The European Union’s General Data Protection Regulation, which became effective on May 25, 2018, began a new era in data privacy. Among other changes, the GDPR imposes new limits on the collection of personal information of EU residents and expands individuals’ rights with respect to companies’ use of such information, including the “right to be forgotten.” These requirements are backed up by substantial penalties of up to 4% of a company’s annual global turnover. But does a U.S. company need to worry about the GDPR if it has no business operations in the EU? In a surprising number of cases, the answer is “yes.”
#NPLaw's Kirsten Small, CIPP/US, provides an overview of the GDPR and explores its implications for US businesses in this presentation.
This document provides an overview of key legal issues non-profit organizations need to be aware of when operating their websites. It discusses what constitutes a website, identifying potential risks based on website purpose such as providing information or fundraising. It also covers legal requirements around data protection, electronic marketing, accessibility, and contractual risks. Potential risks include inaccurate information, data protection issues, and liability depending on website use and content.
This document summarizes information presented by Robert Lands on recent EU developments regarding trade secrets and data protection. It discusses the proposed EU Trade Secrets Directive, which aims to standardize protection of trade secrets across EU member states. It also outlines the upcoming EU General Data Protection Regulation, which will significantly increase fines for non-compliance with data protection laws and enhance individual rights around personal data. The presentation advises being prepared for these changes by reviewing policies, contracts, and response protocols.
The GDPR is a new EU regulation that protects personal data and privacy rights. It applies broadly to any organization that processes the personal data of individuals in the EU, regardless of where the organization itself is established. Key provisions include:
- Significant fines for non-compliance of up to €20 million or 4% of annual global turnover, whichever is higher
- Rights for data subjects to access, correct, and delete their personal data
- Mandates for consent, privacy by design, and data protection officers
- Breach notification requirements for reporting certain data incidents to the supervisory authority within 72 hours
The document provides an overview of the General Data Protection Regulation (GDPR). It begins with an outline of key GDPR terms, principles, rights of data subjects, and responsibilities of controllers and processors. It then discusses governance topics like the data protection officer and data protection impact assessments. The document outlines the GDPR timeline from 2016 to 2018 and compares GDPR to the EU-US Privacy Shield framework. It ends by discussing how companies are prioritizing GDPR compliance and questions to consider regarding readiness.
When Big Data is Personal Data - Data Analytics in The Age of Privacy Laws (Tara Aaron)
As data sets and analytics sophistication grow, so do consumers' concerns about their privacy and what is being done with their personal information. Legislatures around the world are beginning to respond to these concerns. We present an overview of the General Data Protection Regulation and the California Consumer Privacy Act to help companies comply with the law and engender trust with the consumers whose data they hold.
The new EU-US Privacy Shield, covering transatlantic exchanges of personal data for commercial purposes, went into effect in July 2016. Although this is a critical issue, many companies are not aware of the implications it has for them. What steps do companies need to take when transferring data from Europe to the US? (Note that the Privacy Shield framework was later invalidated by the Court of Justice of the EU in the July 2020 Schrems II judgment and no longer serves as a valid transfer mechanism on its own.)
GDPR Is Coming – Are Search Marketers Ready? (MediaPost)
The EU’s General Data Protection Regulation (GDPR) is the most significant change to consumer privacy laws in decades, and the enforcement date is approximately one month away. The standards for data collection and use in the EU will differ significantly from those in the United States. This session will break down the differences and discuss methods for compliance going forward.
PRESENTER
Gary Kibel, Partner, Davis & Gilbert LLP @GaryKibel
This document provides an overview of key concepts regarding data privacy and security. It discusses the differences between privacy and security, with privacy focusing on data collection and use and security focusing on data protection. Key privacy principles like consent and purpose limitation are explained. The document also summarizes several US privacy laws like the FTC Act, COPPA, and data breach notification laws, as well as some international laws. Best practices around privacy policies, audits, and governance are also covered.
2017 09 13_VOKA The Big Refresh - GDPR - IFORI (Karel Holst)
The document provides an overview of the General Data Protection Regulation (GDPR) from a legal perspective. It summarizes the key changes and obligations under the GDPR, including expanded territorial scope, strengthened rights for data subjects, requirements for controllers and processors, data security measures, data breach notification, and increased administrative fines for noncompliance. The presentation emphasizes that organizations should take action to ensure compliance with the GDPR, which applies starting May 25, 2018.
This document provides an overview of the General Data Protection Regulation (GDPR) from a legal perspective. It discusses key changes and obligations under the GDPR, including territorial scope, lawfulness of processing, rights of data subjects, roles of controllers and processors, data security requirements, and sanctions for noncompliance. The GDPR aims to strengthen and harmonize data protection across the EU by directly applying in all member states and ensuring free flow of personal data. It applies from May 25, 2018 and organizations should take action now to ensure compliance.
