The number of internet users in China has rapidly increased to over 900 million individuals as of March 2020.  As internet availability continues to rise in China and the country’s digital community grows in virtually all industries and populations, the People’s Republic of China is keying into the fact that foreign and domestic businesses seeking to capitalize on China’s market must adhere to rules regarding processing and transferring personal information across China’s borders.

On October 21, 2020, the National People’s Congress Standing Committee unveiled its draft Personal Information Protection Law (PIPL) to the public for view and comment.  If enacted, PIPL will be China’s comprehensive law on the protection of personal data.  The necessity of PIPL was cited in part by the National People’s Congress Standing Committee due to China’s explosive growth of information integration and the amount of personal data collected.  The Committee asserted that protection of its citizen’s personal information was of utmost importance for economic development and that there needed to be clear requirements in order to strengthen personal information protection.  Interestingly, PIPL provides numerous data protection principles similar to those we have seen enacted under the European Union’s General Data Protection Regulation and the California Consumer Privacy Act.  Specifically, the draft PIPL appears to take on general principles of transparency, fairness, limitations of purpose for data processing, retention limitations, and accountability.  Some of the more notable items within the draft PIPL include:
Continue Reading China’s Personal Information Protection Law (PIPL) – Data Privacy in the Land of Big Data

Each month, new developments in European privacy law demonstrate both how the times are changing, and how the 2010 Standard Contractual Clauses are increasingly antiquated.  Last month, the Commission of the European Union (the “Commission”) published two preliminary implementing decisions:

(1) a draft new set of standard contractual clauses for transfers of personal data from the EU to third countries (the “Cross-Border SCCs”); and

(2) a draft of new standard contractual clauses for certain clauses in controller-processor data processing agreements (“DPAs”) pursuant to Article 28(7) of the General Data Protection Regulations (“GDPR”).

Both drafts, available here, were widely anticipated following the Court of Justice of the European Union (“CJEU”) Schrems II decision, which invalidated the EU-US Privacy Shield framework for cross-border data transfer. Once approved, these new clauses will replace the previous standard contractual clauses used by organizations as an appropriate safeguard for making international transfers of personal data under GDPR.


Continue Reading Oh the Times (and the Clauses), They are a ‘Changing

As we all prepare for what will undoubtedly be an unconventional holiday season, many of us are turning to our computers to check off items on our shopping list instead of bundling up to head to the mall. Online shoppers around the nation have already made the strongest showing in history with $10.8 billion in sales on Cyber Monday alone, which amounts to a 15.1% increase from last year, while foot traffic in brick and mortar stores was down 42.3% for Black Friday weekend. With the recent spikes in COVID-19 cases around the country, staying home and having those packages delivered right to your door step might seem like the safest way to go, but cyber criminals are pouncing at the online shopping frenzy to steal consumers’ personal and financial information.

This increased threat has been a common thread throughout 2020, as we saw cyber criminals amp up their tactics during the early days of the coronavirus crisis and when Americans received their CARES Act stimulus checks. Indeed, the bad guys are not taking a break because of COVID-19.  The FBI reports that cybercrimes are up an astonishing 400% this year. Now it is more important than ever to understand how these criminals operate and how you can avoid falling victim to these crimes so that you can keep your celebrations holly and jolly.
Continue Reading ‘Tis the Season…for Scams and Cybersecurity Threats

Taft partner Scot Ganow will be one of the presenters for “What we wish clients would do about business email compromise,” on Oct. 29, 2020. The one-hour seminar brings together cybersecurity and risk management professionals to examine business email compromise including a real-world case study, the ramifications of an attack, and how to arm your business against would-be opportunists.

Register to attend here.
Continue Reading Taft Partner to Speak on Business Email Compromise

After months of public comment and sporadic guidance issued by the California Attorney General’s Office, at long last we have the final regulations under the California Consumer Privacy Act, which have been approved by the Office of Administrative Law and filed with the Secretary of State’s Office. The regulations go into effect immediately, and include changes and withdrawn proposals that range from typographical to impactful.

The California Attorney General’s office has characterized the changes to the CCPA text as “non-substantive,” and has withdrawn certain proposed provisions “for additional consideration.” The non-substantive changes are designed to improve consistency in language, and are described in detail in the Addendum to the Final Statement of Reasons. Some withdrawn provisions, however, could impact companies expected to comply with CCPA. We discuss some notable sections below. 
Continue Reading Things Just Got Real: California Approves Final CCPA Regulations

Just a friendly reminder from the Taft Law Privacy and Data Security Practice Group that the Attorney General of California will commence enforcement of the California Consumer Privacy Act (CCPA) on July 1, 2020. While we have all understandably been focused on the many important issues of this year, both personally and professionally, let us not forget that the Attorney General of California explicitly declined to extend the enforcement date due to COVID-19 for this first of its kind state privacy law.

