Takeaways from the first review of the EU-U.S. Privacy Shield

(Oct 18, 2017) Today, the European Commission published its report and other materials documenting its first Annual Review of the EU-U.S. Privacy Shield. The annual review is a means for the Commission to evaluate its finding that the Privacy Shield “ensures an adequate level of protection” for personal data transferred from the EU to the U.S. Among other things, the report examines the implementation of the Privacy Shield by U.S. authorities. Overall, the EU Commission’s report concludes that “the United Stat...

WP29 releases guidelines on profiling under the GDPR

(Oct 18, 2017) The Article 29 Working Party has adopted new draft guidelines covering profiling and automated decision-making under the forthcoming GDPR. The proposed guidelines acknowledge two general benefits of these technologies: first, increased efficiencies and, second, resource savings. And they note the potential to “better segment markets and tailor services and products to align with individual needs.” However, the WP29 warns that profiling and automated decision-making technologies can pose “signi...

What’s new in the WP29 guidelines on DPIAs?

(Oct 17, 2017) The Article 29 Working Party has published this week its “last revised” guidelines on data protection impact assessments and determining whether processing is “likely to result in a high risk” for the purposes of the GDPR. The DPIA is a “process” that, according to GDPR Article 35, at a minimum, systematically describes an organization’s processing operations and their purposes and assesses their necessity and proportionality, the risks they present to the rights and freedoms of data subjects, a...

Schrems redux: Now what?

(Oct 5, 2017) According to the forthcoming 2017 IAPP-EY Privacy Governance Survey, to be released at P.S.R. in San Diego, 88 percent of companies that transfer personal data from the European Union to the United States and other non-"adequate" countries rely on standard contractual clauses as a valid method for doing so. As the privacy world now knows, however, the validity of SCCs is now squarely in doubt, following Tuesday’s decision by the Irish High Court in Data Protection Commissioner v. Facebook Irel...

Understanding 'Schrems 2.0'

(Oct 3, 2017) With the release of the Irish High Court’s decision to refer questions on the adequacy of standard contractual clauses to the Court of Justice of the European Union, there is a new “Schrems Case” back in the spotlight. Commonly referred to as Schrems 2.0, this case’s complex background is worth exploring due to its potential to jeopardize continued trans-Atlantic data flows from the European Union to the United States. Schrems 2.0 is the continuation of a complaint brought against Facebook Irel...

The legal risks for the DPO

(Sep 6, 2017) While the role of data protection officer has come into the spotlight given the impending General Data Protection Regulation in the EU, with that prominence may come personal liability. As the titular head of the data protection and privacy program, the DPO may be interpreted as the final decision maker surrounding the use of personal data, and in some jurisdictions that role can come with personal civil and criminal liability. In this white paper overview, IAPP Legal Extern Carissa Hanratty, CI...

The Privacy Advisor Podcast: What's it like to be just starting out?

(Jul 28, 2017) It seems to be the experience of many privacy pro newbies, anecdotally at least, that many employers are looking for pros who have at least a few years of experience to start, and, typically, they want them to be lawyers. But if everyone wants someone with experience, how does anyone get their start? In this episode of The Privacy Advisor Podcast, IAPP Westin Fellows Cobun Keegan, CIPP/US, CIPM, and Calli Schroeder, CIPP/C, CIPP/E, CIPP/US, CIPM, discuss what it's like to be just starting out in...

Trump's voter data request tests state public data rules

(Jul 7, 2017) On May 11, 2017, U.S. President Donald Trump established the Presidential Advisory Commission on Election Integrity through an executive order, with a stated mission to “study the registration and voting processes used in Federal elections.” The PACEI is chaired by Vice President Mike Pence, who selected Kansas Secretary of State Kris Kobach as a vice chair. There are currently eight other members, and the PACEI has scheduled its first meeting July 19, 2017. In his role as vice chair of the PAC...

IAPP Guide to FTC Privacy Enforcement

(May 5, 2017) This guide from the IAPP Westin Research Center describes the various paths the Federal Trade Commission may pursue when it brings privacy cases under its primary consumer protection authority, Section 5(a) of the FTC Act. The guide also discusses the various avenues that the FTC may pursue in seeking these remedies (e.g. administrative adjudication and filing suit directly in federal district court), and how these respective avenues lead to different available outcomes (e.g. fines, injunctive r...

It takes 21 hours to build a DPO, and much more

(Jan 25, 2017) With the EU's General Data Protection Regulation, the role of the data protection officer has come into sharp focus. Many organizations, especially those processing large amounts of EU citizen data or particularly sensitive data, will have to appoint a DPO, either someone already on staff or someone new to the organization. Some organizations may choose to outsource. Regardless, the question remains as to how to create a DPO when no obvious candidate in the organization exists. In an analysis of...