GDPR and evolving international privacy regulations (Ulf Mattsson)
The document discusses evolving international privacy regulations, focusing on the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). It notes that many countries are passing new privacy laws influenced by GDPR. Technologies like data tokenization, encryption, and anonymization play an important role in complying with these regulations by protecting personal data throughout its lifecycle. The document provides examples of how technologies can be deployed across on-premises and cloud environments to ensure consistent privacy protection of data.
This document provides an overview of data protection and freedom of information laws as they relate to schools in the UK. It discusses the Data Protection Act of 1998, which implements the EU Data Protection Directive and establishes eight principles of fair and lawful personal data processing. It also covers the Freedom of Information Act of 2000, which gives individuals the right to request information held by public authorities. The document outlines exemptions to disclosure and provides school-specific examples and guidance around data encryption and impact levels.
Changing legislation – General Data Protection Regulation (GDPR) and librarie... (CILIPScotland)
The document discusses the new General Data Protection Regulation (GDPR) that will replace the Data Protection Act 1998 and take effect in May 2018. It outlines key changes and requirements of the GDPR, including stricter rules around consent, data subject rights, accountability, data breaches, and children's data. Libraries and other organizations will need to audit their information practices, ensure they have a valid legal basis for processing personal data, and may need to appoint a Data Protection Officer to comply with the new regulation. Non-compliance could result in substantial fines of up to 4% of annual global turnover or €20 million.
This document discusses how the GDPR will require organizations to have a unified "customer 360" view of all customer data in order to comply with data subject rights like access, rectification, and erasure. It summarizes how the DataStax Enterprise graph database can help organizations integrate siloed customer data sources to provide a real-time, contextual view of each customer to facilitate GDPR compliance and enable features like personalization. The presentation covers how DSE graph can model complex customer relationships, support analytics, and guarantee access to customer data anywhere while maintaining high performance and availability required for real-time use cases.
All You Need To Know About Data Law Changes in 2018 (The Drum)
With the introduction of the General Data Protection Regulation, everything changes for digital media. The reason? GDPR applies to cookies, IP addresses, tags, digital fingerprinting, in fact anything that tracks individuals and is used to make decisions or analyse behaviour. So how do you get fit and not get into a fight with the regulator?
Slides from Niall Rooney FP Logue presentation at Food & Drink Business Europe event at Citywest Dublin on 05/09/2019 - *For Information Only, Not Legal Advice*
The document summarizes key aspects of the EU's General Data Protection Regulation (GDPR) that takes effect in May 2018, including:
- It expands the territorial scope of EU data protection law and sets a higher standard for consent.
- It establishes principles of accountability, data protection by design/default, and data protection impact assessments to demonstrate compliance.
- It strengthens individual rights around access, rectification, erasure, data portability, and objection to processing.
- It imposes new rules around international data transfers and increases maximum fines for noncompliance.
- Organizations should review their governance, policies, procedures and consent mechanisms to prepare for the GDPR's requirements.
Interact 2018 - GDPR for digital publishers, digital agencies and advertisers (IAB Europe)
Held in Milan on 23-24 May, IAB Europe’s annual two-day conference Interact 2018 featured a training by Matthias Matthiesen, Director Public Policy & Privacy, and Chris Hartsuiker, Public Policy Officer, IAB Europe. Which provisions in the General Data Protection Regulation are the most relevant to digital publishers and advertisers? What is the guidance of the European Data Protection Board (formerly the Article 29 Working Party) on these topics? This training session, provided by IAB Europe, gives insight into applying the GDPR to the digital advertising supply chain.
The document provides an overview of data protection legislation in Guernsey. It summarizes that the legislation was modeled after the UK's 1998 Data Protection Act and aims to provide uniform standards for data handling. It defines key terms like personal data, data controller, and sensitive personal data. It outlines requirements for data controllers including notification, data subject rights, and adhering to eight data protection principles around fair and lawful processing, data quality, security, and international transfers. Enforcement is through the Data Protection Commissioner who can issue notices but primarily encourages education and compliance.
Talk by Polina Zvyagina, Airbnb (San Francisco), at Stanford Engineering on February 25 2019, Session #6: 'Growing ‘Bitcoin Cities’ Across the Globe from Slovenia || GDPR Compliance Case Study || EU Digital Economy Policy'.
Website: http://www.StanfordEuropreneurs.org
YouTube Channel: https://www.youtube.com/user/StanfordEuropreneurs
Twitter: @Europreneurs
The Privacy Advantage 2016 - Ruth Boardman (Krowdthink)
This document discusses key aspects of the EU's General Data Protection Regulation (GDPR) in 16 pages. It covers definitions of personal and sensitive personal data; individual rights like access, rectification, and erasure; pseudonymization; data management considerations; and codes of conduct and certification. The document aims to explain major provisions of the new privacy law and implications for companies' data practices.
This document provides an agenda for a meeting that will highlight the following topics:
- Highlights of SAP Business One (SAP B1) version 9.3, including new approval procedures, settings support, and data import/copy features.
- An overview of the GDPR and how it relates to SAP B1, including key terms and tools for personal data protection and management.
- A comparison of the GDPR to the Data Privacy Act of the Philippines which establishes requirements for data protection and appointing a data protection officer.
