European Union flag.

EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses

Image Credit: GregMontani from Pixabay.

**Update: On June 4, 2021, the European Commission formally adopted the new standard contractual clauses (“SCCs”) for international personal data transfers. Businesses will have a grace period of 18 months from the effective date of the European Commission’s decision to update all existing SCCs for transfers outside the European Union with the new SCCs.

In the meantime, businesses will be allowed to keep using the old SCCs for “new” data transfers over a transition period of three months from the effective date of the European Commission’s decision — giving organizations the chance to make any changes necessary for compliance with the new SCCs before incorporating them into their contracts. Such contracts, however, will also need to be updated within the 18-month-grace period.

On November 12, 2020, roughly four months after the European Court of Justice’s “Schrems II” decision which invalidated the EU-US Privacy Shield, the EU Commission released a draft set of new Standard Contractual Clauses (“SCCs” or “model clauses”).

These updated SCCs allow transfers of personal data from the EU to third countries, as well as a transfers by controllers when engaging processors located inside the EU. (For a further analysis of the Schrems II judgment, and the motivation for these new clauses, see our prior blog post).

Who can use the new SCCs?

The Commission’s draft, which includes the new SCCSs in its Annex, covers two new types of international transfers and contains important updates in order to bring the text of the model clauses in line with the General Data Protection Regulation (“GDPR”).

The current SCCs, approved by the Commission in 2001 and 2010, only addressed two data flow scenarios:

  • An EU-based controller exporting data outside of the EU to other controllers (controller-controller SCCs)
  • An EU-based controller exporting data outside of the EU to processors (processor- processor SCCs).

In this new draft, the Commission addressed a gap which frequently occurred in practice: EU processors exporting data to controllers and processors outside of the EU. This addition further reflects the expanded territorial scope of the GDPR.

Continue Reading EU-US Data Transfers After Schrems II: European Commission Publishes New Draft Standard Contractual Clauses
social network patents

Facebook, Patents, and Privacy: Social Media Innovations to Mine Personal Data

Social Media Patents & Privacy Data

[©2016. Published in GPSOLO, Vol. 37, No. 5, September/October 2020, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder]

* Updated November 25 to include references to CPRA/ Prop24.

The episode “Nosedive” of the television series Black Mirror envisions a society built on social credit scores. In this dystopia, all social media networks have converged into one platform—think Facebook, TikTok, Yelp, and Equifax combined.

This umbrella social platform allows users to rate each other on a five-point scale after each social interaction. Those with a high score gain access to job opportunities, favorable zip codes, and even high-status relationships. Those with a low score have the social ladder kicked out from under them, leading to a downward cycle of estrangement—and in the case of Black Mirror’s protagonist, jail time.

While the society in “Nosedive” seems far-fetched, is the technology behind it plausible?

Facebook Patents That Impact Privacy

According to Facebook’s patents, the answer is a resounding “yes.”

In a series of filings spanning almost a decade, Facebook has obtained several patents that allow social media platforms to track, identify, and classify individuals in new and innovative ways. Below are just few.

Tracking individuals via dust. U.S. Patent No. 9485423B2, “associating cameras with users and objects in a social networking system” (filed September 16, 2010, patented June 25, 2013), allows social media networks to identify an individual’s friends and relationships by correlating users across the same camera. To do so, an algorithm analyzes the metadata of a photo to find a camera’s “signature.”

Continue Reading Facebook, Patents, and Privacy: Social Media Innovations to Mine Personal Data
Offset angled photo of Proposition 24 from the 2020 California Voter's Guide

What Businesses Need to Know if Voters Pass Proposition 24 (California Privacy Rights Act of 2020, “CPRA”)

Hot on the heels of the California Consumer Privacy Act (CCPA), California residents this November will vote on Proposition 24. A majority yes vote on Prop 24 would pass the California Privacy Rights Act (CPRA). The CPRA proposes several amendments to the CCPA, such as granting new rights to consumers, imposing greater penalties on businesses for certain violations, and creating a new state enforcement agency, the California Privacy Protection Agency (CPPA).

1. Right to Restrict Use of Sensitive Data

Under the newly added Section 1798.121, consumers now have the right to direct businesses to limit the use of “sensitive personal information.”

As defined in CPRA, sensitive personal information appears to combine the conventional definition of “personally identifiable information” from state breach notification laws with the definition of “special category data” under the GDPR. Accordingly, sensitive personal information is data that may include a Social Security Number, driver’s license number, account log-in/debit/credit card information in combination with password or PIN. It may also include a consumer’s precise geolocation, the contents of their e-mails or texts to others, and racial, religious, biometric, or health data.

