
Determann’s Field Guide to Data Privacy Law: International Corporate Compliance PDF

250 Pages·2022·2.826 MB·English

Preview Determann’s Field Guide to Data Privacy Law: International Corporate Compliance

Determann’s Field Guide to Data Privacy Law

Elgar Compliance Guides
Series Editor: James Fanto, Brooklyn Law School, USA

Titles in the series include:
Strategies for Minimizing Risk Under the Foreign Corrupt Practices Act and Related Laws, Mike Koehler
Determann’s Field Guide to Data Privacy Law: International Corporate Compliance, Fourth Edition, Lothar Determann
Anti-Corruption Compliance: A Guide for Small and Mid-Sized Organizations, Gemma Aiolfi
Anti-Money Laundering Regulation and Compliance: Key Problems and Practice Areas, Alexander Dill
Determann’s Field Guide to Data Privacy Law: International Corporate Compliance, Fifth Edition, Lothar Determann

Determann’s Field Guide to Data Privacy Law: International Corporate Compliance, Fifth Edition
Lothar Determann, Baker McKenzie LLP, Palo Alto, USA; Freie Universität Berlin, Germany; University of California, Berkeley School of Law and Hastings College of the Law, USA
Elgar Compliance Guides
Cheltenham, UK • Northampton, MA, USA

© Lothar Determann 2022
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical or photocopying, recording, or otherwise without the prior permission of the publisher.

Published by Edward Elgar Publishing Limited, The Lypiatts, 15 Lansdown Road, Cheltenham, Glos GL50 2JA, UK
Edward Elgar Publishing, Inc., William Pratt House, 9 Dewey Court, Northampton, Massachusetts 01060, USA

A catalogue record for this book is available from the British Library.
Library of Congress Control Number: 2021952126
This book is available electronically in the Law subject collection: http://dx.doi.org/10.4337/9781802202915
ISBN 978 1 80220 290 8 (cased)
ISBN 978 1 80220 291 5 (eBook)
ISBN 978 1 80220 292 2 (paperback)

Table of contents

About this fifth edition, contributors and your guide
Introduction
Key terms
Key concepts
  The habitat: data protection, privacy and security
  The territory: Europe, U.S. and the Rest of the World
  The species: personal data, personally identifiable information and sensitive data
  Activities encountered: transfers and other forms of processing
  The observed: controllers and processors
  The game wardens: data protection authorities, officers

The Field Guide
1 Starting a compliance program
  Taking charge
  Tools and automation
  Working with internal stakeholders and outside advisors
  Appointing a privacy officer
  Preparing a task list
  Executing tasks
2 International data transfers – selecting compliance mechanisms
  Three hurdles
  Options to clear hurdle 3 – prohibition of international transfers
  Compliance mechanisms compared
  Implementation
  Data transfers from other jurisdictions
3 Drafting documentation
  Why are you creating the document?
  Who is your audience?
  Categories and examples of documentation
  Notices
  Consent
  How to obtain valid consent
  Opt in, opt out and in between
  Above and beyond opt-in consent
  Other considerations for consent drafting
  Agreements
  Protocols
  Data subject requests, questionnaires and data submission forms
  Documenting decisions and compliance efforts
  Records of Processing Activities (RoPAs), data maps and flowcharts
  Government notifications, approvals
4 Maintaining and auditing compliance programs
5 Data privacy A to Z
  Advertising
  Big data and brokers
  Cloud computing
  Data retention and residency requirements
  Employee data and monitoring
  Financial information
  Government investigations, information requests
  Health information
  Internet of Everything, connected devices
  Jurisdiction
  K-Contracts
  Location data
  Minors
  Notification of data security breaches
  Ownership and monetization
  Privacy by design
  Questionnaires
  Rights, remedies, enforcement
  Social media
  Tracking
  Unsolicited communications
  Vendor management
  Wiretapping
  X-rays, genes and biometric data
  Y-Why protect data privacy?
  ZIP codes, IP addresses and anonymity
Checklist: Data privacy law compliance program
Resources
Abbreviations
Index

About this fifth edition, contributors and your guide

Since the fourth edition of this Field Guide went to print in 2019, privacy laws have changed, particularly in the United States. The California Consumer Privacy Act (CCPA) took effect in 2020 and was cemented and significantly expanded in the same year by the California Privacy Rights Act (CPRA), which establishes the first dedicated data protection authority in the United States and adopts many of the same types of omnibus restrictions on personal data processing contained in the EU General Data Protection Regulation (GDPR).

The California Legislature cannot easily amend the CCPA anymore, because the CPRA was enacted by way of a ballot initiative by voters at the general election, limiting legislative discretion. The California Legislature can and should, however, adjust or repeal its myriad existing sector-, situation- and harm-specific privacy laws, given that many of these laws are now obsolete or superseded by the CCPA. Meanwhile, Nevada, Virginia and Colorado have adopted some CCPA rules with modifications and many other U.S. states are working on similar legislation. Congress seems unable to agree on federal legislation that could override or harmonize diverging state laws. Consequently, companies doing business in the United States face the worst of all worlds: an overgrown thicket of existing sector-, situation- and harm-specific privacy laws at the state and federal level plus new omnibus state laws adding EU-style data processing regulations, but with diverging rules and terminology in each state and very active enforcement by private plaintiffs’ lawyers and attorneys general. Outside the United States, privacy law changes have been more gradual and have largely followed the GDPR that took effect in the EU in 2018. Brazil’s GDPR-like data protection law took effect in 2020 but with
