Tough Cookie: French CNIL Hits Google and Amazon with a Total of €135 million in Fines

On December 7, 2020, the French data protection authority, the CNIL (“Commission Nationale de l’Informatique et des Libertés”), fined first Google LLC and Google Ireland Ltd €100 million, and then Amazon Europe Core €35 million for violations of the French Data Protection Act (“French DPA”).…

On December 10, 2020, California’s Attorney General formally announced a fourth round of proposed modifications to the AG’s regulations regarding the California Consumer Privacy Act (“CCPA”). These modifications include the long-awaited proposal for a universal form of “opt-out” button for businesses to use on their websites – shown below without further ado: The proposal responds to a mandate, in the…

We have recently written about the persistence of the four most common varieties of cyberattacks: Ransomware, Phishing, Business Email Compromises, and Credential Stuffing, as well as the increased regulatory scrutiny that companies face when they fall victim to these attacks. Over the last few months, we have observed an increase in another form of cybersecurity threat: DDoS ransom attacks, where cybercriminals demand a…

At many companies, employees are increasingly using non-business communication applications (“apps”) such as iMessage, WhatsApp and WeChat for business-related communications. This trend has likely accelerated in the COVID era, as work-from-home arrangements blur traditional lines between “business” and “personal” time, and many conversations that were normally held in person are now done virtually. A recent SEC enforcement action highlights the…

The big news this November was the European Data Protection Board (the “EDPB”) issuing its highly anticipated post-Schrems II data transfer guidance, followed just a day later by the European Commission’s draft updated Standard Contractual Clauses (“SCCs”) (see our blog post here). In case you missed them while trying to solve the data transfer conundrum, here are ten more enforcement…

On December 17, 2020 at 12:00pm ET, Luke Dembosky and Anna Gressel from Debevoise’s Data Strategy and Security Group will be joined by William Roberts, Acquisitions Chief for the U.S. Joint Artificial Intelligence Center, and Matti Neustadt Storie, Director of Privacy and Data Security for NetApp, for an insightful panel on “Artificial Intelligence and Government Contracting – Emerging Issues and…

On November 16-17, 2020, Anna Gressel and Avi Gesser from Debevoise’s Data Strategy and Security Group joined AI thought leaders from around the globe at “The Athens Roundtable on Artificial Intelligence and the Rule of Law.” During the Roundtable, Avi and Anna were joined by Edward Stroz of Stroz Friedberg for an insightful panel on “Supervising AI: The Role of Corporate…

The European Data Protection Board (“EDPB”) recently published new guidance on how companies can validly transfer EU personal data to the many countries that have not been deemed by the EU Commission to generally provide an adequate level of data protection – most notably the U.S. (so-called “third countries”). The guidance has particularly important implications for companies that transfer…

EU authorities have understandably declined to put forward a single list of mandatory data security controls that apply to all companies subject to the GDPR. As a result, each new enforcement action by EU data protection authorities provides guidance as to what the GDPR requires for “appropriate technical or organisational measures” to safeguard personal data. We summarise here the lessons…

On November 4, 2020, Vincent Pitaro of the Cybersecurity Law Report published: Comparing U.S. and E.U. Approaches to Incident Response and Breach Notification. The article summarises a panel discussion at the European Incident Response Forum 2020 which featured Robert Maddox from Debevoise & Plimpton’s London office. The panel compared the U.S. and E.U. approaches to incident response across a variety…