This document discusses the General Data Protection Regulation (GDPR) and its implications for companies. It begins by explaining what the GDPR is and how it strengthens data privacy for individuals in the EU. It then discusses some of the top issues companies face in complying with the GDPR, such as the right to be forgotten, consent requirements, and proving compliance. It notes that GDPR compliance is important for US companies too if they have EU customers or process their data. Finally, it provides recommendations for steps companies should take to comply with the GDPR, including mapping data processes, identifying gaps, appointing a data protection officer, and integrating privacy practices.
This document summarizes a workshop on privacy and missing persons in natural disasters. It discusses key definitions and privacy aspects related to missing persons data. It analyzes major privacy issues for data controllers, including issues around data collection, use and individual rights. It provides options for organizations involved in missing persons efforts and for policymakers, such as guidance from data protection authorities, to help address privacy concerns in natural disasters.
The USA and the European Union take different approaches to privacy. This presentation covers who is responsible and what kinds of rules are in place. This is a Medved Consultants LLC presentation and is not legal advice.
The document provides an introduction to the General Data Protection Regulation (GDPR). It defines personal data and data privacy, explaining that the GDPR aims to strengthen data protection for individuals in the EU. It outlines key areas the GDPR covers such as consent, transparency, profiling, data transfers, and rights of individuals. It discusses penalties for non-compliance, which include fines of up to 20 million Euros or 4% of annual global turnover. The document provides an overview of the GDPR's requirements and changes organizations need to make to be compliant, such as conducting data audits and impact assessments, and establishing governance frameworks with accountability.
This document discusses key issues related to privacy and the internet. It outlines different approaches to defining and protecting privacy, noting that privacy means different things to different people and cultures. It also discusses the trade-offs associated with privacy regulation and the challenge of controlling information online given factors like digitization, ubiquitous networks, and the user generation of large amounts of content. The document advocates for an alternative approach focused on education, empowerment, and targeted enforcement rather than anticipatory regulation.
This chapter discusses privacy and the right to privacy under the law. It outlines several key US privacy laws that protect personal information, including financial data privacy laws and health privacy laws. It also discusses issues around identity theft, consumer profiling, workplace monitoring, and advanced surveillance technologies. The chapter examines ethical issues around how organizations should treat consumer data responsibly. It concludes by discussing laws around freedom of expression online and efforts to control access to information, especially for minors.
The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel... (AltheimPrivacy)
This is a new set of slides, adapted after the 10/21/2013 LIBE Committee vote on the proposed amendments to the Regulation. Quite a few of the original GDPR rules have changed so far.
This document discusses privacy issues related to information technology. It covers several topics: laws protecting privacy of personal data; identity theft; electronic discovery; consumer profiling; treating consumer data responsibly; workplace monitoring; and advanced surveillance technologies. The chapter aims to balance the needs of businesses to collect and use data with individuals' rights to privacy.
The General Data Protection Regulation (GDPR) tidal wave has hit. Are you ready? Is your organization prepared for the extensive privacy requirements the GDPR imposes on any organization handling EU data subjects' personal data? At this point, organizations must have a complete inventory of personal data and have conducted a data protection impact assessment (DPIA) for processing likely to result in high risk to individuals. A handful of supervisory authorities have issued compliance guidelines, but your organization must be able to assess its compliance with this ambiguous regulation at any time.
Many aspects of the GDPR define the distinction between a data controller and a data processor, their respective responsibilities and compliance requirements. Those responsibilities will affect the contracts you negotiate with third parties, the way in which you evaluate the risks involved in establishing a business relationship, and the policies you develop to maintain compliance with the regulation.
Join this webinar to learn:
*More information about GDPR and what the industry is experiencing to date
*What minimum requirements you should have had in place by May 25, 2018
*What you should plan to do for the next 12-18 months if you are not completely ready
*What the SEC Privacy Shield program is and why you should self-certify
*How to continuously monitor vendor risk KPIs
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h...AltheimPrivacy
Check out this link for the latest version: http://www.slideshare.net/EDiscoveryMap/the-eu-data-protection-reforms-impact-on-cross-border-ediscovery-27629797
The European Commission's proposal for a new General Data Protection Regulation (GDPR), represents the most significant global development in data protection law since Directive 95/46. It will considerably impact cross-border e-discovery in the EU.
The document summarizes the key points of the proposed European Union Data Protection Package. It discusses the reform of the 1995 EU Data Protection Directive and the proposed Regulation and Directive. The Regulation would apply broadly to any processing of personal data and introduce the "right to be forgotten". It would require consent for data processing and transparency about data collection and use. The Regulation establishes the authority of national data protection agencies and penalties for noncompliance.
This document discusses privacy issues related to drones, IoT, and cross-border data regulations. It provides an overview of privacy laws and approaches in the US, EU, and Canada. The US takes a sectoral approach to privacy while the EU uses a comprehensive approach. Drones pose new privacy challenges regarding reasonable expectations of privacy. IoT devices increase risks of malfunctions, hacking, and privacy/security breaches. Risk from IoT will be greatest for first-generation devices. The document recommends identifying and minimizing privacy risks through measures like privacy impact assessments.
