US Privacy in Flux. How the California Consumer Protection Act changes US Privacy Laws


US Privacy in Flux. How the California Consumer Protection Act changes US Privacy Laws
IT Law Camp 2018, Frankfurt, November 10, 2018
kai.westerwelle@twobirds.com

Agenda
1 The California Consumer Privacy Act
2 California: More than just one state
3 The US Privacy landscape
4 The CLOUD Act and the Shield

CCPA v. GDPR: GDPR as "Export Champion". GDPR aligns the European privacy landscape (EEA / EFTA adoptions). Comparable developments elsewhere: China's new privacy and cybersecurity laws; Brazil's Lei Geral de Proteção de Dados; Japan's Act on Protection of Personal Information (APPI); India; Mexico; Argentina; South Korea; Colombia; Canada; Australia; New Zealand; South Africa; and the California Consumer Privacy Act (CCPA).

CCPA GDPR Background

CCPA v. GDPR: Sisters, but not Twins

CCPA v. GDPR: Scope, substantial differences in coverage. Topics compared: Fines, Scope, Individual's Rights, Definitions, TOM, Transparency.

CCPA v. GDPR: Scope, substantial differences in coverage (continued). Topics compared: One Stop [Shop], Processing Records, Supervisory [Authority], DPIA, Controller, Processor, DPO.

CCPA v. GDPR: Who is addressed, limited scope v. catch-all
CCPA: Business (limited scope); not wholly outside California; limited to Service Providers; Change of Control (asset deal)
Comparison (CCPA v. GDPR): < Business in; = Affiliation; < Servicers; < Third Parties; < Change of Control
GDPR: Establishment in the EU; processing outside the EU; processing of EU data; no Change of Control

CCPA v. GDPR: Who is protected, residents v. data subjects
CCPA: Consumer protection; Consumer; California residents; outside the state; Children
Comparison (CCPA v. GDPR): = Individuals; < Residents; > Outside; = Children
GDPR: Fundamental right; Data Subjects; natural persons; within the EU; no limits; Children

CCPA v. GDPR: What data, personal information v. personal data
CCPA: Identified; Associated; no special categories; excludes publicly available data; pseudonymous data?
Comparison (CCPA v. GDPR): = Identified; = Identifiable; < No limits; > US PII
GDPR: Identified; Identifiable; Special Categories; publicly available data; pseudonymous data; aggregated data

CCPA v. GDPR: Transparency, privacy notice v. information requirement
CCPA: Some information; form readily accessible; online; "Do not sell"
Comparison (CCPA v. GDPR): = Transparent; = Intentions; < Less information; > Online
GDPR: Full information; purpose; legal basis; data retention; transfers to non-EU countries; automated decision-making

CCPA v. GDPR: Rights of the individual, privacy rights here and there
CCPA: Disclosure; Deletion; Access; Portability; Opt-Out; no discrimination
Comparison (CCPA v. GDPR): = Similar; < Forgotten; < Portability; < Access; < Opt-In; < Discriminate
GDPR: Information; Access; Rectification; Erasure; Restriction of Processing; Data Portability; Objection; Opt-In

CCPA v. GDPR: Security, private right of action v. regulator involvement
CCPA: Security measures required; private right of action; Notification
Comparison (CCPA v. GDPR): = TOM; > Individual Rights; < Less information; = Notification
GDPR: Technical and Organizational Measures (TOM); Regulator; Controller

CCPA v. GDPR: Consequences of non-compliance, damages v. fines
CCPA: 100 to 750 USD per case; private action; class action
Comparison (CCPA v. GDPR): = Severe!; > Individual Rights; < Authority
GDPR: 20 million or 4 % of annual global revenue; private claims; regulator complaints

CCPA v. GDPR: Reuse your GDPR efforts. GDPR: TOM; Processing Records; Notification. CCPA: Transparency; CRM (but opt-out); Individual's Rights.

