President Biden and EU leaders announced on March 25, 2022 an agreement in principle to craft a replacement for the Privacy Shield and expand options for trans-Atlantic data transfers in accordance with the General Data Protection Regulation (“GDPR”).
Background
The GDPR requires that transfers of personal data of EU residents to countries outside of the EU must take place pursuant to an approved transfer mechanism,… More
The French Conseil d’Etat handed down an important decision October, 13th regarding privacy and personal data protection. This decision comes in the wake of the “Schrems II” ruling of the Court of Justice of the European Union (CJEU), which ruled that the protection of data transferred to the United States by the “Privacy Shield” was insufficient under European law.
A platform managing health data (named “Health Data Hub”) was created in 2019 to facilitate the share of these data in order to promote research.… More
On 26 July 2019, the Greek Supervisory Authority (SA) found Pricewaterhouse Coopers (“PwC”) not compliant with General Data Protection Regulation (GDPR) in relation to the processing of its Greek employees’ personal data. The SA issued a €150,000 fine and an injunction requiring PwC to take measures to comply within three months (which is has apparently done). A summary of the decision in English is available on the Greek SA’s website.… More
Data scraping is a technique where information on one platform is exported onto another. The practice is widespread and is used for all sort of reasons, like market analysis or advertising. The kind of information located and extracted is as varied as the kind of information that exists on the internet–which is to say, anything and everything–but where it becomes particularly interesting is when personal information is being scraped.… More
It has been rough weather for Google in France. Three weeks after the French Data Protection Authority imposed a record fine against Google for non-compliance with the GDPR, the Paris District Court (“Tribunal de Grande Instance”) invalidated 38 clauses of Google’s Privacy Policy and Terms of Use for Google+, the Internet-based social media network owned and operated by Google. This decision was rendered on February 12,… More
On January 23, 2019, the European Data Protection Board (“EDPB”) issued an interesting opinion about personal data processed in relation to clinical trials.
The main role of the EDPB – which succeeded the Article 29 Working Party – is to contribute to the consistent application of the GDPR throughout the European Union. Its tasks include providing general guidance to clarify the law and advising the European Commission on data protection issues and new legislations.… More
On 21 January 2019, the French Data Protection Authority (the “French DPA”) fined Google LLC 50 million euros for breach of the GDPR.
As we reported on this blog, just after GDPR became applicable, noyb.eu (None of Your Business), the non-profit privacy organization set up by Max Schrems, the Austrian lawyer who initiated the action against Facebook that led to the invalidation of the Safe Harbor,… More
On January 10, 2019, Advocate General Szpunar issued his much awaited opinion in the Google case that was referred to the European Court of Justice by the French “Conseil d’Etat”, the highest administrative court of the country. The Conseil d’Etat basically asked the European Court of Justice to follow-up on its Google Spain decision: is the right to be forgotten –… More
Our experience in advising clients about GDPR and assisting them in the compliance process is that there are often misconceptions about the so-called “right to be forgotten”. The purpose of this post is to address some of these misconceptions.
The GDPR replaced the EU’s 1995 Directive which provided in Article 12(b) that “Member States must guarantee every data subject the right to obtain from the controller: (…),… More
Partner Colin Zick will join Naomi Leach, Senior Associate, Data Protection at Stephenson Harwood, and Lana Gladstein, Vice President and General Counsel at Brammer Bio, for a MassBio program on July 31 entitled The Era of GDPR Data Privacy, Two Months In: Do you have a Data Transfer Agreement handy?
Details
The GDPR Data Privacy Law has been in effect since May 25,… More
Attorneys Colin Zick, Catherine Muyl and Marion Cavalier recently presented a webinar for MichBio U on what the EU’s General Data Protection Regulation means for U.S. healthcare and life science companies.
Click here to download the presentation. More
As many of you may already be aware, the European GDPR goes into effect during May 2018. Below are some frequently asked questions and answers about GDPR as a short guide to assist investment advisers and private fund managers with initial GDPR analysis.
What is GDPR?
