Tag Archives: Jeffrey P. Cunard

Post-Election Law Privacy Law Prospects

by Jeremy Feigelson, Avi Gesser, Jim Pastore, Frank Colleluori, Mengyi Xu, Jeffrey Cunard, Luke Dembosky, and Tigist Kassahun

California voters have approved the new California Privacy Rights Act (“CPRA”). The margin was 56% – 44% – comfortable, if significantly tighter than pre-election polling that showed CPRA winning in a landslide. That comes on the heels of the California Attorney General’s release of still more proposed amendments to the regulations for the existing California Consumer Privacy Act (“CCPA”). Below we sum up these important changes emerging from Sacramento. We also note some possible Election Day impacts on the privacy law reforms that have been percolating in Washington, D.C.

Continue reading

Schrems II: Privacy Shield Invalid and Severe Challenges for Standard Contractual Clauses

by , and  

Yesterday, the Court of Justice of the European Union (CJEU), the EU’s highest court, invalidated the EU-U.S. Privacy Shield for cross-border transfers of personal data.  The CJEU’s decision also cast significant doubts over whether companies can continue to use the European Commission-approved Standard Contractual Clauses (SCCs) to transfer EU personal data to the U.S., or to other jurisdictions with similarly broad surveillance regimes.  The CJEU’s lengthy decision is here and its short-form press release is here (PDF: 319.62 KB).

What does this mean for organizations that rely on Privacy Shield or SCCs?  History suggests that privacy enforcement authorities in the EU may hold their fire while efforts are made to come up with a replacement system for data transfers.  EU authorities hopefully will clarify their enforcement intentions soon.  In any event, organizations that have relied on Privacy Shield will have to turn immediately to considering what practical alternatives they might adopt.  U.S. government authorities will also have to turn to the knotty question of what data transfer mechanisms might ever satisfy the CJEU, given persistent EU concerns about U.S. government surveillance of personal data.

Continue reading

CCPA Regulations Submitted to the California Office of Administrative Law for Publication

by Jeffrey P. Cunard, Luke Dembosky, Jeremy Feigelson, and Avi Gesser

It looks like the California Attorney General’s implementing regulations for the California Consumer Privacy Act (“CCPA”) are, finally, final. On June 1, 2020, the California Attorney General submitted for publication the final proposed regulations.

The California Office of Administrative Law now has 30 working days, plus an additional 60 calendar days under an Executive Order issued in connection with the COVID-19 pandemic, to review and approve the regulations. This means the regulations may not take effect until October 1, 2020. The California Attorney General has requested expedited review in hopes that the regulations can be published by July 1, 2020. Continue reading

Fifteen Ways to Reduce Regulatory and Reputational Risks for Your AI-Powered Applications – Lessons from Recent Court Decisions and Regulatory Activity

by Avi Gesser, Henry Lebowitz, Jeffrey P. Cunard, Jim Pastore, Lisa Zornberg, Luke Dembosky, Anna R. Gressel, and Steve Tegrar

It is only February, but, so far, 2020 looks like it is going to be the year that courts and regulators look seriously at artificial intelligence (“AI”).

Recent developments in both Europe and the United States provide some insight into where AI is likely to face tough scrutiny and ways to mitigate risks of using AI. Continue reading

Proposed Modifications to CCPA Regulations—Top Takeaways

by Jeffrey P. Cunard, Luke Dembosky, Jeremy Feigelson, Avi Gesser, Jim Pastore, Javier Alvarez-Oviedo, Jeremy C. Beutler, H Jacqueline Brehmer, Christopher S. Ford, and Kate Saba

On Friday evening, February 7, the California Attorney General released a new round of proposed changes to the draft regulations implementing the California Consumer Privacy Act. Some thoughts to help guide interested parties through the AG’s dense 32-page release (PDF: 1.25 MB), which redlines the proposed modifications against the prior draft regulations:

Guidance on “Personal Information”

The draft proposes to clarify the definition of “personal information,” which turns on whether the information can be associated or linked with a particular consumer or household. It then provides an example: “[I]f a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be ‘personal information.’” Continue reading