The Countdown is on: Key Things to Know About the GDPRCase IQ
The EU’s General Data Protection Regulation (GDPR) comes into effect on May 25th. This powerful legislation strengthens data privacy laws in Europe and has implications for companies all over the world that store, process or transfer the information of the EU’s citizens.
Failure to comply with the regulation can expose a company to fines based on global revenue and reputation damage, yet many companies are struggling to comply in time.
Join information security expert and CEO/Founder of AsTech Consulting, Greg Reber, as he walks participants through a plan for GDPR compliance.
The document discusses privacy and its aspects. It defines privacy as the right to be left alone and free from public attention or disturbance from others. It notes that privacy involves aspects like secrecy, limiting access to personal information, personhood and autonomy. The document outlines different types of private information and how privacy can be violated through surveillance, hacking, blackmail and identity theft. It discusses privacy concerns related to search engines, social media, Google Maps and Street View. Finally, it provides tips on preserving privacy and regulations around privacy like the EU Data Protection Directive and laws in the UK and US.
How your nonprofit can avoid data breaches and ensure privacyTechSoup Canada
Increasingly, nonprofits hold large quantities of digital assets (such as donor information, grant application details, financial records, etc.). Organizations of all sizes and industries are being targeted by cyber criminals. Cyber-attacks will often devastate an organization’s operations and have significant financial, legal and reputational consequences.
In this webinar, Imran Ahmad of Miller Thomson, LLP will explain how implementing best practices from a pre-breach standpoint can go a long way to mitigate the negative consequences of a cyber-attack.
What you will learn:
- what the cyber threat landscape looks like
- how to ensure privacy of your digital assets
- steps to take in the aftermath of a cyber-attack
Data breach protection from a DB2 perspectiveCraig Mullins
The document discusses data breach protection from a DB2 perspective. It provides an overview of data breach legislation and compliance issues. It discusses examples of recent data breaches and resources for tracking breaches. It also covers the significant costs associated with data breaches for organizations. The document recommends several best practices for protecting data, including data masking, database security and encryption, data access auditing, database archiving, and metadata management.
Cybersecurity laws are designed to protect digital systems and data from cybercrime. Major cybersecurity laws include the Computer Fraud and Abuse Act, Health Insurance Portability and Accountability Act (HIPAA), and Payment Card Industry Data Security Standard. These laws mandate cybersecurity practices, data privacy and security requirements, and set guidelines for sharing threat information. Federal agencies like the Department of Homeland Security, FBI, and FTC enforce these laws and work to safeguard critical infrastructure from cyberattacks.
Similar to What is the GDPR & What does it mean for YOUR business? (20)
Are Hospital Physician Networks Ready for TPE Audits?Nexsen Pruet
The document discusses CMS Targeted Probe and Educate (TPE) audits conducted by Medicare Administrative Contractors. TPE audits target providers for questionable billing practices or high claim error rates. The TPE process involves reviewing documentation for 20-40 claims and providing education, with potential consequences if a provider fails three reviews like extrapolated overpayments or fraud investigations. The document outlines the five-level Medicare appeals process and notes that appealing TPE denials should be determined on a case-by-case basis. Finally, the document lists common service areas Palmetto GBA is focusing their TPE audits on, including major joint replacements, emergency room visits, and home health eligibility and medical necessity.
Current payor audits are conducted by various entities including RACs, QIOs, UPICs, and private insurers' SIUs. These auditors use data analytics to target statistical outliers and identify potential overpayments. The CMS TPE program educates providers who fail audits to improve compliance or face penalties like prepayment reviews or fraud investigations. Providers must return any identified overpayments within 60 days to avoid False Claims Act liability. Multiple levels of administrative appeal exist for Medicare and Medicaid overpayment disputes, while private payors each have their own appeal processes. Providers can prevent audits by protecting their NPI, complying with payor policies, and conducting regular self-audits to identify and address
The UPIC program aims to simplify and strengthen Medicaid integrity by replacing Zone Program Integrity Contractors with United Program Integrity Contractors to conduct unified audits across Medicare, Medicaid, and other federal health programs; UPICs will focus on identifying fraudulent providers, strengthening oversight of state financial policies, and collaborating between federal and state agencies to combat fraud, waste, and abuse. Providers can expect increased scrutiny of billing practices and medical records from UPIC audits starting in 2018.
Opportunity Zones Update - November 2018Nexsen Pruet
On October 19, 2018, the Internal Revenue Service (IRS) and the Treasury Department issued their proposed regulations relating to the Opportunity Zone program. The proposed regulations have provided helpful guidance on many of the questions regarding the new program.
In this presentation, Burnie Maybank, two-time former Director of the S.C. Department of Revenue and Nexsen Pruet tax attorney, provides insight on the Opportunity Zone program including background of the program, the lucrative tax incentives, the proposed regulations, additional guidance that may be coming and what opportunity zones mean for you.
