DBR Kicks Off Its Year-Long CCPA Webinar Series … While the CA AG Seeks Public Input on the CCPA and Lawmakers Propose Changes to It.
DBR’s CCPA Webinar Series Kicks Off
The end of February marked the beginning of Drinker Biddle’s nine-part webinar series on the new California Consumer Privacy Act of 2018 (CCPA) — one of the most significant data privacy laws in the United States.
Compliance with the new law will require considerable knowledge and effort. Our webinar series delves into the complex details and strategies that companies doing business in the state need to know. The series will feature a panel of CCPA professionals from Drinker Biddle’s Information Privacy, Security and Governance team, including Peter Blenkinsop, Jeremiah Posedel, Reed Abrahamson, and others.
The first webinar held on February 27 provided a comprehensive overview of the CCPA, including the obligations and limitations imposed on businesses that collect and process personal data of California residents, the rights of such residents, and the enforcement mechanisms and potential penalties available under the act. The DBR team also highlighted some key open issues that will hopefully be addressed or clarified by California regulators before the law becomes operative on January 1, 2020. For those who were unable to attend, a recording of the webinar and a copy of the presentation materials are available here.
Issues of lack of transparency and consent formed the basis of the CNIL’s $57 million dollar fine against Google under the GDPR. CNIL is France’s highest ranking data-privacy agency. It’s the first large penalty for a U.S. technology company since the GDPR went into effect last May.
The UK Information Commissioner’s Office (ICO) announced that it has fined a direct marketing company, Everything DM Ltd. (EDML) £ 60,000 ($77,421) for failing to take reasonable steps to ensure that unsolicited marketing emails sent on behalf of its clients complied with privacy laws applicable to electronic communications.
On October 3, 2017, the Irish High Court referred Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems to the Court of Justice of the European Union (CJEU), where the future of standard contractual clauses (SCCs) will be decided (here).
In December 2015—following the CJEU’s landmark decision in Maximillian Schrems v. Data Protection Commissioner invalidating the U.S.-EU Safe Harbor framework—Schrems amended his original complaint to the Irish Data Protection Commissioner (DPC), challenging the validity of data transfers to the U.S. based on the European Commission approved SCCs (available here). Based on the CJEU’s Schrems decision, the Irish DPC petitioned the Irish High Court asking to refer the matter to the CJEU for ruling on the question of whether the European Commission’s SCC decisions are valid under European law. Specifically, the Data Protection Commissioner questioned whether there is an effective remedy under U.S. law compatible with the requirements of Article 47 of the EU Charter of Fundamental Rights for an EU citizen whose data is transferred to the U.S., where such data is subject to electronic surveillance by U.S. agencies for national security purposes. EU citizens have a right guaranteed by Article 47 of the Charter to an effective remedy before an independent tribunal if their rights or freedoms are violated. These include the rights under Articles 7 and 8 to respect for private and family life and protection of personal data.
Providing data subjects with meaningful information regarding the processing of their personal data and their rights with respect to such processing is an axiom of privacy law—and a key requirement under the General Data Protection Regulation (GDPR).
The significance of this principle of transparency was recently highlighted by the European Court of Human Rights (ECHR) in Bărbulescu v. Romania where the court affirmed an employee’s right to privacy when using communications tools in the workplace due, in part, to the employer’s failure to provide adequate notice regarding its internet monitoring activities. This post briefly discusses the principle of transparency under GDPR and its application to the Bărbulescu case.