Privacy Compliance & Data Security Blog

Odia is a frequent contributor to the firm's Privacy Compliance & Data Security blog, writing regularly on a wide variety of emerging international data privacy and cybersecurity issues. Topics include the European Union's General Data Protection Regulation, the California Consumer Privacy Act and Pacific Rim data privacy initiatives.

Read Odia's most recent posts below or view a complete list of all her articles.

Recent Blog Posts

  • EDPB Issues Final Guidelines on the Extraterritorial Application of GDPR
    The European Data Protection Board has issued long-awaited final guidelines for the extraterritorial application of the General Data Protection Regulation (GDPR). Key changes: GDPR can apply extraterritorially to some streams of data processing and not others, and not to the entire entity. GDPR applies to many non-EU data processors, including cloud storage providers for data processing activities captured by GDPR. This will mean non-EU data processors will need to look for compliance with the GDPR data processor obligations not subsumed in the Article...
  • Polish Data Protection Authority Fines Website for Overly Complicated Consent Withdrawal Process
    The Polish data protection authority has fined ClickQuickNow €47,126.97 for violating the General Data Protection Regulation (GDPR) by requiring too difficult a process for revoking consent. The process in question required the person who submits the statement of withdrawal of consent to indicate the reason for his request after the site provided the person with a message saying “Your withdrawal of consent today […]!”. Only following this did the company inform the person about how to withdraw consent. The data protection authority took...
  • Danish Data Protection Authority: Auto-Complete Not Prohibited by GDPR
    The auto-complete function is not prohibited by GDPR, says the Danish data protection authority. The search function suggested certain search suggestions automatically including the complainant’s name. The purpose of the function was to offer a better service to citizens. The municipality also stated that when a user performs a search only the entered keyword is stored in the search engine. All keywords are stored as simple text strings, so it is basically impossible for the feature to distinguish whether the keyword is a personal...
  • China Orders App Developers to Halt Illegal Personal Data Collection
    “Regulators ordered China’s app developers and third-party service providers to halt illegal collection and use of personal data in a sweep targeting some of the country’s largest apps,” reports “The latest crackdown signals the government’s determination to clean up unauthorized data collection from any and every company violating data privacy laws, particularly bigger players.” “The platforms have until Nov. 10 to carry out self-inspections and make changes.” Authorities will take action against non-compliant apps during the first three weeks of December,...
  • FTC Alleges Nevada Data Center Company Made False Privacy Shield Claims
    In a complaint, the Federal Trade Commission alleges that between January 2017 and October 2018, RagingWire Data Centers, Inc. claimed in its online privacy policy that the company participated in the Privacy Shield framework and complied with the program’s requirements, even though it had allowed its certification to lapse in January 2018. The Department of Commerce warned RagingWire twice to either remove the claims or take steps to recertify its participation in the Privacy Shield program. The company, however, failed...
  • Canadian Privacy Officials Urge Update of Country’s Data Privacy Laws
    Information and Privacy Ombudspersons and Commissioners from across Canada are urging their governments to modernize access to information and privacy laws, some of which have not been updated in 35 years. Their joint resolution calls for: a legislative framework to ensure the responsible development and use of artificial intelligence and machine learning technologies; all public and private sector entities engaged in handling personal information to be subject to privacy laws; enforcement powers, such as legislating order-making powers and the power to impose penalties,...
  • ‘Online Privacy Act’ Would Create New Federal Enforcement Agency
    Democratic U.S. Reps. Anna Eshoo and Zoe Lofgren have announced the Online Privacy Act, a proposal that would create a federal enforcement agency to protect privacy rights. “The bill proposes the creation of the Digital Privacy Agency (DPA) that would have the power to enforce privacy rights for users and make sure companies follow the law. The independent agency would be funded for up to 1,600 employees and could impose damages up to the same maximum amount as the FTC’s, which...
  • Isle of Man Issues Guidance on Accountability Under GDPR
    The Information Commissioner of the Isle of Man has issued guidance on “accountability” under GDPR. Key takeaways: You need to develop, embed and maintain a culture of data protection in your processing activities, with compliance demonstrably supported from the top. All processing of personal data should be subject to overview, governance and demonstrable compliance. Key components: effective data protection policies and procedures, in particular regarding security arrangements; records of processing activities; ongoing review and testing of security arrangements, and compliance with policies and procedures. Providing staff appropriate...
  • Impact Assessment: CCPA Privacy Notice Regs Will Have Little Economic Impact
    Do the draft CCPA Regulations make a big difference in compliance costs when it comes to privacy notices? The Standardized Regulatory Impact Assessment (SRIA) of the economic impact of the draft CCPA Regulations says – maybe not. The SRIA issued together with the draft regs does not see any incremental economic impact to the regulations’ provisions on privacy notices, stating that the proposed requirements are what businesses would likely do anyway. “Because notification requirements are required under the CCPA, the economic impacts of...
  • California AG: No CCPA Safe Harbor for GDPR Compliance
    The California Attorney General considered and rejected the creation of a safe harbor exemption from the CCPA for businesses that are already complying with GDPR, says the statement of reasons that accompanies the draft CCPA Regulations. “The Attorney General rejected this alternative because CCPA and GDPR have different requirements, different definitions, and different scopes. For example, GDPR prohibits collection without express consent; CCPA does not prohibit collection. GDPR does not have a right to opt-out of sale; the right to opt-out...