It is the new General Data Protection Regulation (GDPR) adopted by the European Union that is intended to protect the “personal data” of natural persons in the European Union.… More
Attorneys Colin Zick, Catherine Muyl and Marion Cavalier recently presented a webinar for MichBio U on what the EU’s General Data Protection Regulation means for U.S. healthcare and life science companies. Click here to download the presentation. More
A lot of information has been circulating about GDPR in the last months from all kinds of sources, some more reliable than others, and you may have the feeling that you are quite knowledgeable about it. We have designed this quiz to enable you to check how knowledgeable you really are.
If you get all the answers right except for one or two, you are a true expert!… More
Partners Colin Zick and Catherine Muyl joined the MassTLC’s CISO and CTO Peer Group Meeting this week to discuss the General Data Protection Regulation. Click here to download the presentation, which focused on setting security strategies and new obligations starting in May 2018. More
In the European Union (“EU”), “everyone has the right to the protection of personal data concerning him or her” under the Charter of Fundamental Rights. Intellectual property is also protected as a fundamental right under the Charter, as is freedom of speech. These rights can sometimes conflict. In two previous posts on cases about linking to Playboy pictures and the inspiration for Jeff Koons’ sculptures,… More
Partners Colin Zick and Catherine Muyl will join MassTLC’s CISO and CTO Peer Group Meeting on Tuesday, February 6 to discuss the General Data Protection Regulation.
The fast approaching deadline to comply with GDPR is only months away. There are checklists and guidelines to help companies meet these new regulations, but realistically what must companies prioritize, how do you create these new protocols in your company,… More
With enforcement set to begin in May 2018, organizations around the world must be ready to comply with the European Union’s General Data Protection Regulation (GDPR). Partner Colin Zick discusses 10 things you need to know now with Enterprise.nxt.
Avoid GDPR non-compliance fines with this list of things to consider and plan for before the fast-approaching deadline. Click here to read more.… More
Privacy and data security have rocketed to the top of the list of concerns for all corporate boards. Whether you are a technology company, a biotech, or a traditional widget maker, your company has confidential information about its products, customers and employees. And that information has to be protected as a matter of law, both by statute and under contracts with your customers and suppliers.
As in-house counsel,… More
This is the third post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part One and Part Two)
GDPR Features that Apply Specifically to the Healthcare/Life Science Sectors
Even though the GDPR is a general regulation,… More
This is the second post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part One and Part Three)
New General Features of the GDPR
Some of the GDPR general features may be of particular interest for companies in the healthcare/life science sectors.… More
This is the first post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part Two and Part Three)
The clock is ticking: on May 25, 2018, in less than a year from now, the General Data Protection Regulation (“the GDPR”) will apply in all Member States of the European Union (“EU”) and will replace the Directive 95/46/CE (“the Directive”).… More
Emmanuel Macron won France’s presidential election in a landslide. He defeated his opponent, Marine Le Pen, by more than thirty percentage points. Such a high margin might lead one to think that his victory was inevitable. But on the eve of the election, it did not seem that way.
On the Friday before the Sunday election, hackers released a trove of documents they had stolen from the Macron campaign.… More
The new (EU) 2016/679 General Data Protection Regulation (GDPR) will enter into force on 25 May 2018. Its scope is broader than that of the current 95/46/CE Directive, which means that more companies headquartered outside of the EU will have to comply with European data protection rules than under the current regime.
The 95/46/CE Directive set up a European body, the Article 29 Working Party,… More
US companies with employees or clients in Switzerland will be interested to hear that the new Swiss-US Privacy Shield was approved on 11 January.
Although Switzerland is not a member of the European Union, its data protection law (Federal law of 19 June 1992) is very similar to the European 1995 Data Protection Directive. According to the Federal law, the transfer of personal data outside of the country is not allowed if that would pose a serious threat,… More
Reuters reported earlier this month that, according to three former employees, Yahoo Inc. had “complied with a classified U.S. government demand, scanning hundreds of millions of Yahoo mail accounts at the behest of the NSA or FBI.” Yahoo responded that the article was misleading, but did not deny the scanning had occurred.
