EU Updates
Applying GDPR Experiences to the CCPA
Alston & Bird recently issued an advisory entitled “Applying GDPR Process Lessons to the CCPA,” authored by Jim Harvey and Karen Sanzaro. The recently and hastily adopted California Consumer Privacy Act of 2018 (CCPA) has already been compared to the General Data Protection Regulation (GDPR), though the two greatly differ in scope and content. However, there are valuable insights to glean from the GDPR adoption process that can give companies a head start on implementing the CCPA.
Japan and EU Agree on Terms of Reciprocal Adequacy for Data Transfers
On July 17, the European Commission announced that the European Union and Japan successfully concluded talks on reciprocal adequacy and agreed to recognize each other’s data protection systems as equivalent. In its press release, the commission explained that this adequacy agreement will create “the world’s largest area of safe transfers of data based on a high level of protection for personal data.”
German DPA Announces GDPR Compliance Survey of Large Companies – Translation Provided
Following a two-year grace period, the EU General Data Protection Regulation (GDPR) entered into force on May 25, 2018. For many companies, preparing for the GDPR was a multiyear project involving multiple teams and input or assistance from across the organization. In this blog post, we outlined the items we saw as particularly time- or resource-intensive.
GDPR Fragmentation May Appear More Significant Than Intended
With the entry into application of the GDPR on May 25, 2018, the EU Member States were expected to have adopted national legislation implementing the regulation. To date, however, only a fraction of Member States have effectively passed legislation, which still leaves the legal landscape precarious. The GDPR allows for deviations and specifications in several areas, for instance to introduce specific conditions or limitations for the processing of biometric, genetic, or health data; to create specific protection regimes for employee data; or to restrict the rights the GDPR grants to individuals. Businesses that operate in the EU are required to comply with both the legal framework of the GDPR and the (potentially deviating) national legal frameworks of the specific countries where they operate.
Privacy Activist Challenges Data Collection for Internet Businesses
Austrian privacy activist Max Schrems’s organization, NOYB – Center for Digital Rights, filed complaints against Google (Android), Instagram, WhatsApp, and Facebook on May 25, the same day on which the GDPR became effective. NOYB filed the complaints based on the GDPR with supervisory authorities in France, Belgium, Germany, and Austria. These “Day 1” complaints could have a definite impact on ad-supported online businesses.
EU Supervisory Authorities Disclose DPO Notification Tools
Shortly after the GDPR’s entry into application on May 25, 2018, several EU supervisory authorities activated online data protection officer (DPO) notification tools, allowing organizations to communicate the contact details of their DPO to the supervisory authorities, which is a requirement under Article 37 GDPR.
In the News
September 2018 – David Carpenter was ranked in the “40 Under 40” by Global Data Review as a leading privacy lawyer.
July 2, 2018 – Peter Swire and Dan Felz authored an article, “A Canary in the Ad Tech Coal Mine? German DPAs Announce Opt-In Regime for Online Advertising,” in Bloomberg Law.