2021 was a busy year for data protection law in China. On June 10, 2021, the Standing Committee of the National People’s Congress of the People’s Republic of China adopted the Data Security Law (DSL), which went into effect on September 1, 2021. On August 20, 2021, the Standing Committee of the National People’s Congress enacted the Personal Information Protection Law (PIPL), which went into effect just last month, in November 2021. The DSL applies broadly to the processing of all data, not just personal information or electronic data, and expands on the provisions of China’s Cybersecurity Law, which was enacted in 2016. In contrast, the PIPL applies only to the processing of personal information and has been compared to Europe’s General Data Protection Regulation (GDPR), although that comparison may obscure the contours of China’s law more than it enlightens.

Consistent with the course of Chinese administrative law, the laws’ key terms, analyses, and processes will continue to be fleshed out and perhaps materially enhanced or diminished in a series of regulations, measures, standards, and guidance documents. The latest draft measures on cross-border transfers, which are being closely watched by organizations contemplating cross-border data transfers, were published at the end of October, and comments were accepted through November. We expect China to continue finalizing the laws’ terms and measures in 2022.

Attorneys for Blackbaud and the putative class action plaintiffs allegedly impacted by the publicly-traded software company’s data breach last year were scheduled to meet last month to discuss a possible resolution of the remaining claims in the multi-district litigation. But the only filings in the case since then concern a contemplated amended complaint, suggesting the MDL is entering a new phase rather than nearing a conclusion.

The planned mediation and order regarding the expected new pleading came several days after Blackbaud announced, along with strong third-quarter financial results, that it has nearly exhausted its $50 million in relevant insurance coverage.

“Based on our review of expenses incurred to date, and upon consideration of the number of matters outstanding,” the company reported, referring to hundreds of customer requests for reimbursement in addition to the putative consumer class actions in the U.S. and Canada, “we believe that total costs related to the Security Incident will exceed the limits of our insurance coverage during the fourth quarter of 2021.” The company, whose fundraising and constituent-relationship software is widely used by nonprofits, noted that breach-related costs would “negatively impact our [Generally Accepted Accounting Principles] profitability and cash flow for the foreseeable future.”

The Court of Justice of the European Union (CJEU) dealt a blow to transatlantic data flows in July with its decision in Schrems II, invalidating the EU-U.S. Privacy Shield while conditionally approving the continued use of Standard Contractual Clauses (SCC). In a white paper published late last month, the U.S. government responded to the CJEU’s critical appraisal of American intelligence agencies’ data-collection practices by identifying Schrems II’s shortcomings and offering guidance to companies seeking to comply with it. Schrems II is problematic in various ways, the multi-agency paper concludes, but with minor adjustments, most EU-U.S. digital dealings should be able to continue as before.

Latin American privacy laws may pose special challenges for businesses considering when and how to reopen their facilities during the coronavirus pandemic. As elsewhere, many companies operating in Latin America may decide to screen employees for their COVID-19 risk levels before allowing them to enter a shared workspace. Already in place in many European and Asian countries, screening options primarily involve contact tracing or temperature checks. As they focus on health and safety, however, companies should also bear in mind a potentially competing interest: protecting employees’ privacy.