Since 2018, the General Data Protection Regulation (GDPR) has wielded a significant impact on privacy practices across the globe. Aside from offering strong protection for the personal data of European Union citizens, GDPR has effected many changes in the way companies conduct business when EU data is part of the equation. Likewise, it has become the gold standard and a model for privacy legislation in many jurisdictions within the United States, as well as around the world.

DPAs (Data Protection Agreements or Exhibits (Addenda)) are common in commercial arrangements involving access to the personal data of end users. When you are the customer in such a transaction and your end users’ data will be accessed by a vendor, it is important that you fully understand the scope of the protections being afforded this data under the DPA, especially when the DPA is drafted by the vendor.

Many states are grappling with privacy issues and considering data privacy legislation due to the absence of a comprehensive federal data protection law. This effort is being fueled, in large part, by consumers pushing for data privacy protection in the face of businesses’ expanded use and sale of personal data. With the recent passage of a privacy law in Connecticut, 5 states (California, Colorado, Connecticut, Utah and Virginia) now have state privacy laws. At least 13 states and the District of Columbia are currently considering privacy legislation, and another 15 states considered, but did not pass, privacy legislation in the last year.

Just as the ink had dried on what we thought was the CA Attorney General’s final set of regulations for the California Consumer Privacy Act (CCPA), a new, fourth draft set was submitted earlier this month, building upon the third draft set issued in October. Both sets of regs have yet to be finalized.

After years of uncertainty, the fate of the EU-U.S. Privacy Shield (“Shield”) has finally been determined. On July 16^th, the EU’s highest court, the Court of Justice of the European Union (CJEU), declared the Shield to be invalid as a lawful mechanism for transferring the personal data of EU residents to the U.S.

It didn’t take long for other states to follow California’s lead in pursuing rigorous data privacy protections for their residents. Although New York was unsuccessful in passing its own version of the California Consumer Protection Act (CCPA) this year, legislation expanding data breach notification protocols was signed into law by Governor Andrew Cuomo on July 25, 2019¹. The SHIELD Act (the Stop Hacks and Improve Electronic Data Security Act) signals a growing trend in the U.S. toward strengthening data privacy protections in the wake of high-profile data breaches through the adoption of more comprehensive and enforceable regulations.

Despite the global angst preceding the GDRP’s effective date, there’s been seemingly little news about enforcement efforts against noncompliant businesses. But, the reality is that EU regulators have been very busy working behind the scenes. As of February, 2019, nearly 100,000 claims under the GDPR have been lodged with EU national data protection authorities (“DPAs”), many relating to telemarketing and promotional e-mails. Similarly, just over 40,000 data breaches were reported to the DPAs; and 255 investigations into EU cross-border processing activities were initiated, mostly as a result of complaints filed by individuals.