A new New York state law prohibits the use of biometric technology in New York state schools until the later of (i) July 1, 2022 or (ii) the Commissioner of Education completes a study and issues a report to facilitate the creation of a comprehensive statewide regulatory system governing the use of such technology. The
Norway’s Datatilsynet does not mince words in its Brexit guidance:
“On 31 December 2020, the Brexit transition period will end. This means, among other things, that anyone who transfers personal data to the United Kingdom after this date must follow the rules on the transfer of personal data to third countries.”
“If the European Commission…
The European Data Protection Board has issued guidance on its Coordinated Enforcement Framework (CEF). The CEF provides a structure for coordinating recurring annual activities by EDPB Supervisory Authorities. The annual coordinated action focuses on a pre-defined topic which participating SAs may pursue using a pre-defined methodology
- The CEF is the foundation on which the annual
The European Parliament issued a detailed study on the impact of smart mobility applications on the future of transport and addressed some data protection issues.
- Public authorities should further specify legislation for data privacy and protection. (e.g. addressing how drivers can grant third parties’ consent to use their data, where processing data is necessary for
The European Commission has issued long-awaited draft Standard Contractual Clauses and they have something for everyone…
- Annexes and pick-and-choose modules (C2C, C2P, P2P, P2C).
- Lots of emphasis on the laws of the country of transfer and pushing back on government requests.
- Reiteration of some Article 26 (joint controller agreement) and Article 28 (data processor agreement)
Brace yourselves, the post-Schrems II supplemental measures are coming!
The European Data Protection Board adopted recommendations on measures that supplement transfer tools to ensure compliance with the European Union level of protection of personal data, as well as recommendations on the European Essential Guarantees for surveillance measures.
“The implications of the Schrems II judgment extend to all transfers to third countries. Therefore, there are no quick fixes, nor a one-size-fits-all solution for all transfers, as this would be ignoring the wide diversity of situations data exporters face. Data exporters will need to evaluate their data processing operations and transfers and take effective measures bearing in mind the legal order of the third countries to which they transfer or intend to transfer data,” said EDPB chair Andrea Jelinek.
The European Essential Guarantees recommendations provide data exporters with elements to determine if the legal framework governing public authorities’ access to data for surveillance purposes in third countries can be regarded as a justifiable interference with privacy rights.
Denmark’s Data Protection Authority Datatilsynet has published an article emphasizing the importance of providing encrypted means for communicating personal information:
- Authorities and companies must, as data controllers, ensure — on the basis of an assessment of the risk to citizens’ rights — that they establish appropriate security measures. This means, among other things, that authorities
The Gibraltar Regulatory Authority has issued helpful guidance on data protection considerations for the use of video conferencing applications (VCAs).
- Consider the implications of VCAs and their compliance with data protection laws to choose the one best suited to your organization’s needs.
- Establish appropriate technical and organizational security measures to protect personal data
When it comes to entering into new agreements with non-EU providers that involve the processing of EU personal data, if in doubt – don’t, says Norway DPA Datatilsynet.
“One must be prepared for the fact that new agreements involving the illegal transfer of personal data to third countries may be considered more severely than existing…
“I worry that we are caught in a DPA (Data Protection Authority) beauty contest of who issues the bigger fine,” said Ireland Data Protection Commissioner Helen Dixon in her keynote for Daniel Solove’s Privacy+Security Academy Fall Forum.
Additional Key Takeaways
- I am hesitant to list our enforcement priorities because I don’t feel that we