#NPLaw's Mark C. Moore's presentation for the South Carolina Bar Association's April 13, 2018 False Claims Act/Qui Tam Whistleblower Litigation Involving Health Care Providers CLE.
Title IX Breakfast Briefing: FERPA 101Nexsen Pruet
#NPLaw's Kirsten Small, CIPP/US is a member in Nexsen Pruet’s Greenville, South Carolina office, where her practice focuses on privacy law. Kirsten has been certified in U.S. privacy law by the International Association of Privacy Professionals (IAPP). Her practice includes assisting her clients in developing policies and procedures that are compliant with privacy-related regulations. Kirsten came to the field of privacy law through her work as a litigator and appellate lawyer, a background that gives her a unique insight on how her clients’ privacy-related policies and actions can help mitigate or avoid liability.
The document is a presentation by Burnet R. Maybank, III on incentives for real estate developers under the South Carolina Textile Communities Revitalization Act. The act provides tax credits for renovating abandoned textile mill sites. Developers can claim a 25% credit against income taxes or property taxes. To qualify, developers must file a Notice of Intent before starting rehabilitation and spend a minimum amount on eligible rehabilitation expenses. The credits can be transferred between taxpayers and carried forward for unused amounts.
Municipal Improvement Districts (MIDs) allow municipalities to finance public improvements through assessments on real property located within the district. [1] MIDs are created by ordinance and allow municipalities to acquire, own, construct, enlarge, install, sell or lease improvements. [2] Common improvements include streets, parks, parking garages, and waterways. [3] Assessments placed on property within the MID have a superior lien to fund improvements and are determined based on factors like assessed value, front footage, or per parcel basis.
City of Columbia and Mast General Store Case StudyNexsen Pruet
The document summarizes a deal between the City of Columbia and Mast General Store to open a new location on Main Street. The city provided Mast with a $2 million loan at tax-exempt rates to incentivize the project, hoping Mast's proven ability to attract other retailers would revitalize the area. Though complex with multiple parties involved, the deal was successfully structured to minimize interest costs while controlling risk. The new Mast store has generated sales and spin-off activity from other businesses, achieving the city's goals.
The document discusses South Carolina's Infrastructure Tax Credit incentive for real estate developers. It provides that developers can claim a tax credit of up to 50% of expenses for constructing roads, water/sewer lines, and related facilities that are dedicated for public use. The maximum credit per project is $40,000, with unused amounts carried forward for 3 years. To qualify, projects cannot exclusively benefit the developer and must meet applicable standards.
Fee-in-Lieu Tax and Multi-County Park / Special Source Revenue Credit Arrange...Nexsen Pruet
This document discusses fee-in-lieu of tax (FILOT) arrangements and multi-county park/special source revenue credit (MCP/SSRC) incentives for developers. It covers the basics of FILOTs, a common developer FILOT project scenario, key issues that can arise for developers in FILOT arrangements including investment periods, minimum investment requirements, and events of default. It also discusses using MCP/SSRC incentives coupled with or separate from FILOT agreements.
Retail Facilities "Closed Big Box" Revitalization CreditNexsen Pruet
This document summarizes South Carolina's Retail Facilities Revitalization Credit. It provides incentives for developers who improve abandoned shopping centers or freestanding retail buildings of at least 40,000 square feet. Developers can claim a 25% property tax credit or 10% income tax credit based on rehabilitation expenses. To receive the property tax credit, the project must be approved by the local government and any affected taxing entities through public hearings and ordinances. Both credits are taken over 8 years to encourage redevelopment of closed retail properties.
This document discusses brownfield voluntary cleanup incentives in South Carolina, including an income tax credit and property tax exemption. The income tax credit is 50% of cleanup costs up to $50,000 per year and any unused amount can be carried forward for 5 years. There is also a 10% additional credit up to $50,000 in the final cleanup year. The property tax exemption exempts the county portion of property taxes for 5 years when cleanup is complete. These incentives are underutilized likely due to lack of awareness and the credits not aligning with who incurs cleanup costs versus development costs.
The New Markets Tax Credit program provides tax credits to investors in community development entities to encourage investment in low-income communities. The tax credits total 39% of the investment amount over a 7 year period. Qualified low-income community investments must be in operating businesses or real estate projects located in qualified low-income census tracts. The structure often involves a CDE obtaining an investment and using the funds to provide financing to projects, with tax credits going to investors and benefits to borrowers in the form of below-market interest rates and partial loan forgiveness.
FLSA: Exempt or Not Exempt, That is the QuestionNexsen Pruet
This summary discusses the key points from a presentation on exemptions under the Fair Labor Standards Act (FLSA). The presentation covered:
- Trends in FLSA enforcement by the Department of Labor including more investigations.
- The exemptions for executive, administrative, professional, computer, and sales employees and the salary and duties tests for each.
- Common mistakes made by employers around misclassifying employees and improper salary deductions.
- Recent court cases related to applying the exemptions.