2 California: More than just one state

California One of 50

California: Gross Domestic Product (chart; billion USD, 2016)

California Home of the Unicorns

California Home of the next Unicorns

California Home of the Big Guys

California Spearheading Privacy

California Spearheading Privacy California security breach notification law (California Civil Code 1798.82)

California Spearheading Privacy

3 The US Privacy landscape

US Privacy State Law v. Federal Law

US Privacy Patchwork Background Categories Activity Consumer Protection States Best Practice

US Privacy Patchwork: Background
Federal Trade Commission Act (FTC Act)
Children's Online Privacy Protection Act (COPPA)
Financial Services Modernization Act (Gramm-Leach-Bliley, GLB)
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA Omnibus Rule
Fair Credit Reporting Act
Controlling the Assault of Non-Solicited Pornography and Marketing Act
Electronic Communications Privacy Act
Computer Fraud and Abuse Act
Judicial Redress Act
Privacy Rule for broadband ISPs
Industry Best Practices
State security laws (technical, physical and administrative security protocols)
Security breach notification laws (all states, e.g. California Civil Code)
State privacy regulations, sometimes multiple per state, e.g. California: California Electronic Communications Privacy Act; several amendments to the security breach notification law; A.B. 1541 (redefining personal information, e.g. email address with password)

US Privacy Federal Privacy Act Race to the Bottom?

4 The CLOUD Act and the Shield

CLOUD Act and Privacy Shield: Clarifying Lawful Overseas Use of Data (CLOUD) Act, Background
Extension of the Stored Communications Act (SCA)
Background: United States v. Microsoft (Supreme Court, Feb 27, 2018)
Content: US law-enforcement orders under the SCA reach foreign data; bilateral agreements for enforcement in the US; formalized procedure for companies to challenge a request; limits and restrictions on enforcement with reference to privacy and civil liberties
Applies to (see SCA): providers of electronic communication services / remote computing; e-communication data and cloud-stored documents

CLOUD Act: Targeting
Access of US enforcement agencies to data in foreign countries
Legal certainty for providers caught between two conflicting laws
CLOUD Act Executive Agreements (see also Art. 48 GDPR): centerpiece of the CLOUD Act; reciprocal access to data held in the other country (not U.S. citizens!); countries with agreements (actually none) / countries without

CLOUD Act: Sidenotes
Allows providers to inform the foreign government of the law enforcement request so that the foreign government can object directly to the U.S. government
Electronic Frontier Foundation: "robbed from the American public when sneaking into the back of a 2,232 page government spending bill"

Survival of the Privacy Shield
Digital Rights Ireland v. EU (2016)
Committee on Civil Liberties, Justice and Home Affairs of the EU Parliament (LIBE) (March 2017)
Article 29 Working Party (autumn 2017)
EU Parliament (non-binding) resolution, July 2018

US Privacy in Flux Questions Why Who What Where When We Which

Dr Kai Westerwelle, Partner. Tel: +1 415 623 9950, kai.westerwelle@twobirds.com. "The World's Leading Patent & Technology Licensing Lawyers" (IAM 250). "One of the most recommended data protection specialists" (German Association of Inhouse Counsels). Client Choice Award for IT Law in Germany (ILO). Kai Westerwelle is recognized as a leading IT and privacy lawyer, with a particular focus on supporting both inbound and outbound business for the US market. Kai is a partner in our international Commercial Practice Group, based in San Francisco. As a German Certified Specialist Attorney in Information Technology Law, Kai has more than 25 years' experience in the field. He has specialized in information technology law, particularly outsourcing and cloud computing projects, national and international license agreements as well as comprehensive transactional advice. He has supported a substantial number of national and international restructurings and IoT projects, as well as many M&A transactions and IPOs. In addition, he focuses on German, European and international data protection law, especially relating to business from and with the USA. Kai is the author of numerous publications, mainly in the areas of information technology law, data protection and competition law. He regularly speaks at national and international congresses and lectures on data protection and compliance at universities in Germany and the USA. He is an active member of the German Society of Law and Information, Bitkom e.V. (Germany's leading association for IT & telecom companies), the German American Business Association and the International Association of Privacy Professionals, and a Member of the Board of Advisors of the International Privacy + Security Forum (USA). Kai speaks German, English and French.

Thank you Dr Kai Westerwelle kai.westerwelle@twobirds.com (415) 623 9950 https://www.linkedin.com/in/westerwelle twobirds.com Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.