While it is obviously late in the game, and impossible to provide you all the ins and outs of CCPA compliance in this single post, you can always check older posts on our Taft Privacy & Data Security Insights.  That said, it doesn’t mean you can’t get started or continue making progress to understand and meet any applicable requirements for your business. Here are some quick points and additional resources to consider.
Continue Reading Don’t Forget! CCPA Enforcement Commences July 1, 2020

Like so many companies navigating the challenges and changes demanded by COVID-19, we at Taft have had to move our entire workforce home while maintaining a high level of support for our employees and clients. Whether in crisis, design, or other business strategy, companies should carefully and methodically approach the transition of its employees, equipment, and data to a remote environment. Such an approach should be followed in all such moves, whether temporary or permanent. In this article we share what we have learned and some best practices that will benefit any company considering making the move.

A. Operational Support (Andrea Markstrom, CIO, Taft Stettinius & Hollister LLP)

Faced with COVID-19 and moving a firm of 620+ attorneys to home offices, I knew this was not just another business continuity tabletop exercise. I needed to plan thoroughly while still reacting quickly. To do so, I thought about how we were going to be able to keep our employees safe, fully productive, and continue providing excellent service to our clients. To be successful, I think you need to consider and accomplish the following three things.
Continue Reading It’s more than giving ‘em a laptop: Operational & Security Considerations for Supporting the Remote Workforce

The road to hell is paved with good intentions. While the proverb may be a stretch for now, the latest lawsuit by the American Civil Liberties Union of Illinois (ACLU) against Clearview AI certainly shows that good intentions, when acted upon, may have unintended consequences. Technology utilized in the name of public protection—whether from global pandemics or criminal activity—can have disastrous effects when it comes to civil liberties and privacy.

The ACLU filed a lawsuit against Clearview AI based on violations of Illinois residents’ privacy rights. Clearview AI is a technology company that scrapes images from the internet, primarily from various social media platforms, in order to create a searchable database of individual’s face prints. The company claimed that it sold access to its searchable database to hundreds of police departments and federal agencies in order to protect children and aid victims of crimes. However, a recent data breach showed that Clearview AI actually also sold or provided access to its searchable database to retail chains Walmart and Macys, the NBA, Equinox, and many other non-law enforcement entities.


Continue Reading Crossing the Line? ACLU challenges Clearview AI’s Facial Recognition Technology

Losing a job and struggling with finances have added significant stress to those trying to stay safe during the COVID-19 pandemic. It is no secret that for weeks, state departments administering unemployment compensation have been under fire due to massive backlogs of unprocessed claims. Adding to claimants’ frustrations are a number of security incidents affecting several states’ agencies. We previously reported that the Small Business Administration experienced a breach compromising personal data for thousands of applications for financial assistance. Now we are seeing state level entities experiencing security compromises.

Pandemic Unemployment Assistance (PUA) is unemployment compensation available to self-employed and “gig” workers. In the past several weeks, thousands of workers in several states who applied for PUA received notice that their personal information was possibly exposed to other users. The personal information exposed included social security numbers, addresses, names, and the amount workers were receiving in benefits. Fortunately, at least at this time, there is no evidence personal information was misused and the alerts from the states were preventative.
Continue Reading Adding Insult to Injury: Government Agency Security Incidents Expose Unemployed Personal Data

For years, the idea of a federal privacy law in the same vein as GDPR seemed to be a far-fetched dream.  Then came the nightmare: coronavirus.  As mobile device and other monitoring services are being considered for employers and retail, because of the COVID-19 pandemic, the U.S. Senate announced a bill, which would apply to the collection of American health, geolocation, and proximity information.

The COVID-19 Consumer Data Protection Act (the “Act”) aims to heighten protection for American’s data by imposing requirements on businesses similar to those seen in the GDPR and CCPA.  Specifically, the Act is designed to protect information that constitutes “precise geolocation data, proximity data, and personal health information.”  Any entity or person who “collects, processes, or transfers covered information” and is also subject to the Federal Trade Commission Act, is a common carrier subject to the Communications Act of 1934, or is a nonprofit organization would be subject to the law.


Continue Reading COVID-19 Inspires Federal Consumer Privacy Act