time to get up and running.  The WP29 statement promises  that, during the first annual review of Privacy Shield, “the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.”  WP29 goes on to say that “[t]he results of the first joint review regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.”

While WP29’s statement has been interpreted by at least one legal news source as a one-year moratorium on Privacy Shield litigation,  that seems rather unlikely.  The WP29 does not have  the legal power to deprive any EU data subject of his or her right to challenge Privacy Shield on human rights grounds, or to materially delay such a challenge.  If a national DPA refused to hear a complaint on the basis of the putative WP29 moratorium, the national courts would most likely find against the DPA.

A more modest — and realistic- – interpretation of the WP29 opinion would be that the DPAs themselves won’t seek to scupper Privacy Shield during its first year.  Instead, they will leave that to Max Schrems and other individuals who remain skeptical of the EU-US privacy deal.

The EU Commission has formally adopted Privacy Shield and the US Department of Commerce will go live with a new Privacy Shield registration website on August 1.  US companies that had been registered under Safe Harbor will need to complete a new internal review, self-certification and registration to take advantage of Privacy Shield.

Much of the negotiation of Privacy Shield has focused on enforcement and oversight of the program by US authorities (as well as on the US intelligence agencies’ own collection and use of EU personal data).  Companies that are already familiar with Safe Harbor will find Privacy Shield’s general privacy principles to be very similar.  However, companies will want to take note of the more stringent conditions for onward transfers to third parties, which are likely to require companies to review their contracts with service providers and business partners.  Companies will also need to scrutinize their data retention practices carefully.  Overall, annual data protection reviews will be necessary as part of continued self-certification. The Department of Commerce is expected to take a more active role in proactively monitoring compliance, so companies will need to be prepared for inspections even if no complaints have been made.

The final version of Privacy Shield and its appendices, along with a press release and FAQ, are available here.

 

The final version of Privacy Shield (which has not yet been officially published) passed the Article 31 Committee vote on July 8th and is being presented today to the LIBE committee of the European Parliament.  LIBE’s vote is advisory, but it may provide some early indications as to how well Privacy Shield will survive anticipated legal attacks once it is formally adopted and implemented.

Formal adoption of Privacy Shield is widely expected to happen this week.  Once that happens, the US Department of Commerce or FTC  should publish the final text and start processing registrations.  Companies considering certifying under Privacy Shield should note that it requires a greater degree of internal scrutiny and documentation than Safe Harbor did.

Companies that have put standard clauses in place following the demise of Safe Harbor will want to consider the pros and cons of participating in Privacy Shield rather than continuing to rely on the standard clauses.  Neither approach is guaranteed to be risk-free: The standard clauses have been sent to the Court of Justice of the EU for review under the second round of the Schrems case in Ireland, and Privacy Shield is virtually certain to end up before the Court of Justice at some point within the next year or two.

Not all the news coming out of Europe these days is about Brexit. In fact, the forces of unity and harmonization remain a top priority for European regulators hoping to combat digital security threats and create a safer and more secure environment for the entire online community.  To this end, on July 6, 2016, the European Parliament adopted the Network and Information Security (“NIS”) Directive in an effort to enhance cybersecurity and incident reporting at a national level across all of its member states (“NIS Directive”). This move followed an announcement the day before from the European Commission (the “Commission”) that it had launched a public-private initiative that will steer €1.8 billion of investment into cybersecurity by 2020.  Continue Reading EU Adopts Cybersecurity Directive: What US Companies Need to Know