On September 18, 2020, Brazil’s data protection law (Lei Geral de Proteção de Dados Pessoais, or “LGPD”) became retroactively effective August 16, 2020. Penalties do not begin until August 1, 2021, based on a previous delay passed by Brazil’s legislature. Brazil’s legislature previously rejected a provisional measure which would have postponed applicability of
International
European Union and U.S. Department of Commerce to Re-Evaluate Enhanced EU-U.S. Privacy Shield
Yesterday, on August 10, 2020, the European Commission (“Commission”) and the Department of Commerce (“DoC”) issued a joint statement announcing they are beginning discussions to evaluate potential enhancements to the EU-U.S. Privacy Shield framework. These discussions have begun to address compliance with the recent Schrems II decision by the Court Justice of the European Union…
Berlin Data Protection Authority Halts Berlin-U.S. Data Transfers Following Schrems II Decision
We previously posted on yesterday’s Schrems II decision issued by the Court of Justice of the European Union (CJEU). Today (Jun 17, 2020), the Berlin data protection authority (Berlin DPA) went even further than the CJEU opinion, issuing a statement on the Schrems II case, calling for Berlin-based data controllers storing personal data in the…

Court Of Justice of European Union (CJEU) Issues Schrems II Decision, Validating Standard Contractual Clauses, Invalidating EU-US Privacy Shield under GDPR
On July 16, 2020, the Court of Justice of the European Union (“CJEU” or “Court”) issued a significant judgment in Case C-311/18 (“Schrems II decision”) on the adequacy of protection provided by the EU-US Data Protection Shield. The court concluded that the Standard Contractual Clauses (“SCCs”) issued by the European Commission for the transfer of…
Apple and Google Launch Contact Tracing and Coronavirus Exposure API Software
- Details about Apple/Google Launch
Yesterday (May 20, 2020), Apple and Google launched software that will allow public health authorities to create mobile applications that notify people when they may have come in contact with people who have confirmed cases of COVID-19, while purportedly preserving privacy around identifying information and location data. People who have updated…
HHS Suffers Cyber Attack Meant to Slow Coronavirus Response, No Damage Done
According to a Bloomberg article posted earlier this morning, the U.S. Health and Human Services Department (“HHS”) suffered a cyber attack on its computer systems Sunday night. The attack appears to have been intended to slow the agency’s systems, but was unable to do so in any meaningful way. Just before midnight, the National Security…
FTC Issues Opinion and Final Order Against Cambridge Analytica
On December 6, 2019, the FTC issued an opinion finding that Cambridge Analytica, they had engaged in deceptive practices to collect personal information from several users of Facebook for purposes of voter profiling and targeting. In addition, the Commission found that Cambridge Analytica had engaged in deceptive practices regarding its participation in the EU-US Privacy…

Significant UK GDPR Penalties & Record FTC/Facebook Settlement Reveal Valuable Insight into Current Landscape of Privacy Governance and Compliance
This last week saw significant compliance and enforcement activity with respect to both GDPR and the FTC. Specifically, we saw two significant GDPR fines handed down by the UK Information Commissioner’s Office (ICO) against British Airways (approx. $230 million) and Marriott International (approx. $130 million). In addition, Facebook settled with the FTC for the largest…
China Releases Draft Measures for Data Security Management
*written with assistance from co-author and W&L law student, Isabella Gray.
On May 28, 2019, the Cyberspace Administration of China (“Cybersecurity Administration”) released a set of draft Measures for Data Security Management (the “Draft Measures”). The Draft Measures provide articles governing how network operators, defined as someone who owns and administrates a network or a…
French Data Protection Authority (CNIL) Imposes € 50 Million GDPR Sanction on Google

On January 21, 2019, the French Data Protection Authority, the Commission Nationale de L’Informatique et de Libertés (“CNIL”) announced a sanction of 50 million euros against Google. On May 25 and 28, 2018, the CNIL received complaints from two different associations, asserting that Google did not have a valid legal basis for the processing of…