Swiss Flag

Switzerland is implementing new legislation to better protect its citizens’ data (“revFADP”), replacing the longstanding Federal Act on Data Protection of 1992. The revFADP improves the processing of personal data and grants Swiss citizens new rights consistent with other comprehensive data protection laws, such as the General Data Protection Regulation (GPDR) and UK GDPR. This important legislative change also comes with a number of increased obligations for companies doing business in Switzerland. Companies must quickly get up to speed on the revFADP requirements because the Act takes effect on September 1, 2023. Companies should not assume that compliance with the GDPR and UK GDPR equals compliance under the revFADP. While this revised legislation has many similarities to the GDPR, there are a few stark differences companies should be aware of. Here is the breakdown of what companies should know.

Continue Reading Nothing Neutral about the New Swiss Federal Act on Data Protection

On December 13, 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF or DPF”) signaling the potential return of the framework allowing the flow of personal data between the EU and the United States. Although this is a draft decision, if approved, it will ease trans-Atlantic data flow and ease the restrictions that were placed after the 2020 Schrems II decision invalidated the EU-U.S. Privacy Shield framework for cross-border transfers. This draft adequacy decision ultimately concluded that the DPF provides an adequate level of protection of personal data.

Continue Reading Don’t Call It A Comeback: EU-U.S. Data Privacy Framework Inches Closer to Implementation Following the European Commission’s Draft Adequacy Decision

Two weeks ago, the German Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz or “DSK”) released a report looking into Microsoft 365’s (Microsoft) compliance under the European Union’s General Data Protection Regulation (GDPR). DSK’s overarching conclusion of the report was that use of Microsoft 365 applications by businesses processing personal data runs afoul of GDPR requirements.

The DSK report alleged Microsoft’s policies and disclosures lack clarity with respect to how personal data is processed and which entity is processing that data. DSK was unable to conclusively determine the cases where Microsoft acts as a data controller rather than a data processor. The distinction between a data controller and a data processor is important because Article 5(2) of the GDPR imposes additional accountability requirements and responsibilities for data controllers. The DSK also expressed concerns regarding Microsoft’s lack of overall clarity and notification to users about subcontractors and sub-processors. The group determined that Microsoft’s lack of detail regarding subcontractors and sub-processors falls below the European Commission’s template on Standard Contractual Clauses.
Continue Reading Windows Pain? German Report Casts Doubt on Microsoft GDPR Compliance

The answer is simple; delete it (unless retention is required by law or contract)! Virtually every company processes personal data in some form or fashion. The term “processing” is defined broadly under most data protection laws to mean “any operation or set of operations which is performed on personal data.” The general rule is that when a business’ processing of personal data is complete, the data must be returned or deleted. Typically, data deletion arises:

  • when required contractually (i.e., in data processing agreements to comply with applicable data protection laws such as Europe’s General Data Protection Regulation’s (“GDPR”) Article 28(3)(g));
  • when requested by data subjects exercising their “right to be forgotten”/deletion/erasure under applicable data protection laws.  This means that, in some cases, even if a company’s processing of personal data is incomplete, the processing can be cut short if a person requests that their data be deleted.; and/or
  • as a requirement to do business with other companies. In some instances, data deletion or a process for deletion must exist to do business with other entities. For example, Facebook requires companies to have a policy/process for individuals to request their data be deleted (even if there is no applicable law imposing this requirement on the company) if a company wants individuals to create an account on the company’s website using their Facebook credentials.


Continue Reading I’m Done With My Data, Now What?

This week, the new rules for personal data transfers to countries outside the United Kingdom (“UK”) went into effect. As of March 21, 2022, businesses transferring personal data from the UK to countries outside the European Economic Area (“EEA”) need to analyze their data flows and update their agreements involving data transfer practices to reflect the UK Data Protection Authority’s (“ICO”) new standard contractual clauses.

Under both the European Union’s General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018, businesses are required to implement certain safeguards when transferring personal data outside the UK to countries “without an adequate level of data protection.” Standard contractual clauses (“SCCs”) are largely used to validate these types of transfers in the European Union as permitted under GDPR. However, following the “Brexit” transition period that concluded on December 31, 2020, GDPR no longer applied to the UK. Further, when the European Union revised SCCs in June 2021, the changes did not apply in the UK, and companies were left with confusion on how to effectuate personal data transfers outside the UK.
Continue Reading New Personal Data Transfers out of the UK: Like the GDPR, but Different

GDPR Image

The European Union’s (EU) General Data Protection Regulation (GDPR) sets out requirements for transferring personal data outside the European Economic Area. These requirements not only restrict the use and transfer of personal data, but also ensure that personal data is adequately protected with enforceable rights and effective judicial remedies. In 2020, the EU invalidated the EU-US Privacy Shield, a framework that many US companies relied on when transferring data. However, large tech companies, including Microsoft, have ensured compliance with the GDPR’s transfer requirements through the use of standard contractual clauses (SCCs). These SCCs are “pre-approved” by the European Commission to ensure that adequate protections and safeguards are in place for data transfers.

