The big news in June were the EU Standard Contractual Clauses for cross-border data transfers to non-EEA countries.  There were also significant developments for companies engaging in employee surveillance, ad tech, data scraping and the use of AI. Here are our highlights: European Commission adopts new Standard Contractual Clauses What happened:  As reported in our blog post, the European Commission…

This is Part 2 of a two-part article on the recent U.S. Supreme Court TransUnion decision.  In Part 1, we discussed the implications of the decision for standing in cyber cases. On June 25, 2021, the Supreme Court issued a significant opinion on standing in the context of consumer class actions in TransUnion LLC v. Ramirez. The Supreme Court affirmed…

Colorado has just adopted a brand-new data privacy law and Nevada has just significantly amended its law. These changes add rights for consumers, and compliance obligations for businesses, that take the U.S. further in the direction of European-style privacy law. Colorado and Nevada join California and Virginia in adding to the growing patchwork of disparate state laws — making it…

This is Part 1 of a two-part article on the recent U.S. Supreme Court TransUnion decision.  In Part 2, we will discuss the implications of the decision for efforts to defeat class certification. Individuals whose personal information was compromised in a data breach have had mixed success in bringing lawsuits in federal court against the companies that held their data.…

What’s happened? The European Commission has finalised its new standard contractual clauses (“SCCs”) for the transfer of personal data from EEA member states to the many “third countries” – most notably the U.S. – that have not been granted an “adequacy decision” that would permit such transfers in the ordinary course. Companies will only be able to enter into new…

Since the implementation of the California Consumer Privacy Act (“CCPA”) 18 months ago, more than 75 lawsuits have been filed seeking damages using the Act’s private cause of action. The CCPA provides a cause of action to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a…

On Monday, June 14, 2021, the Board of the California Privacy Protection Agency (“Agency”) hosted its first inaugural public meeting. As discussed in a prior posting, the California Privacy Rights Act (“CPRA”) established the Agency, which is governed by a five member Board and is tasked with adopting additional implementing regulations and enforcing the CCPA. While the meeting focused on…

May saw useful reminders for companies, including: (i) the need to appoint an EU – and/or UK – representative if caught by the (UK) GDPR’s extraterritorial effect; (ii) that regulators are increasingly focused on adtech and cookies compliance; and (iii) that the GDPR applies not just in the EU and UK but also Iceland, Liechtenstein and Norway.  We also saw…

The key development from April must be the European Data Protection Board (“EDPB”) approving the draft UK adequacy decisions from the European Commission (the “Commission”). Companies will be relieved that they are one step closer towards maintaining the seamless flow of data between the EU and the UK. Other notable developments this month include the publication of the Commission’s highly…

Our three previous articles in this series on the future of AI regulation have discussed the RFI on AI issued by U.S. banking regulators, the draft EU AI regulation, and the FTC’s recent guidance on AI bias and fairness. In this fourth post, we have taken those important developments in AI regulation, along with some other recently issued guidance, and…