The New York Times reported further details about this scanning: Yahoo had modified a system intended to scan emails for child pornography and spam in order to satisfy a secret court order requiring it to search for messages containing a computer “signature” tied to the communications of a state-sponsored terrorist organization.… More
On July 6, 2016, the European Union adopted Directive (EU) 2016/1148, “concerning measures for a high common level of security of network and information systems across the Union,” otherwise known as the Network and Information Security Directive. (A directive, in EU parlance, is an instruction to member states to achieve a particular objective and a general framework for how to do so. This differs from a regulation, which is immediately binding on all member states.) Pursuant to this Directive,… More
What the recent Amazon decision tells us
On 28 July 2016, the European Court of Justice rendered a decision in a dispute between an Austrian Consumer Protection organization known as VKI (Verein für Konsumenteninformation) and Amazon EU Sàrl, a subsidiary of Amazon registered in Luxembourg. The main issue in this case is whether Amazon General Conditions were enforceable under Consumer Law; however; one of the questions referred to the European Court was about the territorial scope (Article 4) of the 95/46/EC Directive on Data Protection.… More
Article 29 Working Party on the EU-US Privacy Shield:
The EU’s Article 29 Working Party analyzed the final version of the Privacy Shield and issued a statement on July 26, 2016. What does this mean?
On February 29, 2016, the European Commission issued a draft adequacy decision reflecting the outcome of its negotiations with US authorities in relation to the Privacy Shield,… More
Are you looking for an introduction to the European Union’s General Data Protection Regulation (GDPR)? To find out when and how it’s going to impact you and your organization, listen to this quick 10 minute podcast with, Deborah Hurley. Deborah is an adjunct professor of the practice of computer science at Brown University, fellow at the Institute for Quantitative Social Science at Harvard University, and principal at Hurley Consulting.… More
Key takeaways:
The Details:
Following the invalidation of the US-EU Safe Harbor by the European Court of Justice in the Schrems case,… More
The full text of the General Data Protection Regulation (GDPR) was published on 4 May 2016. Although the GDPR will not be effective until 25 May 2018, it is worth looking into it right now given the major changes it makes to the rules in the 1995 Directive.
Application of the GDPR
The GDPR applies to the processing of personal data by companies having an “establishment” in the European Union,… More
After the European Court of Justice invalidated Safe Harbor on October 6, 2015, the Article 29 Working Party announced in an October 16, 2015 statement that US companies that were Safe Harbor certified had until the end of January 2016 to find alternative means to transfer data to the US and, if they failed to do so, EU Data Protection Authorities would pursue enforcement measures.… More
In Case You Missed It: US and EU officials signed on to the so-called “Privacy Umbrella” deal last week. The agreement is designed to protect the personal data of EU citizens when it is transferred to the US for law enforcement purposes — a sort of criminal counterpart to the sturdier-sounding Privacy Shield we discussed here last Thursday. And, like the Shield, the Umbrella has drawn its share of critics,… More
On 29 February the European Commission released its draft adequacy decision about the proposed Privacy Shield, which is intended to replace the invalidated EU-US Safe Harbor. While Microsoft stated on April 11 that they “pledged to sign up for the Privacy Shield,” the European authorities have so far been much more skeptical.
On May 25, 2016, partners Catherine Muyl, Colin Zick and Daniel Schimmel participated in a panel discussion on how companies can transfer personal data and remain compliant. The event, co-sponsored by The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York, was part of the FACC’s “Tech, Media & Entertainment”… More
How Can Companies Transfer Personal Data and Remain Compliant?
The French-American Chamber of Commerce, Foley Hoag LLP and The Consulate General of France in New York are pleased to invite you to a timely panel discussion and networking event.
Date: Wednesday, May 25
Time: 6:00 pm – 8:00 pm
Location: Consulate General of France
934 Fifth Avenue
New York,… More
After years of intense discussions, the EU General Data Protection Regulation (GDPR) was finally adopted on 14 April 2016.
The GDRP sets out uniform new rules in the field of data protection across the EU, rules that will standardize the law in the 28 EU Member States and have an impact on both European and non-European companies. For example:
After the invalidation of the Safe Harbor by the European Court of Justice (“ECJ”) last October in the Schrems case, negotiations between the European Commission and US authorities led to a new agreement called the EU-US Privacy Shield. However, the EU’s 1995 Data Protection Directive provides that the Article 29 Working Party (“WP29”) has to issue an opinion on this kind of agreements and it did so on April 13.… More