Skip to main content

Clifford Chance

Clifford Chance
Data<br />

Data

Talking Tech

Featured

US-states_600x400px

US State Privacy Laws

U.S. data privacy has entered a new era. Historically, the data privacy legal landscape has been dominated by sector-specific legislation, such as the Graham-Leach-Bliley Act and Health Insurance Portability and Accountability Act, often with a focus on cybersecurity or preventing misuse of certain types of personal information. The California Consumer Privacy Act was the first comprehensive (i.e., broad sweeping) state data privacy law added to this U.S. regulatory framework that focused on consumer protection. Since its adoption, various state-level regulatory and legislative activity has been building momentum. Today, several states have enacted or are continuing to develop comprehensive data privacy laws with requirements that apply across nearly all business sectors. Understanding the scope, applicability, and requirements of these state data privacy laws are more crucial than ever for companies operating in the U.S.  Read our individual overviews of currently enacted comprehensive state data privacy laws to learn more.

Read

More Data Articles

Keeping Pace: The First Tranche of Australian Privacy Reforms versus the GDPR Regimes

For investors and corporates with interests across Australia, the EU, and the UK, this post addresses the reforms proposed in the Privacy Bill, and how and to what extent the changes will align the Privacy Act more closely with the EU General Data Protection Regulation (EU GDPR) and its essentially similar UK equivalent (UK GDPR, and together with the EU GDPR, GDPR).

Read

President Biden Issues Executive Order to Protect American's Sensitive Personal Data

This article examines EO 14117 and the subsequent Advance Notice of Proposed Rulemaking (ANPRM) detailing the framework of the forthcoming regulations it will issue to implement the order's directives and filling in the details on what transactions will be impacted. Together, EO 14117 and the accompanying ANPRM from DOJ will likely have important implications for companies that do business in or otherwise operate in countries of concern, including notably China and Russia.

Read

APAC Data Regulatory Themes and Strategies

Data regulation is rapidly developing across the Asia Pacific (APAC) region. Businesses need to understand how these regulations will affect their strategies and how to balance mitigating risk with building consumer trust and fostering innovation. In this extract from a recent Clifford Chance webinar, we explore data transfers and localisation, cybersecurity and the latest regulatory developments and enforcement trends in APAC.

Read
ECJ rules on vehicle data sharing obligations and GDPR (Gesamtverband v Scania)

ECJ rules on vehicle data sharing obligations and GDPR (Gesamtverband v Scania)

The recent decision of the European Court of Justice (ECJ) in Gesamtverband Autoteile-Handel eV v Scania CV AB clarifies requirements under EU Regulation 2018/858 for vehicle manufacturers to provide vehicle data to aftermarket participants, including manufacturers and distributors of spare parts.

Read
CJEU decisions on administrative fines under the GDPR
Data

CJEU decisions on administrative fines under the GDPR

On 5 December 2023, the Court of Justice of the European Union (CJEU) published its preliminary rulings in Cases C-683/21 (Nacionalis visuomenés sveikatos centros prie Sveikatos apsaugos ministerijos) (NVSC) and C-807-21 (Deutsche Wohnen SE) (DW). In these cases, factually unrelated but raising overlapping issues of principle, the CJEU reached several key decisions clarifying the position under the EU General Data Protection Regulation (GDPR) regarding the imposition of administrative fines by data protection supervisory authorities.

Read
German Data Protection Authority comments on required legal bases under the GDPR for processing of personal data using AI
Data

German Data Protection Authority comments on required legal bases under the GDPR for processing of personal data using AI

The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg has published a consultation paper concerning the relevant legal bases under the EU General Data Protection Regulation (GDPR) for processing personal data as part of the development and use of artificial intelligence (AI) systems.

Read
EU/UK-U.S data privacy framework approved
Data

EU/UK-U.S data privacy framework approved

On 10 July 2023, the European Commission reached an "adequacy decision" under the European Union General Data Protection Regulation (GDPR), approving transfers of personal data to organisations located in the United States that will be certified under the newly-established Trans-Atlantic Data Privacy Framework (DPF) agreed between the U.S. and the EU.This long-awaited decision replaces the EU-U.S. "Privacy Shield", which was invalidated by the Court of Justice of the European Union (CJEU) in the Schrems 2 case in 2020

Read
When does pseudonymized data stop being personal data?
Data

When does pseudonymized data stop being personal data?

Building on existing case law from the Court of Justice of the European Union (CJEU), a recent judgment from the General Court provides useful guidance as regards the concept of 'personal data' and provides comfort to organizations disclosing pseudonymized data to third-party recipients.

