What’s happened? The European Commission has finalised its new standard contractual clauses (“SCCs”) for the transfer of personal data from EEA member states to the many “third countries” – most notably the U.S. – that have not been granted an “adequacy decision” that would permit such transfers in the ordinary course. Companies will only be able to enter into new…

Since the implementation of the California Consumer Privacy Act (“CCPA”) 18 months ago, more than 75 lawsuits have been filed seeking damages using the Act’s private cause of action. The CCPA provides a cause of action to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a…

On Monday, June 14, 2021, the Board of the California Privacy Protection Agency (“Agency”) hosted its first inaugural public meeting. As discussed in a prior posting, the California Privacy Rights Act (“CPRA”) established the Agency, which is governed by a five member Board and is tasked with adopting additional implementing regulations and enforcing the CCPA. While the meeting focused on…

May saw useful reminders for companies, including: (i) the need to appoint an EU – and/or UK – representative if caught by the (UK) GDPR’s extraterritorial effect; (ii) that regulators are increasingly focused on adtech and cookies compliance; and (iii) that the GDPR applies not just in the EU and UK but also Iceland, Liechtenstein and Norway.  We also saw…

The key development from April must be the European Data Protection Board (“EDPB”) approving the draft UK adequacy decisions from the European Commission (the “Commission”). Companies will be relieved that they are one step closer towards maintaining the seamless flow of data between the EU and the UK. Other notable developments this month include the publication of the Commission’s highly…