Welcome back to Shhhh…(a Privacy Blog). Lots have happened in the privacy world in the past few months, and we thought we’d catch our readers up on the biggest headlines.
Updated Standard Contractual Clauses
The first part of Step 2 involves taking the country list from Step 1 and determining whether the European Commission has found the privacy protections of those countries adequate under GDPR. Remember: this is for data exports outside of the European Economic Area versions. As a quick reminder, the SCCs continue to be the most common and, for many US-based companies, the most feasible transfer mechanism for transfers of personal data from Europe to the United States and to any other country without an adequacy decision from the European Commission. The updated SCCs are designed to reflect a broader range of data transfer scenarios, including processor-to-subprocessor and processor-to-controller transfers, and scenarios where the data exporter (the entity transferring data outside of the EU) is itself established outside of the EU. However, there is a lot to unpack about how to implement the new SCCs. For example, according to the European Data Protection Board’s recommendations addressing cross-border data transfers, a company seeking to transfer data outside the EU must verify on a case-by-case basis whether the law or practice of the third-country importer might compromise the effectiveness of the SCCs. This verification process is lengthy and will be particularly impactful on smaller companies with limited resources to carry out the risk analysis, documentation, and monitoring it requires. Still, the additional guidance is a step forward. Could it eventually propel the US and Europe to reach a political solution? We will follow up on this topic with a separate post, in which we take a closer look at the transfer tools available for transferring data outside the EU and into the US, in particular the updated SCCs and the supplementary measures that must accompany them.
California Introduces New Privacy Tools
State-side, the California Attorney General’s office recently announced two newsworthy tools that may impact readers. The first is the Global Privacy Control (“GPC”), a universal widget that companies subject to the “Do Not Track” requirements can incorporate on their website to automate the process. This opt-out tool, developed by an independent group of stakeholders, allows users to automatically signal their privacy preferences to participating websites. Companies and businesses that have implemented a California Consumer Privacy Act (“CCPA”) “Do Not Sell My Personal Information” opt-out mechanism may want to consider taking advantage of the GPC. Will big tech companies lead the charge in adopting this tool? We shall see.
California also introduced the Consumer Privacy Tool, an interactive Q&A form on the Attorney General’s (“AG’s”) website designed to help consumers draft notices of non-compliance and send them to businesses directly, rather than relying on the AG’s office to do it. This notice, if properly sent, could in theory start the CCPA’s 30-day cure period during which a business must bring itself into compliance with the CCPA or face fines from the AG’s office. The tool is currently limited to failures to post “Do Not Sell” links on a business website, but could eventually be used to track other types of CCPA violations.
Colorado Joins the Privacy Pack
As you have probably heard by now, Colorado became the third state to pass a comprehensive data privacy law with the Colorado Privacy Act, scheduled to take effect on July 1, 2023. Colorado joins Virginia, where the Virginia Consumer Data Protection Act takes effect on January 1, 2023, and California, where the CCPA became operative on July 1, 2020, and where most provisions of the California Privacy Rights Act will take effect on July 1, 2023. Stay tuned as we unpack the main similarities and differences between each state’s approach to privacy and track movements in other states.
Pressure Mounts for a Uniform Federal Approach to Data Privacy
Finally, we want to share two pieces of news on the push for a uniform federal approach to data privacy. The Uniform Law Commission (the agency responsible for drafting laws that many states implement in all subject areas) has drafted and released an initial draft Uniform Personal Data Protection Act (“UPDPA”). The stated goal of the UPDPA is to provide a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with regimes like California, Virginia and now Colorado. Designed for states to adopt as written or use as a model in creating their own legislation, the law would apply to controllers and processors conducting business in a state and maintaining personal data of more than 50,000 residents during a calendar year or earning more than 50% if gross annual revenue from maintaining personal data. Importantly, while the law would provide individuals with limited rights to access and correct personal data, it would not include a private right of action. We will be watching closely to see what happens next with the UPDPA.
Lastly, just last week U.S. lawmakers introduced a draft federal privacy bill, entitled “Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act.” If approved, the bill would require companies to post privacy notices and appoint a designated privacy officer, would give consumers subject access rights similar to those currently found in California, Virginia, and Colorado, and would require businesses to conduct a privacy impact assessment for risk data processing activities. The bill would also give enhanced powers to the Federal Trade Commission.
Stay tuned for more privacy news from the Carney Badley Spellman team of privacy attorneys.
Have questions? Please contact us at privacygroup@carneylaw.com for more assistance! Or visit us at Carneylaw.com
Disclaimer: this post is for informational/educational purposes only. It is not intended to provide any legal advice.
Copyright © 2021 Carney Badley Spellman, P.S.