While presenting this week at the DRI Cybersecurity and Data Privacy Virtual Seminar, I outlined many of the issues currently impacting data security around the world.

Here are some key points:

  • Cookies are a thing. They are getting enforced in the EU by the Commission Nationale de l’Informatique et des Libertés, Agencia Española de Protección de Datos and by noyb.eu. It is important you check your website tracking; check your cookie disclosure; check your cookie management platform.
  • Cookies are a thing in the US too. The California Department of Justice has indicated this is a priority. “Do not sell” as it relates to cookies was included in the Attorney General’s recent enforcement report.
  • Schrems II is a reason for US-based providers and multinational companies to try to find pragmatic risk-based solutions. The European Data Protection Board guidance did not leave much room for maneuver, but did re-insert some risk-based approach pertaining to the specifics of each transfer.
  • Ireland’s Data Protection Commission decision on WhatsApp reveals that transparency is key and privacy notices need to be accurate, simple, easy to understand and not consist of endless scrolls and multiple documents. This is reiterated in the California Attorney Genera’s report, as well as in the recent Federal Trade Commission’s report on ISPs.
  • The DPC decision on Facebook may open up a new direction and breadth for the GDPR legal basis on contractual necessity. What is necessary for the performance of the contract? Is it impossibility or whatever has been made clear for the “bargained for exchange?”