Photo of Chiara Portner

Chiara holds the certificate for CIPP/US for U.S. private-sector privacy from the International Association of Privacy Professionals (IAPP), the global standard in privacy certification.

Last July you will recall that in the Schrems II Case (“Schrems”) the Court of Justice of the European Union (“CJEU”) invalidated the European Union/United States (“EU/US”) Privacy Shield framework, while also reiterating that companies could rely on the standard contractual clauses (“SCC”s).  However, the CJEU also made clear that transfers of personal data from the European Economic Area (“EEA”) to non-adequate countries were not always permissible, requiring supplemental measures and in some cases transfer impact assessments.

In order to address the Schrems II holding and to improve ill-adapted SCCs that pre-dated the General Data Protection Regulation (“GDPR”) amid an exponential increase in cross-border transfers, the European Commission adopted two new sets of SCCs June 4, 2021:  Third Country Transfer SCCs and Controller-Processor SCCs.  As detailed below, these new SCCs must be used commencing September 27, 2021, for all new data transfers.  Companies have until December 27, 2022 to amend contracts for data transfers that previously were made under the old SCCs.
Continue Reading Addressing Data Transfers from the European Union Starting September 27, 2021

This summer, Colorado passed the new data privacy law called the Colorado Privacy Act (“CPA”), granting Colorado residents new rights and creating new obligations for businesses that are located in or conduct business with those in Colorado. CPA regulates the collection of personal data, or information relating or reasonably linkable to an identifiable person, such as a person’s name, social security numbers, email address, transaction data, Internet browsing history, and geolocation.
Continue Reading Colorado Privacy Act

In April, Rob Bonta became the new California Attorney General. In swift form, and not taking any summer break, he has made it clear that privacy and CCPA compliance is a priority, and that enforcement won’t be limited to a handful of requirements under the CCPA, as many previously believed.

First, the Attorney General posted several examples of enforcement actions, including those addressing the following issues:
Continue Reading The Summer of CCPA Enforcement

A few weeks ago, many Americans on the east coast spent several days scrambling for gas when Colonial Pipeline halted systems for 5,500 miles of pipeline as a precautionary measure after being hit by a ransomware attack. Highly publicized, the Colonial Pipeline ransomware attack is just one of many that have been hitting companies small and large. Healthcare has been a prime target, but other industries are equally at risk, and critical national infrastructure now appears to be a target. In 2020, over 2,000 local governments, health care facilities and schools were victims of ransomware.
Continue Reading STEP UP SECURITY TO PROTECT YOUR ORGANIZATION FROM CRIPPLING RANSOMWARE ATTACKS

Data privacy and security terms have become ubiquitous in software license agreements, including in both hosted service agreements and software license agreements. Security terms have been the norm for many years in the SaaS world, where the software licensor is hosting a customer’s data. However, in more recent years, much to the chagrin of small start-up software licensors of on-premise software, security terms and guarantees are now an expected part of the deal, even if the terms tend to be shorter in length and more limited in scope. Given the increasing importance – and inherent risks – of storing data, customers are understandably still concerned with data privacy and security even where a vendor is not actually hosting or storing their data.
Continue Reading Why Security Matters Even More for On-premise Software Vendors

Happy new year from our team at Hopkins & Carley! With each new year comes a host of bright new intentions. As each of us knows all too well, some will stick and others will quickly be forgotten. As a reminder to stay the course when it comes to data privacy and security, this year we kick off our 2021 to-do (and not-to-do) list. Rather than focus on privacy and security predictions for 2021, we wanted to share a list of action items based on some of the hard-learned lessons from 2020, as well as trends that we expect to continue into 2021. 2020 was a very busy and tumultuous year in the privacy and security world, and this will certainly also be the case in 2021. Companies that handle personal information must juggle an increasing number of laws, regulations, business-mandated requirements and risks. With that, here are a few things to keep in mind as we enter 2021:
Continue Reading Our Privacy & Security 2021 To-Do (and Not-To-Do) List: Lessons Learned From a Year Like No Other

Data retention. It’s not something that excites and invigorates businesses. But it is a necessary cost of doing business, not only to ensure one retains certain data for as long as each applicable law requires, but also as an increasingly important risk mitigation strategy.