Responding to Grand Jury: Subpoenas & Search WarrantsNexsen Pruet
The document discusses responding to criminal subpoenas, with a focus on subpoenas duces tecum for documents. It notes that criminal subpoenas are broader than civil subpoenas and provides tips for initial review of a subpoena, potential challenges, document search and production process, and expenses of compliance. It also discusses responding if a search warrant is executed, including establishing an advance planning and response protocol to protect legal interests while cooperating.
An effective compliance program has several key components: conducting a legal risk assessment to identify areas of focus, ensuring the program meets regulatory guidelines, tailoring the program to a company's unique operations, establishing standards and procedures to minimize risks and demonstrate commitment to ethical conduct, and providing training, monitoring, reporting, and investigations to foster a pro-compliance culture. An effective program is process-oriented, integrated into daily operations, and subject to continuous improvement.
Genocide in International Criminal Law.pptxMasoudZamani13
Excited to share insights from my recent presentation on genocide! 💡 In light of ongoing debates, it's crucial to delve into the nuances of this grave crime.
This document briefly explains the June compliance calendar 2024 with income tax returns, PF, ESI, and important due dates, forms to be filled out, periods, and who should file them?.
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence LawyersHarpreetSaini48
Discover how Mississauga criminal defence lawyers defend clients facing weapon offence charges with expert legal guidance and courtroom representation.
To know more visit: https://www.saini-law.com/
Lifting the Corporate Veil. Power Point Presentationseri bangash
"Lifting the Corporate Veil" is a legal concept that refers to the judicial act of disregarding the separate legal personality of a corporation or limited liability company (LLC). Normally, a corporation is considered a legal entity separate from its shareholders or members, meaning that the personal assets of shareholders or members are protected from the liabilities of the corporation. However, there are certain situations where courts may decide to "pierce" or "lift" the corporate veil, holding shareholders or members personally liable for the debts or actions of the corporation.
Here are some common scenarios in which courts might lift the corporate veil:
Fraud or Illegality: If shareholders or members use the corporate structure to perpetrate fraud, evade legal obligations, or engage in illegal activities, courts may disregard the corporate entity and hold those individuals personally liable.
Undercapitalization: If a corporation is formed with insufficient capital to conduct its intended business and meet its foreseeable liabilities, and this lack of capitalization results in harm to creditors or other parties, courts may lift the corporate veil to hold shareholders or members liable.
Failure to Observe Corporate Formalities: Corporations and LLCs are required to observe certain formalities, such as holding regular meetings, maintaining separate financial records, and avoiding commingling of personal and corporate assets. If these formalities are not observed and the corporate structure is used as a mere façade, courts may disregard the corporate entity.
Alter Ego: If there is such a unity of interest and ownership between the corporation and its shareholders or members that the separate personalities of the corporation and the individuals no longer exist, courts may treat the corporation as the alter ego of its owners and hold them personally liable.
Group Enterprises: In some cases, where multiple corporations are closely related or form part of a single economic unit, courts may pierce the corporate veil to achieve equity, particularly if one corporation's actions harm creditors or other stakeholders and the corporate structure is being used to shield culpable parties from liability.
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...Massimo Talia
This guide aims to provide information on how lawyers will be able to use the opportunities provided by AI tools and how such tools could help the business processes of small firms. Its objective is to provide lawyers with some background to understand what they can and cannot realistically expect from these products. This guide aims to give a reference point for small law practices in the EU
against which they can evaluate those classes of AI applications that are probably the most relevant for them.
Matthew Professional CV experienced Government LiaisonMattGardner52
As an experienced Government Liaison, I have demonstrated expertise in Corporate Governance. My skill set includes senior-level management in Contract Management, Legal Support, and Diplomatic Relations. I have also gained proficiency as a Corporate Liaison, utilizing my strong background in accounting, finance, and legal, with a Bachelor's degree (B.A.) from California State University. My Administrative Skills further strengthen my ability to contribute to the growth and success of any organization.
What are the common challenges faced by women lawyers working in the legal pr...lawyersonia
The legal profession, which has historically been male-dominated, has experienced a significant increase in the number of women entering the field over the past few decades. Despite this progress, women lawyers continue to encounter various challenges as they strive for top positions.
www.nexsenpruet.com to Upstate Alliance
Slide 3: POP QUIZ!
When was the first major publication advocating a right to privacy published?
‣ 1937
‣ 1890
‣ 1985
‣ 1964
Slide 4: POP QUIZ! (answer)
When was the first major publication advocating a right to privacy published?
1890
Louis Brandeis & Samuel Warren, “The Right to Privacy,” Harvard Law Review (1890)
Defining “privacy” as “the right to be let alone.”
Slide 5: HOW DO WE DEFINE PRIVACY IN THE 21ST CENTURY?
“Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information.” – American Institute of Certified Public Accountants
• Two key principles:
  • The appropriate use of personal information under the circumstances.
  • The individual’s right to control the collection, use, and disclosure of personal information.
Slide 6: HOW DO WE DEFINE PRIVACY IN THE 21ST CENTURY?
