Cross-Border Data Flow

Since the General Data Protection Regulation (“GDPR”) took effect on May 25, 2018, US companies without facilities or employees in Europe have struggled to understand the extraterritorial scope of the GDPR. Under Article 3(2), US companies without an “establishment” in the EU are required to comply with the GDPR where their processing activities relate to the “offering of goods or services” to EU data subjects or where they “monitor” the behavior of EU data subjects. The meaning of these concepts is a particularly vexing question for US companies that have a website accessible to Europeans or have some European customers, but lack a physical presence in the EU. Continue Reading EDPB Draft Guidelines on Extraterritorial Scope of the GDPR Provide Few Clear Answers for US Companies

With the European Union’s General Data Protection Regulation (GDPR) set to go into effect on May 25, 2018, many questions remain as to what entities that control and process data from EU citizens must do to comply. One such issue is the ongoing effort by the Internet Corporation for Assigned Names and Numbers (ICANN) to ensure that the WHOIS service (an online database of identity and contact information for registrants of web domains) complies with GDPR. Continue Reading GDPR And The Future of WHOIS Data

The lawsuit by Austrian lawyer and serial plaintiff, Max Schrems, against Facebook suffered a setback in a ruling by the Court of Justice of the European Union (CJEU) last week. Schrems sought to bring class action-type claims on behalf of 25,000 participants worldwide in his home country of Austria, alleging that Facebook violated European Union privacy law when it assisted the United States National Security Agency’s PRISM surveillance program. Specifically, Schrems alleged that there is no adequate level of protection of European citizens’ Facebook data when it is transferred to the United States, because it could be accessed by US authorities without individualized suspicion. According to Schrems, Facebook’s collaboration with US authorities violated the Austrian data protection law of 2000, the Irish Data Protection Act of 1998, and Directive 95/46/EC of the European Parliament. Continue Reading CJEU Issues Mixed Ruling for Schrems’ Class Action Against Facebook

Among the more significant changes under the GDPR are new limitations on the use of consent to permit the processing of personal data. Recent WP29 guidelines on consent expand on previous opinions (for example Opinion 15/2011 regarding the definition of consent or Opinion 06/2014 regarding the legitimate interests of data controllers) and confirm that the use of consent must pass a very high bar to be effective under the GDPR.

Consent is one of six lawful bases to process personal data under the GDPR.  Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Continue Reading Analysis: WP29 Guidelines on Consent Under the GDPR

The FTC has released its annual report summarizing its activity during 2017 relating to privacy and data security issues.  In its self-declared role as “the nation’s primary privacy and data security enforcer,” the FTC outlines 10 privacy cases and 4 data security cases that it brought in 2017, including Uber Technologies (transportation service), Vizio (television manufacturer), Blue Global (lead generator), Upromise (college rewards program), ACDI Group (an alleged debt buyer), TaxSlayer (tax preparation service), and D-Link (wireless routers and Internet cameras). In addition, the FTC also brought its first actions to enforce the EU-US Privacy Shield in 2017. The FTC report also described its activities relating to international enforcement, children’s privacy, and Do-Not-Call. Continue Reading FTC Releases Annual Privacy and Data Security Update

With the May 2018 deadline for compliance with the General Data Protection Regulation (GDPR) inching closer, U.S. multinational companies have been eagerly awaiting guidance from the Article 29 Working Party on key provisions, such as the use of algorithms to make processing decisions, the new 72-hour response period for data breaches, the meaning of consent under the GDPR, and the appointment of a Data Protection Officer. Over the next few weeks, we will be providing our analysis of recent WP29 guidance.

Today, we begin with new guidelines addressing the use of algorithmic processing engines – what the GDPR calls “automated decision-making.” According to the Guidelines, profiling is an automated form of processing, carried out on personal data, the objective of which is to evaluate personal aspects about a natural person. Continue Reading Analysis: Article 29 Working Party Guidelines on Automated Decision Making Under GDPR