If directed to do so, businesses must limit the use of sensitive personal information to only those purposes that are necessary to provide a consumer’s requested services or goods.

To facilitate consumer exercise of this right, businesses may be required to add another link, “Limit the Use of my Sensitive Personal Information,” to their websites, in addition to any existing “Do Not Sell My Personal Information” link.

2. Right to Opt-Out of Cross-Context Behavioral Advertising

The CPRA requires a right of opt-out for “cross-context behavioral advertising” regardless of whether it constitutes a “sale” of personal information or not.

Continue Reading What Businesses Need to Know if Voters Pass Proposition 24 (California Privacy Rights Act of 2020, “CPRA”)
china data privacy law

China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime

[Originally published as a Feature Article: China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime, by Carolyn K. Luong, in Orange County Lawyer Magazine, April 2020, Vol. 62 No.4, page 31.]

By Carolyn Luong

U.S.-China relations have been a trending topic throughout the past year due to several conflicts involving the alleged encroachment upon free speech principles and perceived threats to U.S. national security. The NBA and Activision-Blizzard, both U.S.-based organizations, fielded criticisms in October of 2019 for supposed political censorship motivated by the fear of losing Chinese customers. Furthermore, as the U.S. races to build out its 5G infrastructure, the U.S. government has explicitly restricted U.S. corporations from conducting business with Chinese technology manufacturer Huawei upon apprehension that Huawei equipment may contain backdoors to enable surveillance by the Chinese government.[1]

Dr. Christopher Ford, Assistant Secretary of the U.S. State Department’s Bureau of International Security and Nonproliferation remarked in September that, “Firms such as Huawei, Tencent, ZTE, Alibaba, and Baidu have no meaningful ability to tell the Chinese Communist Party ‘no’ if officials decide to ask for their assistance—e.g., in the form of access to foreign technologies, access to foreign networks, useful information about foreign commercial counterparties . . . .”[2] These Chinese firms in response firmly deny any allegations of contemplated or actual instances of required cooperation with the Chinese government to compromise user information or equipment.

Continue Reading China’s 2020 Cryptography Law in the Context of China’s Burgeoning Data Privacy and Security Regime
Lock on a computer screen held to edges by chains

What Is Happening in Children’s Online Privacy?

Children’s online privacy has always been an important topic, but a number of recent developments around the world have many businesses taking it more seriously. In September, Google agreed to pay a record $170 million fine to the U.S. Federal Trade Commission for violating the Children’s Online Privacy Protection Act (COPPA) by illegally collecting personal information from children without parental consent and using it to profit through targeted ads. A few weeks later, China’s own version of COPPA called the “Measures on Online Protection of Children’s Personal Data,” came into force, providing further clarity on protecting children’s personal data online under China’s Cyber Security Law. On October 7, the FTC hosted a public workshop to explore whether to update COPPA, which is over 20 years old and in need of a refresh due to the emergence of new technologies. (Just think of all those smart devices, social media platforms and educational apps and technologies that were not around in 1998). Finally, the California Attorney General recently released proposed regulations to the California Consumer Protection Act, which goes into effect in January 2020, that would require a business that knowingly collects the personal information of children under the age of 13 to establish, document and comply with a reasonable method for determining that the person affirmatively authorizing the sale of the personal information about the child is the parent or guardian of that child.

Many children start using the Internet at an early age, raising privacy issues distinct from those for adults. First, children may not understand what data is being collected about them and how it is used. Second, children can easily fall victim to criminal behavior online by providing seemingly innocuous information to web users who can appropriate such information for malicious purposes. Third, children cannot give the same meaningful consent to data collection and use activities as an adult. 

In the U.S., Congress passed COPPA in 1998 to protect children’s use of the Internet—particularly websites and services targeted toward children. COPPA requires website operators to provide clear and conspicuous notice of the data collection methods employed by the website, including functioning hyperlinks to the website privacy policy on every web page where personal information is collected. It also requires affirmative consent by parents prior to collection of personal information for children under the age of 13. Recognizing that teenagers between the ages of 13 and 18 are not protected under COPPA, many individual states have made efforts to address privacy issues for this age group.

Recognizing the need to update COPPA to keep up with the times, the FTC considered the following topics at the October workshop, among others:

Continue Reading What Is Happening in Children’s Online Privacy?
1 2 3 4 5 7