Rights
  • Of the individual
  • Of the organization
Obligations
  • Of the individual
  • Of the organization
Slide 7: U.S. vs. EU Treatment of Privacy
United States
  • Some constitutional protection
  • Commercial processing of personal information accepted (“opt out”)
  • Controls on processing are sectoral
European Union
  • Privacy as a human right
  • Default = no processing (“opt in”)
  • Uniform, across-the-board regulation
Slide 8: U.S. vs. EU Treatment of Privacy
United States – “Sensitive Personal Information”
  • Social Security Number
  • Financial Information (account numbers, etc.)
  • Driver’s License Number
  • Medical Records
European Union – “Special Categories of Data”
  • Racial or Ethnic Origin
  • Political Opinions
  • Trade Union Membership
  • Criminal Convictions
Slide 9: U.S. = Sectoral Approach, aka “Land of the Acronym”
Sectors covered: Medical, Financial, Consumer, Educational
  • CAN-SPAM
  • VPPA
  • COPPA
  • FERPA
  • FCRA
  • FACTA
  • GLBA
  • HIPAA
  • HI-TECH
  • GINA
Slide 11: EU Approach: Across-the-Board Regulation
Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 1981
  • Public/Private Sectors
  • Trans-border Data Flows
  • Mutual Assistance
Slide 12: EU Approach: Across-the-Board Regulation
European Data Directive (Directive 94/95/EC), 1995
  • Encompasses many principles now found in the GDPR
  • Intended to encourage uniformity within the EU, but
  • Not binding on member states
Slide 14: GDPR
  • Adopted 14 April 2016
  • Effective 25 May 2018
  • Binding on EU countries (no enabling legislation necessary)
  • Britain is not Brexiting from GDPR
Slide 15 (GDPR): GDPR Glossary
  • Data Subject: A living, natural person who is in the EU, regardless of residence or nationality.
  • Personal Data: Any information relating to an identified or identifiable Data Subject (“PII”).
  • Sensitive Personal Data: Origin, beliefs, opinions, union membership, biometric data, sex life/orientation.
  • Processing: Any operation performed on PII, from collection through disposal.
  • Controller: The person (natural or legal) who decides what PII will be collected and how it will be processed.
  • Processor: The person (natural or legal) who processes PII on behalf of a controller.
Slide 16 (GDPR): Key Points
  • Data Protection by Design & Default
  • Transparency
  • Minimization
  • Lawful Basis for Processing
  • Data Subjects’ Rights
  • Accountability
Slide 17 (GDPR): Data Protection
  • Data Protection by Design
    • Address information security at the front end of software development, not as an afterthought;
    • De-identification of PII;
    • Standards for international transfers
  • Data Protection by Default
    • Privacy settings “on” by default
    • Opt-in, not opt-out
Slide 18 (GDPR): Transparency
  • Disclosure: Data subjects are entitled to know:
    • What PII is being collected & how long it will be kept
    • How PII is being used
    • The specific legal basis for each and every use of PII
    • Their rights, and how to exercise them
  • Accessibility: Disclosures must be:
    • Written in “clear and plain language”
    • Easy to locate
Slide 19 (GDPR): Minimization
  • Collection of PII should be:
    • Limited in scope to the data that is adequate and relevant to the intended use
    • Limited in time to the period necessary to achieve the purpose for which the data was collected
    • As accurate as reasonably possible
Slide 20 (GDPR): Lawful Basis for Processing
  • Consent
    • Genuine choice
    • Affirmative opt-in
    • Specific and granular
  • Contract
    • Provide information
    • Fulfill a contract
  • Legal obligation
  • Vital Interests
  • Public Tasks
  • Legitimate Interests of the Controller
    • Consider data subject’s expectations
    • Requires assessment/analysis
    • For example:
      • Security/network integrity
      • Analytics
      • Performance improvement
      • B2B marketing
Slide 21 (GDPR): Data Subjects’ Rights
  • To Be Informed
  • To Object
  • To Restrict Processing
  • To Access
  • To Correction
  • To Portability
  • To Erasure (aka “the right to be forgotten”)
Slide 22 (GDPR): Accountability
  • Compliance
    • Documentation of Legitimate Interests Analysis, Data Protection Impact Assessment
    • Designated Privacy Officer
    • Supervising Processors
  • Enforcement
    • Data Protection Authority (each EU member state)
    • Remedies range from reprimand to fine of 4% of worldwide revenue or €20,000,000 – whichever is higher
Slide 23 (GDPR): Who is subject to the GDPR?
  • Controller or processor with an establishment in the EU
  • Controller or processor not in the EU, but
    • Offering goods or services (regardless of payment) in the EU; or
    • Monitoring behavior of data subjects in the EU
Slide 24 (GDPR): Who is subject to the GDPR?
