The big news this November was the European Data Protection Board (the “EDPB”) issuing its highly anticipated post-Schrems II data transfer guidance, followed just a day later by the European Commission’s draft updated Standard Contractual Clauses (“SCCs”) (see our blog post here).  In case you missed them while trying to solve the data transfer conundrum, here are ten more enforcement…

On December 17, 2020 at 12:00pm ET, Luke Dembosky and Anna Gressel from Debevoise’s Data Strategy and Security Group will be joined by William Roberts, Acquisitions Chief for the U.S. Joint Artificial Intelligence Center, and Matti Neustadt Storie, Director of Privacy and Data Security for NetApp, for an insightful panel on “Artificial Intelligence and Government Contracting – Emerging Issues and…

On November 16-17, 2020, Anna Gressel and Avi Gesser from Debevoise’s Data Strategy and Security Group joined AI thought leaders from around the globe at “The Athens Roundtable on Artificial Intelligence and the Rule of Law.”  During the Roundtable, Avi and Anna were joined by Edward Stroz of Stroz Friedberg for an insightful panel on “Supervising AI: The Role of Corporate…

The European Data Protection Board (“EDPB”) recently published new guidance on how companies can validly transfer EU personal data to the many countries that have not been deemed by the EU Commission to generally provide an adequate level of data protection – most notably the U.S. (so called “third countries”). The guidance has particularly important implications for companies that transfer…

EU authorities have understandably declined to put forward a single list of mandatory data security controls that apply to all companies subject to the GDPR. As a result, each new enforcement action by EU data protection authorities provides guidance as to what the GDPR requires for “appropriate technical or organisational measures” to safeguard personal data. We summarise here the lessons…

On November 4, 2020, Vincent Pitaro of the Cybersecurity Law Report published: Comparing U.S. and E.U. Approaches to Incident Response and Breach Notification. The article summarises a panel discussion at the European Incident Response Forum 2020 which featured Robert Maddox from Debevoise & Plimpton’s London office. The panel compared the U.S. and E.U. approaches to incident response across a variety…

October was a particularly busy month, with headline-grabbing stories such as the long-awaited finalisation of the fines against British Airways and Marriott, which may well be the last penalties the UK Information Commissioner’s Office (the “ICO”) issues as a GDPR Lead Supervisory Authority.  Having already covered both fines (here and here), and the French CNIL’s latest cookies guidance, below is…

California voters have approved the new California Privacy Rights Act (“CPRA”). The margin was 56% – 44% – comfortable, if significantly tighter than pre-election polling that showed CPRA winning in a landslide. That comes on the heels of the California Attorney General’s release of still more proposed amendments to the regulations for the existing California Consumer Privacy Act (“CCPA”). Below…

Hot on the heels of British Airways’ £20m fine (covered here), the UK Information Commissioner’s Office has fined Marriott £18.4m for alleged data security failings linked to the breach of 339 million guest records.  Like the British Airways fine, the penalty is a significant climb-down from the amount originally proposed (£99m) in July 2019.  The penalty notice provides helpful insights…

Earlier this month, the Personal Data Protection (Amendment) Bill was read for the first time in Singapore’s Parliament. As we reported previously, in May 2020, Singapore’s Ministry of Communications and Information (“MCI”) and Personal Data Protection Commission (“PDPC”) launched an online public consultation on a draft bill which proposed long-awaited amendments to Singapore’s Personal Data Protection Act 2012 (the “PDPA”),…