On May 6, 2021, Microsoft announced they were expanding its existing commitments to data privacy in the EU through a plan called the EU Data Boundary for the Microsoft Cloud (EU Data Boundary Plan). This pledge grows Microsoft’s data processing and storing capabilities in the EU by removing the need to move customer data outside the EU. Full implementation of this plan is set for the end of next year.

Continue Reading Freezing the Cloud: Microsoft Takes a Hardline on Data Privacy in the EU

The European Commission has finally released the first updates to the standard contractual clauses (SCCs) required for certain cross-border transfers in more than 10 years. The new SCCs include versions for use between processors and controllers, as well as one for transfers to third countries.  These new SCCs mark the first change in such clauses since 2010 and in view of the Court of Justice of the European Union’s decision in  Schrems II.

We will write more on this
Continue Reading Europe Commission Releases Updated Standard Contractual Clauses for GDPR Compliance

On February 3, 2021, the Virginia Senate passed the Virginia Consumer Data Protection Act (“VCDPA” or the “Act”). Upon approval from Governor Ralph Northam, Virginia will be the second state in the nation to adopt a comprehensive data privacy law. This proposed legislation places Virginia alongside California at the forefront of domestic data privacy regulations.

In 2020, California changed the landscape of data privacy laws in the United States with the California Consumer Privacy Act (CCPA). The CCPA, a result of a ballot initiative by California, introduced the idea of widespread data subject rights for American consumers. Nearly three years later, Virginia is securing the second place spot with its enactment of the VCDPA. The Act mirrors the CCPA and the European Union’s General Data Protection Regulation (GDPR) in many ways. For instance, the Act contains a broad definition of “personal data.” It imposes certain fundamental processing principles, such as purpose limitation and data minimization rules, on businesses that process personal data. It also provides Virginia consumers with new rights to access, correct, delete, and request processing modifications with respect to their personal data.

Once signed into law, the VCDPA will be effective January 1, 2023. In the meantime, companies doing business in Virginia should start actively thinking of ways to incorporate VCDPA requirements into their existing privacy policies and procedures. The key features of the VCDPA are summarized below.
Continue Reading And Then There Were Two: The Commonwealth of Virginia Joins California in Enacting Comprehensive Privacy Rights Law

The number of internet users in China has rapidly increased to over 900 million individuals as of March 2020.  As internet availability continues to rise in China and the country’s digital community grows in virtually all industries and populations, the People’s Republic of China is keying into the fact that foreign and domestic businesses seeking to capitalize on China’s market must adhere to rules regarding processing and transferring personal information across China’s borders.

On October 21, 2020, the National People’s Congress Standing Committee unveiled its draft Personal Information Protection Law (PIPL) to the public for view and comment.  If enacted, PIPL will be China’s comprehensive law on the protection of personal data.  The necessity of PIPL was cited in part by the National People’s Congress Standing Committee due to China’s explosive growth of information integration and the amount of personal data collected.  The Committee asserted that protection of its citizen’s personal information was of utmost importance for economic development and that there needed to be clear requirements in order to strengthen personal information protection.  Interestingly, PIPL provides numerous data protection principles similar to those we have seen enacted under the European Union’s General Data Protection Regulation and the California Consumer Privacy Act.  Specifically, the draft PIPL appears to take on general principles of transparency, fairness, limitations of purpose for data processing, retention limitations, and accountability.  Some of the more notable items within the draft PIPL include:
Continue Reading China’s Personal Information Protection Law (PIPL) – Data Privacy in the Land of Big Data

Each month, new developments in European privacy law demonstrate both how the times are changing, and how the 2010 Standard Contractual Clauses are increasingly antiquated.  Last month, the Commission of the European Union (the “Commission”) published two preliminary implementing decisions:

(1) a draft new set of standard contractual clauses for transfers of personal data from the EU to third countries (the “Cross-Border SCCs”); and

(2) a draft of new standard contractual clauses for certain clauses in controller-processor data processing agreements (“DPAs”) pursuant to Article 28(7) of the General Data Protection Regulations (“GDPR”).

Both drafts, available here, were widely anticipated following the Court of Justice of the European Union (“CJEU”) Schrems II decision, which invalidated the EU-US Privacy Shield framework for cross-border data transfer. Once approved, these new clauses will replace the previous standard contractual clauses used by organizations as an appropriate safeguard for making international transfers of personal data under GDPR.

Continue Reading Oh the Times (and the Clauses), They are a-Changing’