  • A controller or processor outside the EU but subject to the GDPR must:
    • Comply with GDPR requirements; and
    • Appoint a Designated Privacy Officer in the EU, *unless* the processing is “occasional” and
      • Doesn’t involve large-scale processing of special categories of data or data related to criminal convictions; and
      • Is unlikely to result in a risk to the rights and freedoms of natural persons
Brandeis - Associate Justice of the US Supreme Court 1916-1939
Brandeis & Warren graduated 1st & 2nd in their class at Harvard Law in 1877, then went out and practiced law together.
Article prompted by increasing newspaper coverage of peoples’ private lives (specifically, the wedding of Warren’s daughter).
“The press is overstepping in every direction the obvious bounds of propriety and of decency. Gossip is no longer the resource of the idle and of the vicious, but has become a trade, which is pursued with industry as well as effrontery. To satisfy a prurient taste the details of sexual relations are spread broadcast in the columns of the daily papers. To occupy the indolent, column upon column is filled with idle gossip, which can only be procured by intrusion upon the domestic circle.”
The law protected the right of the creator of the content to keep the profit (e.g., copyright protection) but not the right of the subject to avoid the publication.
Processing: Does not apply to purely personal or household activity; also excludes certain activities of EU member states in the area of foreign policy/national security.
Controller/processor are not mutually exclusive roles.
Accessibility: There must be clarity as to who is collecting the information
Easy to Locate: “unsubscribe” links; cookie policy pop-ups
Scope limitation: If you want to send an electronic newsletter to a customer, what do you need?
Time limitation: Are you keeping subscribers’ information after they have unsubscribed? Employees’ information after they have left the company?
Accuracy: What are you doing to avoid corruption or inaccurate cross-linking of data?
Legal Obligation: Not just to perform a contract; must be a specific, documented obligation (subpoena, EEOC compliance).
Vital Interests: “to protect an interest which is essential to the life of the data subject” – think medical emergency, mandated reporters (maybe), suicide hotlines
Public Tasks: Primarily applicable to government agencies, affiliates, contractors. Authority doesn’t need to be as specific as under “legal obligation,” but must have a clear foundation in law.
Legitimate Interest: The most flexible basis, but care is required.
Data subject’s expectations based on relationship with the controller.
Legitimate Interest Analysis (record of your reasoning):
- What is the legitimate interest? (purpose test)
- Is the processing necessary to achieve it? (necessity test)
- Balance against the individual’s rights and freedoms (balancing test).
Examples – remember the balancing test. This is not an exception that swallows the rule.
To be informed: The right to know what data is being collected and what is being done with it. The flip side of the controller’s disclosure obligation.
Included in the right to be informed is the right of choice. Can deny access; it’s okay if certain features of your site don’t work as well.
Notify before collection of information
Consent—we’ll talk more about this in a few slides.
To Object: The right to stop processing of data for marketing purposes. Must be notified of right in every communication, and once objection is made, full stop on use.
None of this “it takes 90 days to get you off the list”
To Restrict Processing: This is the right to limit the way the controller uses your data. Tied to disclosure/consent. Specific/granular.
To Access: Data subjects have the right to see the data a controller has collected about him/her.
“Subject access request” can be written (incl. electronic) or verbal.
30 days to respond, can’t charge a fee.
To Correction: Data subject has the right to have inaccurate or incomplete data corrected or completed.
Verbal or written request; respond w/in 30 days; no fees
To Portability: This is the right to re-use data across different services without loss of functionality.
Think QuickBooks to Peachtree – it’s your information so they have to let you move it.
To Be Forgotten:
Same as others: written or verbal, 30 days (but can get an extension), no charge.
This right is only available in specific circumstances:
1. PII no longer necessary for the purpose for which it was collected;
2. Consent has been withdrawn and there is no other legal ground;
3. Data subject objects and there are no overriding legitimate grounds to process;
4. Unlawfully processed PII;
5. Compliance with a legal obligation;
6. PII collected for “information society services” offered to children (younger than 16)
EU Establishment: Doesn’t matter if data processing occurs in the EU.
Monitoring: It’s not entirely clear what this means; there is not much official guidance. The EU Commission has suggested a broad definition: “[i]n order to determine whether a processing activity can be considered to monitor the behavior of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”
That definition is potentially so broad that it probably won’t become regulatory reality. But, it points in the direction of tracking technologies (geo-location data, persistent cookies).
Designated Privacy Officer: Must be in one of the member states where the data subjects whose activities are being monitored are located.
“Unlikely to result in a risk” must take context into account; must apply EU conception of “rights and freedoms.”
CCPA is the result of a game of chicken between the CA legislature and a group called “Californians for Consumer Privacy.” CCP got 600,000 signatures for a ballot initiative (1.5% of the population); the legislature enacted the statute in late June to avoid the more stringent ballot initiative.
CCPA and AB-375 provide a lot of the same protections as the GDPR – right to know what information is being collected about you; the right to opt-out of the sale of your personal information; right of access; right to equal service.
What the CCPA would have done, which AB-375 does not do, is give consumers extensive rights to sue (individually or collectively) for violations of the act or for data breaches where information was not reasonably protected. AB-375 tempers those aspects of the bill, including by creating a 30-day right to cure a violation.