It was a tumultuous summer in the world of data privacy, so I wanted to keep legal and compliance teams updated on changes that may affect your business in the coming months. Below is a recap of important data privacy changes across multiple jurisdictions, as well as where to go to dive into these updates a little deeper. Keep in mind that some of these changes may mean heightened responsibilities for companies related to breach requirements and/or data subject rights.
U.S.
On September 17th, four U.S. Republican senators introduced the “Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act” (SAFE DATA). The Act is intended to provide Americans “with more choice and control over their data and direct businesses to be more transparent and accountable for their data practices.” The Act contains data privacy elements that are reminiscent of the GDPR and California Consumer Privacy Act (CCPA) of 2018, including requiring tech companies to provide users with notice of privacy policies, giving consumers the ability to opt in and out of the collection of personal information, and requiring businesses to allow consumers the ability to access, correct, or delete their personal data. See the press release issued by the U.S. Senate Committee on Commerce, Science and Transportation here: https://www.commerce.senate.gov/2020/9/wicker-thune-fischer-blackburn-introduce-consumer-data-privacy-legislation
California’s Proposition 24 (the “California Privacy Rights Act of 2020”) will be on the state ballot this November. In some ways, the Act expands upon the CCPA by creating a California Privacy Protection Agency and tripling fines for collecting and selling children’s private information. Proponents say it will enhance data privacy rights for California citizens and give them more control over their own data. Opponents are concerned that it will result in a “pay for privacy” scheme, where large corporations can downgrade services unless consumers pay a fee to protect their own personal data. See: https://www.sos.ca.gov/elections/ballot-measures/qualified-ballot-measures for access to the proposed Act.
In mid-August, the Virginia Legislative Commission initiated study commissions to begin evaluating elements of the proposed Virginia Privacy Act, which would impose similar data privacy responsibilities on companies operating within Virginia as the GDPR does for those in Europe and the CCPA does for those in California. To access the proposed Act, see: https://lis.virginia.gov/cgi-bin/legp604.exe?201+sum+HB473.
Europe
On September 8, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) concluded that the Swiss-US Privacy Shield does not provide an adequate level of protection for data transfers from Switzerland to the US. The statement came via a position paper issued after the Commissioner’s annual assessment of the Swiss-US Privacy Shield regime, and was based on the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union (CJEU). You can find more about the FDPIC position paper here: https://www.edoeb.admin.ch/edoeb/en/home/latest-news/media/medienmitteilungen.msg-id-80318.html
Similarly, Ireland’s data protection commissioner issued a preliminary order to Facebook to stop sending data transfers from EU users to the U.S., based on the CJEU’s language in the Schrems II decision which invalidated the EU-US Privacy Shield. In response, Facebook has threatened to halt Facebook and Instagram services in the EU. Check out the Wall Street Journal’s reporting on the preliminary order issued by the Ireland Data Protection Commission here: https://www.wsj.com/articles/ireland-to-order-facebook-to-stop-sending-user-data-to-u-s-11599671980. For Facebook’s response filing in Ireland, see: https://www.dropbox.com/s/yngcdv99irbm5sr/Facebook%20DPC%20filing%20Sept%202020-rotated.pdf?dl=0
Relatedly, in the wake of the Schrems II judgment, the European Data Protection Board has also created a task force to look into 101 complaints filed with several data controllers in EEA member states related to Google/Facebook transfers of personal data into the United States. See the EDPB’s statement here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-seventh-plenary-session-guidelines-controller_en
Brazil
In September, the new Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) became retroactively effective after the end of a 15-business-day period imposed by the Brazilian Constitution. This was a surprising turn of events after the Brazilian Senate rejected a temporary provisional measure on August 26th that would have delayed the effective date to the summer of 2021. Companies should be aware that the law is similar to the GDPR in that it is extraterritorial and bestows enhanced privacy rights on individuals (including right to access and right to know). Be aware, too, that although administrative enforcement will not begin until August of 2021, Brazilian citizens now have a private right of action against organizations that violate data subjects’ privacy rights under the new law. For more information, check out the LGPD site (which can be translated via Google Chrome) with helpful guides and tips, as well as links to the original law: https://www.lgpdbrasil.com.br/. The National Law Review also has a good overview of the sequence of events that led up to this change here: https://www.natlawreview.com/article/brazil-s-data-protection-law-will-be-effective-after-all-enforcement-provisions.
Egypt
In June, Egypt passed the Egyptian Data Protection Law (DPL), which is the first law of its kind in that country and aims to protect the personal data of Egyptian citizens and EU citizens in Egypt. The law prohibits businesses from collecting, processing, or disclosing personal information without permission from the data subject. It also prohibits the transfer of personal data to a foreign country without a license from Egypt. See the International Association of Privacy Professionals’ reporting on the law here: https://iapp.org/news/a/egypt-passes-first-data-protection-law/
To discuss this topic further, please feel free to reach out to me at SMoran@lighthouseglobal.com.