Determining how long to retain a type of data or record depends on several factors. Various laws and regulations mandate that businesses retain certain records and data for minimum time periods. Statutes of limitation on certain types of claims also guide businesses as to how long to retain certain data. Conversely, privacy laws have always included a component of data minimization requiring businesses not to “hoard” data. Taken as a whole, these different rules require businesses to strike the right balance between retaining data for at least the properly mandated period and not retaining it for longer than necessary. Now, getting this right is even more important with the increasing risks of class action lawsuits for data security breaches. Quite simply, the more data you have, the more data you can lose. Having bastions of data will further complicate the tracking of data that may have been accessible to or taken by an unauthorized third party. This is one reason why, despite requirements to promptly notify individuals that their data was accessed in a security breach, businesses may take months to provide the notifications to individuals.
Continue Reading Data Retention – More than Meets the Eye

With the adoption of more stringent privacy laws across the globe, we have seen an exponential increase in privacy technology (or “tech”) vendors offering automated privacy compliance solutions. Among other things, privacy tech vendors provide software and services to assist companies with a whole range of services, including data inventory and mapping, privacy assessments, compliance reports and risk management, as well as policies, individual rights automation and other records that may be required as part of an organization’s compliance obligations. Many privacy tech vendors pitch their solutions to organizations as designed to “easily” assist with ongoing global compliance with the aid of automation and/or algorithms. Depending on the price that you are willing to pay, relying on these solutions can indeed be helpful to automate certain aspects of privacy compliance, including data mapping, consent mechanisms, records of processing or individual rights management. However, in their marketing materials, many privacy tech vendors – big or small, paid or free – caution companies that using legal professionals for privacy compliance will simply be too costly. Based on our experience, this is misleading at best, and a recent situation really reveals just that.
Continue Reading Lessons on Hidden Costs of Privacy Tech Vendors

Consistent with California’s history of prioritizing consumer privacy protections, Proposition 24 (full text here), a.k.a the California Privacy Rights Act (“CPRA”), was placed on the November ballot and handily approved by voters last week. The measure’s background itself indicates that the CPRA was being put forward to make privacy more transparent to users, similar to “ingredient labels on foods.” Background information also indicates a willingness to strengthen privacy rights over time rather than diluting them (particularly as regards to children), and in fact this push for increased transparency and protection is consistent with how certain platforms are requiring clearer policies (we discuss Apple’s new requirements here). While the CPRA will be fully effective and enforceable January 1, 2023, certain provisions take effect earlier and have a look-back provision. Businesses should start to familiarize themselves with the new or updated definitions and additional requirements contained in the CPRA.
Continue Reading Voters Approve the California Privacy Rights Act: What Businesses Need to Know

Long gone are the days when companies could claim ownership in their employees’ data, at least in California. As our prior posts have indicated, the definition of “consumer” under the CCPA is extremely broad and extends to employees. A consumer is not only a customer or user of a business’ services, products or websites, but also a business’ employees, contractors and job applicants.

However, despite taking effect in January 1, 2020, the CCPA’s application is currently limited with regard to personal information of employees, contractors, and job applicants collected and used in the employment context. This hold delays application of some provisions of the CCPA with respect to personal information collected in the employment context (originally until January 1, 2021 and now as extended to January 1, 2022 or 2023 as set forth below), including the rights to access data and deletion of data. As a reminder, the exemption also only applies to the extent that the employer collects/uses the personal information in the context of its employment relationship and for employment purposes. Thus, any use of such personal information by an employer outside the scope of the strict employment relationship would remain covered under all of the provisions of the CCPA. For example, if an employer were to allow its insurance company to collect employee data in order to market other insurance services to those individuals, this would not be within the scope of employment and therefore subject to all of the consumer rights otherwise available under CCPA.
Continue Reading Employee Data under CCPA