Right to be forgotten. A “right to erasure” requires controllers to delete personal data in a variety of cases, including if the data was collected when the data subject was still a child in need of parental consent, or if the data is sensitive. (This is similar to the so-called “right to be forgotten”.)

Cross Border Transfers Still Restricted. As provided in the EU Data Directive, the transfer of personal data to a location outside the EU remains restricted. The EU-US Safe Harbor was used for many years as a vehicle for such transfer until it was invalidated and replaced by the Privacy Shield program. Unfortunately, the Privacy Shield program was also invalidated in 2020. As of the publication of this Guide in January 2024, the options available for businesses to transfer personal data of EU residents are express consent, Model Contracts, Binding Corporate Rules, and the Data Privacy Framework discussed below.

While many privacy advocates have praised the GDPR as a reasonable compromise of multiple interests, some have expressed concern over the potential sanctions for non-compliance, such as fines based on company revenue, and fear that investors in Europe may move technology ventures to Asia or elsewhere to avoid potential fines. In any case, businesses with significant global operations, even if via e-commerce, must comply with the GDPR.

Transfer of Personal Data Outside of the European Union

A major concern of the GDPR is the protection of personal data that may be transferred outside the EU and the jurisdiction of the DPA to a country (such as the USA) that does not adhere to the same privacy principles set forth in the GDPR. According to EU privacy law, personal data may only be transferred outside the EU where it is afforded an adequate level of protection. Such transfers are particularly easy with respect to personal information transmitted via the Internet. The United States has been one