The average American today generates more media than they did at any other point in history, and the ease with which our communications, photos, and videos are sent and stored digitally means most of us have more media stored in the cloud or on a single digital device than previous generations would have created in an entire lifetime. However, even as the amount of media we create and store has increased, the laws governing its search and seizure have failed to keep up. Under federal law and the laws of most states, the same information may be subject to different levels of protection from government authorities depending on whether that information is in the form of an e-mail stored in the cloud or a letter stored in a desk drawer.
California is attempting to change that equation. On October 8, 2015, Governor Jerry Brown signed into law the California Electronic Communications Privacy Act (CalECPA, SB 178), a sweeping bill
Today, one month after the European Court of Justice decision that invalidated the Safe Harbor framework, the European Commission (the “Commission”) issued a Communication setting forth its position on alternative tools for the lawful transfer of personal data from the EU to the United States. The Commission also stated its objective to conclude negotiations with the U.S. government regarding the so-called Safe Harbor 2.0 within three months. This timeline dovetails with the Article 29 Working Party’s grace period, which continues until the end of January 2016.
Over the course of the coming weeks, we will examine the various options available to companies in light of the European Court of Justice’s (CJEU) decision invalidating the US-EU Safe Harbor framework, including model contracts, binding corporate rules (BCRs), consent and reliance on derogations.
News out of Germany, however, indicates that a one-size-fits-all approach to data transfers from the EU to the U.S. may be difficult to achieve.
Results from the SEC’s First Round of Cybersecurity Examinations. On February 3, 2015, the OCIE published a risk alert summarizing its findings from its examinations of over 100 registered investment advisers and broker-dealers. The examinations were conducted as part of the OCIE’s cybersecurity examination initiative, announced in April 2014, to assess cybersecurity preparedness in the securities industry and gather information on common practices and trends among registered firms. The OCIE interviewed key personnel and reviewed documents at 49 registered investment advisers and 57 registered broker-dealers. The OCIE’s findings focused on how registered investment advisers and broker-dealers:
- Identify cybersecurity risks;
- Establish cybersecurity policies, procedures and oversight processes;
- Protect their networks and information;
- Identify and address risks associated with remote access to client information, funds transfer requests and third-party vendors; and
- Detect and handle unauthorized activities and other cyber-attacks.
Just one week after the milestone decision rendered by the CJEU (http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=fr&type=TXT&ancre) to invalidate the Safe Harbor program established 15 years ago between the U.S. and the EU to facilitate the transfer of personal data from the EU to the U.S., a German data protection authority (DPA) of the state of Schleswig-Holstein (one of the German DPAs) issued a position paper where it states that, in its opinion:
- Given the mass surveillance conducted by U.S. intelligence agencies, data subjects may not be able to provide effective informed consent to the transfer of their data to the U.S., which means that such a legal basis may not be able to be used to legally transfer personal data from Europe to the U.S.;
- Model contractual clauses are not a reliable tool to transfer personal data from Europe to the U.S. and data exporters should consider suspending such transfers under the model contracts. To reach this conclusion, the German DPA relied on the fact that the clauses require the data importer to represent that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter. However, the German DPA reasoned, U.S. data importers are not in a position to give such a representation.
Since the Article 29 Working Party on the Protection of Individuals (“WP29”) announced last week that it would shortly issue a statement on the landmark CJEU ruling invalidating the Safe Harbor Decision (Schrems v. Data Protection Commissioner (C-362-14)), we have been awaiting their guidance. Today, the WP29 issued an important statement offering some clarity to companies that, amid the fallout from the decision, have been pondering the question of “What’s next?”