California, home to more than 40 million people and the 5th largest economy in the world, has passed the California Consumer Privacy Act (CCPA), its omnibus consumer privacy law. The law creates sweeping new requirements concerning the collection, maintenance, and tracking of information for both employees and customers who are residents of California. Many aspects of the implementation and enforcement are still being finalized by the California Attorney General. However, companies with employees or customers in California need to take stock of the information they are processing that could qualify as “personal information” for California residents, and they need to begin establishing mechanisms for compliance before the end of 2019.
This weekend, Google was fined 50 million euros (over $55 million) by France’s Data Privacy Authority, CNIL, for breaching Europe’s (fairly) new General Data Protection Regulation.
GDPR lays the framework for the legal processing of personal data, requiring that companies have a lawful basis for processing a user’s personal information. This lawful basis can result from the user’s genuine consent prior to collecting personal information; processing necessary for the performance of a contract, compliance with a legal obligation, to protect the vital interests of a data subject or natural person, for the performance of a task in the public’s interest, or for the purpose of the legitimate interests of a controller or third party.
The GDPR went into effect on May 25, 2018. Shortly after its enactment, two privacy rights groups, noyb (Max Schrems’ brainchild) and La Quadrature du Net (LQDN) filed complaints against Google with the CNIL. The noyb complaint was filed on May 25, the same day the Regulation took effect.
Seyfarth Synopsis: Please join us at our Chicago Willis Tower office on Thursday, December 6th, for breakfast along with a Seyfarth Legal Forum and Continuing Legal Education (CLE): 2018 Highlights and a Look Ahead to 2019.
About the Program
Providing our clients with a multidisciplinary overview of Legal Hot Button issues and Best Practice. Featuring:
- Biometric Information Privacy Act: What a long, strange year it’s been (and there’s more on the way!)
- Legalize it: will Illinois go from medical to recreational marijuana and what would that mean to the real estate industry?
- Affordable Care Act Update & Enforcement Activities, 401(k) Student Loan Repayment Arrangements, Socially Responsible Investments, and HIPAA Privacy & Security Audits
- Mergers and Acquisitions: Current State of the Market and Post-Merger Integration Strategies
- The “Cloud”…is in a building?: Data Centers are the newest, and maybe most important, type of real estate
- Latest Developments in Pregnancy Accommodation (Illinois’ New Lactation Law and Nationwide Trends)
- Litigation Hot Topics for 2019, including: Developments in trade secret and non-compete law; New laws affecting threshold issues such as forum selection and choice of law; Frontloaded discovery in federal court: Mandatory Initial Discovery Pilot Programs; Best practices for protecting the attorney-client privilege for in-house counsel
- Welcome to the Future: It arrived yesterday – The intersection of Technology and Legal Services
- Bots, bits and bytes… Artificial Intelligence and its leading role in recent legal projects
The program will feature a panel of Seyfarth Chicago subject matter experts — with an eye toward preparing for the developments in the coming year. Our overview will be targeted at highlighting issues for the General Counsel, Chief Information Officer, Chief Human Resource Officer, and other members of their teams.
The program will consist of an engaging ninety minute presentation with speakers from each of Seyfarth Chicago’s practice groups: Benefits, Corporate, Labor & Employment, Litigation, and Real Estate, as well as an exciting presentation on the use of technology in law. Then, we will offer 30 minute break-out sessions on hot topics warranting a deeper dive that companies are facing when looking at their legal compliance needs. The break-out sessions will address Privacy/Data Security, Managing in the #metoo Environment, and Blockchain/Cryptocurrency in business.
The program is on Thursday, December 6, 2018, at 8:00 a.m. – 8:30 a.m., for breakfast and registration, 8:30 a.m. – 10:00 a.m., for the panel presentations, and 10:00 a.m. – 10:30 a.m., for the breakout sessions. Our offices are at 233 S. Wacker Drive, Suite 8000, in Chicago, IL.
Also, for those who need the credits, note that Seyfarth Shaw LLP is an approved provider of Illinois CLE credit. This seminar is approved for 1.5 hours of CLE credit in CA, IL, NY, NJ and TX. CLE Credit is pending for GA and VA. HR professionals: please note that the HR Certification Institute accepts CLE credit toward recertification.
The European Data Protection Board (EDPB) recently issued a report after its November 16, 2018 plenary session. The statement covered a range of topics being discussed by the Board, but no substantive publications. The EDPB is charged with ensuring that GDPR is applied consistently across the EU and that there is consistent enforcement by DPAs across the Union. The Board is also tasked with issuing guidelines on the interpretation of the GDPR (formerly the charge of the Article 29 Working Party), and making binding decisions about cross-border disputes. The Board is made up of the head DPA or representatives from each member country.
An EU-Japan adequacy finding appears to be extremely close, and the Board announced they are at work on guidelines about the intersection between Clinical Trials Regulation and the GDPR for medical device and pharmaceutical companies. There have now been four “plenary meetings” of the EDPB. Some may consider no action on the part of the Board a good thing, but there are some significant concepts which eventually need clarification, including a formal process and procedure on appeals of DPA enforcement and fines, and modernization of the outdated Model Contractual Clauses, among other things. The essential message from the EDPB continues to be “stay tuned,” and it seems likely that no real substantive publications will come through until early 2019.
The complete press release from the EDPB can be found here.
Seyfarth Shaw Partner Jordan Vick is on the panel for the “Playing by the Rules: Rule Changes Essential to Your Practice” session on Friday, November 16, at Georgetown Law’s 15th annual Advanced eDiscovery Institute in Washington, D.C.
