On January 6th, the first day of the New York legislature’s 2021 session, NY lawmakers proposed Assembly Bill 27 (AB 27), the Biometric Privacy Act.  The legislative purpose of AB 27 is to provide safeguards for consumers regarding their biometric identifiers, such as fingerprints, handprints, retina or iris scans, voiceprints, and other facial and hand recognition.  Effectively, the proposed Act would require private (non-governmental) organizations that possess a biometric identifier or biometric information (i.e., information…

The French data protection authority (CNIL) rendered three major decisions impacting worldwide online service providers following online controls and investigations performed on the companies’ websites. These decisions highlight the obligations of data controllers when using cookies and other trackers, notably regarding the way the user’s consent shall be collected, and the level of information that has to be provided to users. Companies across sectors with interests in France should consider adapting their cookie compliance and…

The UK’s supervisory authority, the Information Commissioner’s Office (ICO), published a new data sharing code of practice (Code), available here, which addresses the requirements for data sharing under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018). Once approved by Parliament, the Code will become a statutory code of practice. Thereafter, the Code will be used by the ICO when assessing whether organisations have complied with their data protection…

After a long period of negotiation, the United Kingdom (UK) and the European Union (EU) have reached a deal on the sharing of personal data, only a few days before the end of the Brexit transition period. The agreed trade deal allows for the continued free flow of personal data from the EU to the UK for a maximum of six months after the transition period expires. During that time, the UK hopes that the…

With the end of the Brexit transition period quickly approaching on 31 December 2020, the future of international data transfers between the UK and the European Union (EU) and European Economic Area (EEA) remains somewhat unclear. As background, Article 44 of the General Data Protection Regulation (GDPR) prohibits the transfer of personal data from the EU/EEA to recipients in jurisdictions outside the EU/EEA, unless specific conditions are met. One such condition under the GDPR is…

On 12 November 2020, the European Commission released draft updated standard contractual clauses (SCCs) for consultation (available here). The current SCCs were adopted by the Commission before the GDPR came into force.  The CJEU’s decision in the Schrems II case has given greater urgency to updating the current SCCs. Once approved, the new SCCs will repeal the current SCCs. Data controllers and processors alike will therefore need to re-paper their agreements. The main changes…

In a recent Q&A with Colorado Attorney General (AG) Phil Weiser, the first term AG discusses how he makes data privacy and cybersecurity accessible and interesting to his Colorado constituents. AG Weiser also explains the role of Colorado’s interdisciplinary Data Privacy and Security Impact Team and how its implementation has benefitted the state. Lastly, AG Weiser discusses his views on a comprehensive federal privacy law and his office’s privacy- and data security-related priorities for 2021.…