Read
AEPD tries to clarify previous decision on inclusion of worker in company's WhatsApp groups
Data

AEPD tries to clarify previous decision on inclusion of worker in company's WhatsApp groups

This decision caused quite a stir in the Spanish data protection community, primarily because the AEPD offered only brief and generic reasoning in its decision, creating doubt as to the legal basis for this type of processing. This resulted in the AEPD receiving an enquiry from the privacy sector , asking it, , to identify the legitimate grounds for creating WhatsApp groups in the work environment.

Read
China Finalises Standard Contract on Cross-Border Transfer of Personal Information
Data

China Finalises Standard Contract on Cross-Border Transfer of Personal Information

The PRC Data Laws set out the supervisory approach of PRC regulators to different data- and PI- related matters. One of the key focuses for multinational companies that are subject to the PRC Data Laws is compliance with PRC regulatory requirements on international transfer of PI (i.e., exporting and/or receiving China-sourced PI, including by way of remote access), given the potential widespread implications on their global business and data management systems.

Read
The UK's Data Protection and Digital Information Bill – Further Reform on the Horizon
Data

The UK's Data Protection and Digital Information Bill – Further Reform on the Horizon

The UK’s Data Protection and Digital Information Bill (Bill) was laid before the UK Parliament on 18 July 2022, marking a significant step in the post-Brexit reform of the UK’s data protection regime. This long take analyses key aspects of the Bill and highlights areas that are likely to be the focus of engagement on potential further reform. To assist stakeholders in understanding the changes to legislation proposed by the draft Data Protection and Digital Information Bill, Clifford Chance has produced PDF redlines (called 'Keeling Schedules') of the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Read
The case for a risk-based approach to data transfers: Clifford Chance and DLA Piper publish joint paper arguing for proportionality
Data

The case for a risk-based approach to data transfers: Clifford Chance and DLA Piper publish joint paper arguing for proportionality

The leading European data protection teams at Clifford Chance and DLA Piper have collaborated on a joint paper setting out the case for a proportionate approach to conducting risk assessments of international transfers of personal data.

Read
Data Privacy: Preparing for 2023 (and beyond) in California
Data

Data Privacy: Preparing for 2023 (and beyond) in California

As 2023 approaches, a flurry of activity in California means big changes in the year ahead for data privacy. New obligations, an expanded scope of covered data, increasing enforcement, and scant regulations all mean it’s a good time for companies processing the personal information of California residents to make sure they’re prepared for the new year. Read ahead for insights into what’s coming and strategies for compliance, including Frequently Asked Questions.

READ
Data Centre Trends 2023

Data Centre Trends 2023

The data centre industry is poised for growth in 2023 due to increased demand from businesses. However, factors such as higher costs, a slowing economy, new capacity challenges and increased regulation due to sustainability concerns about energy and water consumption, will impact growth. The pandemic has fueled the growth of the global data centre market, projected to reach 235 billion euros by 2026 with a projected Compound Annual Growth Rate of 4.5%. Companies must consider the latest tech trends when selecting a data centre partner or colocation provider.

READ
Monitoring in the workplace: direction of travel
Data

Monitoring in the workplace: direction of travel

Monitoring employees in the workplace is not new but the methods by which this is achieved, the workplace itself and relevant regulatory regimes are continually evolving. The UK's Information Commissioner's Office (ICO) has published for consultation draft Guidance on Monitoring at Work. Coincidentally, in the same week the international press reported a Dutch case in which the courts awarded an employee in the region of €75,000 after being dismissed for refusing an instruction to keep his webcam on for the entire duration he was logged on to his work PC.

READ
Data Flows in a Modern World
Data

Data Flows in a Modern World

Data flows are the lifeblood of trade in digital services. Despite this, a growing number of jurisdictions are restricting cross-border data flows and implementing localisation requirements, often in the name of data sovereignty. There are two facets to this issue: data localisation and data transfer regimes, which we consider in this article

READ
Digital trade: an evolving concept and legal landscape
Tech

Digital trade: an evolving concept and legal landscape

The concept of "digital trade" does not have a universally recognised definition. It is commonly used to refer to both the online trade in goods and services and the physical trade in goods that is enabled though digital means (such as electronic customs clearance technology, enterprise freight management software or blockchain). For example, the OECD defines digital trade as "digitally enabled transactions of trade in goods and services that can either be digitally or physically delivered".

READ
Beyond adequacy: working together to ease multi-jurisdictional privacy compliance
Data

Beyond adequacy: working together to ease multi-jurisdictional privacy compliance

International trade in digital goods and services relies on the sharing of data across borders. As an increasing number of countries introduce and update data protection laws, complying with requirements across jurisdictions is becoming increasingly complex. Cross-border data governance is a significant, and seemingly ever-growing, cost of doing business.

