Intellectual Property, Information Technology & Cybersecurity

Authors: Susan Kohn Ross and Aaron Wais

In a compromise to avoid a ballot measure, at the very last moment on the very last day, just before the stroke of midnight, on June 29, 2018, the California legislature passed and Governor Brown signed into law the California Consumer Privacy Act of 2018 (the “Act”), which takes effect on January 1, 2020. Many of its provisions are similar to the General Data Protection Regulations (“GDPR”), which took effect in Europe at the end of May, and required companies to institute new internal data privacy regimes. So, while those companies which prepared for the GDPR are well on their way to gaining compliance with this new law, there is still much to be done by them and especially those companies which were not impacted by the GDPR.

Read more: California Consumer Privacy Act of 2018 - GDPR Lite?

It will not have escaped organisations’ attention that data protection laws have undergone significant reforms lately. The GDPR came into force on 25 May 2018, however we also have a new Data Protection Act 2018 (DPA 2018) which is now in force, thanks to some last-minute prompt progress through Parliament.

A lot of media attention centred around how the new laws enhance the rights of individuals and the potential fines organisations could face for data breaches (of up to the greater of €20 million (the DPA 2018 provides that the conversion rate for sterling will be set based on the date the penalty notice is issued) or 4% of annual global turnover). Of course, the new laws also change the way businesses may interact with each other when there is likely to be a sharing of personal data.

Read more: GDPR: Commercial realities

Contact: Jovan Rajković & Dušan Romčević; Gecic Law (Serbia)

General Data Protection Regulation (GDPR) is currently a global hot topic – and for a good reason. It practically revamps the legal framework concerning Data Protection rules, introduces a whole set of new obligations while imposing massive fines for non-compliance. While the GDPR came into the force recently, it is no surprise that many are worried how it will affect their organizations as the legislation, under certain conditions, is to be applied worldwide —both inside and outside of the EU.

Given that compliance with the GDPR will be no mean feat, requiring vast amount of time and resources, no matter how big or small the organization, the Data Protection regime imposed on Serbia and other non-EU countries can be considered somewhat ‘softer’, as it does not affect all companies. This alone can be considered a competitive advantage to foreign investors as it will make doing business in these countries easier in some cases. Namely, as per the GDPR, non-EU companies will be subject to the new Data Protection rules if their personal data processing activities are related to:

  • the offering of goods or services to natural persons who are in the EU, irrespective of whether a payment is required from these persons; or
  • the monitoring of the behavior of natural persons who are in the EU, as far as their behavior takes place within the EU.

Read more: GDPR in Serbia (and Other Non-EU Countries) – A Foreign Investors’ Perspective

Authors: By Dana B. Rosenfeld, Alysa Zeltzer Hutnik, Crystal N. Skelton, Sharon Kim Schiavetti, Christopher M. Loeffler, Ilunga Kalala, Katie Townley and Lauren Myers

You’ve probably heard of the dreaded four-letter word – GDPR.  Companies around the globe had been preparing for the May 25th implementation date for quite some time.  But U.S.-based companies with no apparent EU presence may not have thought twice about whether the data protection law across the pond even applies to them.  Let’s face it, we have enough federal and state laws here in the U.S. to worry about.  But now that the GDPR dust has settled a bit, these U.S. companies may want to take a closer to look to confirm they aren’t captured within GDPR’s sweeping scope.

Read the entire article.


Background – the GDPR

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force across the EU. Many businesses and their advisers outside the UK and the EU will be familiar with it. For the GDPR applies not just to businesses established in the EU – where there is a broad concept of an establishment under EU law which extends beyond a subsidiary to include branches and even sales agents of offshore businesses.   The GDPR also applies to businesses with no physical presence in the EU if the business either monitors the behaviour of people in the EU (e.g. via cookies or Internet tracking or profiling) or it offers goods or services to people in the EU (including free of charge).

Read more: The Data Protection Act 2018, the GDPR and non EU Businesses – Beware the long arm of UK and EU law