Session topics include:
- The 2015 Amendments to the FRCP and their actual impacts on practitioners, including unintended consequences
- How the changes to Federal Rule of Evidence 902 will change how parties and the court can streamline authentication of ESI and potentially eliminate the need to call a witness at trial
- What other changes the Rules Committee is discussing that may impact eDiscovery professionals
- Pilot accelerated disclosures and their impacts in Illinois and Arizona, including the Mandatory Initial Discovery Pilot Program (“MIDP”) in the Northern District of Illinois
At the end of June, the California legislature passed its Bill 375, the California Consumer Privacy Act of 2018. The Act contains a number of concepts that would be familiar to those who are working to bring their companies and organizations into compliance with GDPR. The new law defines a category of “Personal Information” that radically departs from a traditional definition of Personal Data commonly found in various State Data Privacy Laws, which usually ties an individual name to other identifiers like social security number, account number, or other factors. Instead, the California Act defines “Personal Information” as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It does not, mercifully, include publicly available information, but it still comes closer to a GDPR-like definition of “personal data” than any other US law.
The Act provides California residents some rights that also appear familiar. For example:
- Consumers can request a copy of all the Personal Information a business has collected;
- Consumers have the right to request that the business delete their Personal Information (subject to some exceptions), and a right to direct a company to not share their Personal Information with third parties; and
- Consumers can request that a business disclose the categories of information it has collected, the sources of information, the purpose for the collection and/or its sale of the information, and the third parties with whom the information is shared.
Today, the Information Commissioner’s Office (“ICO”), the UK data protection authority, released for public comment its draft “Regulatory Action Policy,” a document in which the ICO seeks to set forth its objectives in taking regulatory action, present its new investigatory and enforcement powers, and explain how it aims to use them. The comment period will close on June 28, 2018.
With three weeks remaining until the General Data Protection Regulation (the “GDPR”) (Regulation (EU) 2016/679) takes effect, this draft document provides organizations with a much needed insight into how the ICO plans to proceed in the age of new data protection compliance realities. In addition to the GDPR, the ICO will be enforcing the upcoming update to UK’s national data protection law, the UK Data Protection Act 2018 (the “DPA”), which is still working its way through Parliament, but should be in place by May 25, 2018, as well as other established data protection legislation.
The “Regulatory Action Policy” explains that ICO will have the power to issue “urgent” information notices that will require a response within 24 hours, take notice recipients who fail to comply to court on contempt charges, inspect and assess compliance without notice, administer fines by way of penalty notices, and prosecute criminal offences in court. The ICO’s powers to prosecute failures to provide information and its ability to go to court to request a warrant to search premises will come from the DPA, not GDPR.
The DPA also will permit the ICO to issue “assessment notices” to data controllers and processors to allow the ICO to investigate whether the controller or processor is compliant with data protection legislation. The notice may require the organization to give the ICO access to premises and specified documentation and equipment. An “urgent” assessment notice may require access to non-domestic premises on less than 7 days’ notice, which in effect will allow the ICO to carry out a no-notice inspection. An organization that receives an “urgent” information notice, assessment notice, or enforcement notice may petition the court to overturn the urgency of that notice. Under the DPA, destruction or falsification of information the ICO is pursuing in its notice constitutes a criminal offence. However, similarly to the U.S. evidence spoliation principles, it appears that loss of information through routine operation of automated processes may be a defense to criminal charges.
Seyfarth Shaw Offers Data Privacy & Protection in the EU-U.S. Desktop Guide and On-Demand Webinar Series
On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) will impose significant new obligations on all U.S. companies that handle personal data of any EU individual. U.S. companies can be fined up to €20 million or 4% of their global annual revenue for the most egregious violations. What does the future passage of GDPR mean for your business?
Seyfarth’s eDiscovery and Information Governance (eDIG) and Global Privacy and Security (GPS) practitioners are pleased to announce the release of Data Privacy & Protection in the EU-U.S.: What Companies Need to Know Now, which describes GDPR’s unique legal structure and remedies, and includes tips and strategies in light of the future passage of the GDPR.
GDPR Webinar Series
Throughout August and October of 2017, Seyfarth Shaw’s attorneys provided high-level discussions on risk assessment tools and remediation strategies to help companies prepare and reduce the cost of EU GDPR compliance. Each segment is one hour long and can be accessed on-demand at Seyfarth’s Carpe Datum Law Blog and The Global Privacy Watch Blog.
Seyfarth eDiscovery Partner Richard Lutkus, along with William Lederer from Relativity and Patrick Zeller of Gilead Sciences, Inc., will host a panel discussion titled “Brave New Words: Cloud Data Collection, Processing, and Hosting” at this year’s RelativityFest on October 24, 2017.
This session will provide attendees with information about new data collection methods with tools like Heureka and Harvester, along with considerations for working with RelativityOne, data privacy, and security. Additionally, best practices surrounding the General Data Privacy Regulation (GDPR), international data transfer with EU entities, secure management of hosting (wiping cloud data) and SSD wiping technologies will be discussed.
RelativityFest is an annual conference designed to educate and connect the e-discovery community. The three-day festival in Chicago will feature panel discussions, hands-on labs, and breakout sessions to discuss best practices. For more information, or to register to attend, please visit https://relativityfest.com/.
Seyfarth eDiscovery attorneys Jason Priebe and Natalya Northrip will present “A Practical Roadmap for EU Data Protection and Cross-Border Discovery” at this year’s RelativityFest on October 24, 2017.
This presentation will provide attendees with practical tips for leveraging the new Sedona International Principles to help in your compliance with stringent GDPR requirements, and in seeking immediate help under the EU-U.S. Privacy Shield.
RelativityFest is an annual conference designed to educate and connect the eDiscovery community. The three-day festival will feature panel discussions, hands-on labs, and breakout sessions to discuss best practices for eDiscovery, Information Governance, and Data Privacy. For more information, or to register to attend, please visit https://relativityfest.com/.