READ
The Data Act: A proposed new framework for data access and porting within the EU
Data

The Data Act: A proposed new framework for data access and porting within the EU

The proposed Regulation seeks to redefine rules and practices on data access and use in order to foster data (re)use.

READ
Next steps after U.S. President Biden issues Executive Order on U.S. data transfers from 'qualified states'
Data

Next steps after U.S. President Biden issues Executive Order on U.S. data transfers from 'qualified states'

On 7 October 2022, U.S. President Joe Biden issued an Executive Order "On Enhancing Safeguards for United States Signals Intelligence Activities" (the Order) to effectuate the preliminary agreement between U.S. President Biden and European Commission President Ursula von der Leyen for promoting trans-Atlantic data flows. The Order does not establish a mechanism for transfers of personal data from the EEA to the U.S., but is expected to pave the way for an adequacy decision from the European Commission in due course, which would permit such trans-Atlantic personal data flows.

READ
E-Privacy check-in: where we are, and where we're headed
Data

E-Privacy check-in: where we are, and where we're headed

Are we any closer to EU institutions reaching an agreement on the final regulation text

READ

US Data Laws Focus

Colorado joins California and Virginia with a comprehensive data privacy law
Data

Colorado joins California and Virginia with a comprehensive data privacy law

The Colorado Privacy Act (CPA) will give Colorado consumers certain rights with respect to their personal data. The new law will go into effect on 1 July 2023

READ
Connecticut Data Privacy Act Becomes Nation's Fifth State Privacy Law, Setting Stricter Standards
Data

Connecticut Data Privacy Act Becomes Nation's Fifth State Privacy Law, Setting Stricter Standards

The Act is the latest stitch in the patchwork of state and federal privacy laws that is growing ever more complex. And as has become a trend, while the law shares many similarities with its counterparts in other states, the Act also has certain unique provisions that companies that do business in Connecticut will need to carefully consider before the law goes into effect on July 1, 2023

READ
Utah Becomes Fourth State To Pass Consumer Privacy Act, First With Republican-Controlled House And Senate
Data

Utah Becomes Fourth State To Pass Consumer Privacy Act, First With Republican-Controlled House And Senate

On March 24, 2022, Utah Governor Spencer Cox signed the Utah Consumer Privacy Act into law, making Utah the fourth state to pass a comprehensive consumer privacy law

READ
US Lawmakers Release Draft of Comprehensive Federal Data Privacy Bill

US Lawmakers Release Draft of Comprehensive Federal Data Privacy Bill

On June 3, 2022, a coalition of lawmakers from the United States House and Senate released a discussion draft of the American Data Privacy and Protection Act ("ADDPA). The 64-page bill represents a crucial bipartisan and bicameral compromise1 to give Americans unprecedented rights over their data.

READ
One "Fine" Day? Insights from the first fine issued by the California Attorney General under the CCPA

One "Fine" Day? Insights from the first fine issued by the California Attorney General under the CCPA

On August 24, 2022, the California Attorney General (CAG) announced a $1.2 million settlement with Sephora to resolve allegations that the consumer goods retailer violated the California Consumer Privacy Act (CCPA) by failing to disclose to consumers that it was selling their personal information. The settlement is notable not only because it is the first civil penalty issued under the statute, but also because it confirms a broad interpretation of what constitutes a "sale" of personal information under the law and the requirement for websites to respond to global privacy controls.

READ
Virginia passes the Consumer Data Protection Act

Virginia passes the Consumer Data Protection Act

2021 is projected to be a pivotal year in privacy legislation and the year is off to a fast start. On2nd March, the Commonwealth of Virginia became the first state to enact a comprehensive consumer privacy law in 2021. The Virginia Consumer Data Protection Act draws heavily from the California Consumer Privacy Act and the EU General Data Protection Regulation and will impose significant new obligations on certain companies that process personal information of Virginia residents. The new law will go into effect in 2023.

READ

Upcoming events

10 October 2024: TradFi Meets Blockchain Policy Summit (New York)

We are delighted to be hosting the 2024 TradFi Meets Blockchain Policy Summit on behalf of Capitol Asset Strategies at our office in New York. Join us for thoughtful panel conversations focused on traditional capital markets use of distributed ledger technology to sell and distribute regulated "tokenized" financial products and the real business and regulatory challenges to wider adoption. You will hear from expert business leaders, legal professionals and policy leaders with panelists and attendees spanning traditional finance and crypto-native, all together in one room for insights on this growing market. | See the full agenda and speaker line up or register here.

Time: from 11:00 EDT