European Top Court Confirms Companies Need to Name “Recipients” of Personal Data When Responding to Access Requests, Not Just Categories

On January 12, 2023, the Court of Justice of the European Union (“CJEU”) ruled in case C-154/21 | Österreichische Post AG that controllers must provide the specific identity of any “recipient” of personal data in response to a GDPR access request. While the GDPR itself states that controllers may inform…

Read More

6 Predictions, 6 Attorneys - Goodwin's 2023 Data, Privacy & Cybersecurity Outlook

In honor of Data Privacy Week, and as we kick off 2023, many of us are wondering what this year’s hot topics and trends will be in the privacy and cybersecurity sector. How will the new Privacy Shield in the EU and UK affect data regulation? How will state privacy…

Read More

New Swiss Data Protection Law Will Become Effective September 1st, 2023 – What You Need to Know

On September 25, 2020, the Swiss Parliament approved revisions to Switzerland’s data protection law, the Federal Act on Data Protection of June 19, 1992 or FADP (“Revised FADP”). On August 31, 2022, the Swiss Federal Council decided that the Revised FADP will be brought into force on September 1st, 2023…

Read More

Crystal Ball Privacy in 2023: US States, Kids and AI

Last year was a rollercoaster year for data protection and privacy professionals, but expect 2023 to call and raise 2022’s activity at the state, federal and international levels. Privacy, as we all know, is recession-proof. These will be some of the highlights: US state laws go into force The most…

Read More

Banking on an Exemption: Do Universities Qualify as Financial Institutions Exempt from the Illinois Biometric Information Privacy Act?

Is a university a financial institution governed by the Gramm-Leach Bliley-Act (“GLBA”), or are they subject to the Illinois Biometric Information Privacy Act (“BIPA”) and its heightened protections for individuals’ biometric data? This question has animated a series of BIPA cases in Illinois courts over the years, and has spawned…

Read More

EU Commission Publishes Draft Adequacy Decision on Privacy Shield 2.0

On December 13, 2022, the European Commission published a draft adequacy decision on the EU-US Data Privacy Framework (the “Framework”), the successor to the EU-US Privacy Shield Framework that was famously struck down by Europe’s top court two years ago. While the purpose of the draft adequacy decision, once adopted,…

Read More

EU Standard Contractual Clauses Need Replacing by December 27, 2022

Introduction On June 4, 2021, the European Commission (the “EC”) abolished the old Standard Contractual Clauses (the “Old SCCs”) and published a new more flexible set of clauses (the “New SCCs”) for companies that wish to export personal data from the EU to elsewhere to rely on (for more information,…

Read More

NYDFS Escalates and Expands Cybersecurity Enforcement

On October 18, 2022, the New York Department of Financial Services (“NYDFS”) announced the execution of its sixth consent order for alleged violations of Cybersecurity Regulation, Part 500 of Title 23 of the New York Codes, Rules, and Regulations (“Part 500”).  This latest settlement imposes a $4.5 million fine on…

Read More

A Long-Awaited Privacy Measure Finally Becomes Law in Indonesia

Indonesia joins its Southeast Asian neighbors, Singapore, Malaysia, Thailand, and the Philippines, with its adoption of a comprehensive data protection law. The new measure, the Personal Data Protection Law (“PDPL”), which appears to have taken inspiration from the European General Data Protection Regulation (“GDPR”) was long anticipated after the various…

Read More