On September 18, 2020, Brazil’s data protection law (Lei Geral de Proteção de Dados Pessoais, or “LGPD”) became retroactively effective August 16, 2020.  Penalties do not begin until August 1, 2021, based on a previous delay passed by Brazil’s legislature. Brazil’s legislature previously rejected a provisional measure which would have postponed applicability of

Yesterday, on August 10, 2020, the European Commission (“Commission”) and the Department of Commerce (“DoC”) issued a joint statement announcing they are beginning discussions to evaluate potential enhancements to the EU-U.S. Privacy Shield framework.  These discussions have begun to address compliance with the recent Schrems II decision by the Court Justice of the European Union

We previously posted on yesterday’s Schrems II decision issued by the Court of Justice of the European Union (CJEU). Today (Jun 17, 2020), the Berlin data protection authority (Berlin DPA) went even further than the CJEU opinion, issuing a statement on the Schrems II case, calling for Berlin-based data controllers storing personal data in the

On July 16, 2020, the Court of Justice of the European Union (“CJEU” or “Court”) issued a significant judgment in Case C-311/18 (“Schrems II decision”) on the adequacy of protection provided by the EU-US Data Protection Shield. The court concluded that the Standard Contractual Clauses (“SCCs”) issued by the European Commission for the transfer of

  1. Details about Apple/Google Launch

Yesterday (May 20, 2020), Apple and Google launched software that will allow public health authorities to create mobile applications that notify people when they may have come in contact with people who have confirmed cases of COVID-19, while purportedly preserving privacy around identifying information and location data. People who have updated

According to a Bloomberg article posted earlier this morning, the U.S. Health and Human Services Department (“HHS”) suffered a cyber attack on its computer systems Sunday night.  The attack appears to have been intended to slow the agency’s systems, but was unable to do so in any meaningful way.   Just before midnight, the National Security

On December 6, 2019, the FTC issued an opinion finding that Cambridge Analytica, they had engaged in deceptive practices to collect personal information from several users of Facebook for purposes of voter profiling and targeting.  In addition, the Commission found that Cambridge Analytica had engaged in deceptive practices regarding its participation in the EU-US Privacy

This last week saw significant compliance and enforcement activity with respect to both GDPR and the FTC.  Specifically, we saw two significant GDPR fines handed down by the UK Information Commissioner’s Office (ICO) against British Airways (approx. $230 million) and Marriott International (approx. $130 million).  In addition, Facebook settled with the FTC for the largest

*written with assistance from co-author and W&L law student, Isabella Gray.

On May 28, 2019, the Cyberspace Administration of China (“Cybersecurity Administration”) released a set of draft Measures for Data Security Management (the “Draft Measures”).  The Draft Measures provide articles governing how network operators, defined as someone who owns and administrates a network or a

On January 21, 2019, the French Data Protection Authority, the Commission Nationale de L’Informatique et de Libertés (“CNIL”) announced a sanction of 50 million euros against Google.  On May 25 and 28, 2018, the CNIL received complaints from two different associations, asserting that Google did not have a valid legal basis for the processing of