This Week in Privacy: 29 March 2021
March 29, 2021
International: Negotiations for enhanced Privacy Shield intensify
The EU Commissioner for Justice, alongside the U.S. Secretary of Commerce, issued a joint statement noting that the US Government and the European Commission have decided to intensify negotiations on an enhanced EU-US Privacy Shield framework to comply with the CJEU's decision in Schrems II.
According to the statement, the negotiations underscore the shared commitment to privacy, data protection and the rule of law and the mutual recognition of the importance of transatlantic data flows to respective citizens, economies, and societies.
Separately, the U.S. Congressional Research Service released its report on Understanding Schrems II and Its Impact on the EU-U.S. Privacy Shield. The report provides an overview of EU law governing international data transfers and a review of US surveillance laws relevant to the Schrems II decision. The report discusses considerations for the U.S. Congress, including:
- using executive action, which could address some intelligence collection concerns raised in Schrems II, for example by limiting bulk intelligence collection and providing additional redress mechanisms through an Executive Order;
- negotiating a diplomatic solution between the US and EU, which could include a new framework to replace Privacy Shield or a treaty governing data transfers; or
- adopting statutory requirements addressing the CJEU's concerns, such as by amending the Foreign Intelligence Surveillance Act or creating a cause of action that would allow foreign subjects to bring complaints before a tribunal.
France: CNIL updates FAQs on cookies guidelines and recommendations ahead of entry into force
The French data protection authority released an updated version of its FAQs on its guidelines and recommendations on cookies and other trackers, which will come into force on 1 April.
CNIL announced that the updated FAQs include further detail on tracking devices which are exempted from the requirement to obtain prior valid consent from the data subject, such as those not used for audience measurement purposes, as well as guidance on social media plug-ins and implementing the principles of Privacy by Design.
The FAQs also cover other general questions regarding audience measurement cookies, requirements for obtaining valid consent, and opt-out methods.
Maine: Insurance Data Security Act signed into law by Governor
The Maine Insurance Data Security Act, which implements the NAIC's Insurance Data Security Model Law, was signed by the Governor.
The Act requires the investigation and notification of cybersecurity events, and the development, implementation, and maintenance of a written information security program which contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information systems.
The Act will take effect on 1 January 2022.