By: Nick Whisler and Josh Stevens

The past several weeks have brought a flurry of U.S. and international privacy developments. To help you stay on top of the ever-changing landscape, here is a high-level summary of recent news and upcoming events.
Federal Developments
- On September 17, a group of Republican senators announced a proposed federal privacy law called the SAFE DATA Act. Among other things, the law would increase transparency requirements for businesses, give consumers more control over their data, place restrictions on the collection and use of sensitive data, require businesses to conduct privacy impact assessments on certain data processing activities, and impose data security requirements. The law preempts state privacy and data security laws that purport to regulate entities covered by the federal law. It does not preempt state data breach notification laws. The law would also expand the FTC’s jurisdictional and enforcement authorities and require it to adopt privacy regulations and establish a data broker registry.
- On September 23, the Senate Committee on Commerce, Science, and Transportation held a hearing titled “Revisiting the Need for Federal Data Privacy Legislation.” The hearing included testimony from former FTC commissioners and the current California Attorney General, Xavier Becerra. In addition to providing high-level recommendations on the ideal framework for federal privacy laws, the witnesses addressed subtopics such as government enforcement powers, preemption of state laws, the impact of privacy laws on racial equality, and whether privacy laws should include a private right of action.
State Developments
- The California Attorney General’s enforcement authority under the California Consumer Privacy Act (CCPA) took effect July 1. Shortly thereafter, the state released the text of the approved CCPA Regulations. AG Becerra’s Congressional testimony confirmed widely held beliefs that the AG’s initial enforcement efforts would focus on companies with non-compliant privacy policies or missing “Do Not Sell My Personal Information” links, as well as on investigations stemming from consumer complaints. He also noted that the office has been reviewing service provider contracts to ensure they include the CCPA-required use and sharing limitations.
- Earlier this month, the legislature extended the partial CCPA exemptions for businesses that process personal information related to: (1) employees, contractors, and job applicants; and (2) business contacts. These partial exemptions now sunset on January 1, 2022.
- This month the California Legislature also passed AB 713, which expands the scope of the CCPA’s HIPAA exemption to cover certain types of deidentified health and medical information. The bill provides additional CCPA exemptions for business associates that act on behalf of covered entities and information collected and used solely for specified research purposes. The bill does, however, impose disclosure and contract requirements on businesses that share deidentified information.
- In November, California residents will vote on the California Privacy Rights Act (CPRA). The initiative, which is widely expected to pass, would give consumers the right to correct inaccurate personal information held by businesses, impose additional restrictions on the use of sensitive personal information, create a new government agency (the California Privacy Protection Agency) to enforce privacy laws, require certain businesses to conduct annual security audits and risk assessments, and require the state to adopt regulations to restrict automated decision-making processes.
- The Washington Privacy Act has been reintroduced after having narrowly failed to pass in the last legislative session due to late disagreements over the private right of action. Modeled on GDPR, the Washington Privacy Act would apply to businesses that control personal information of over 100,000 Washingtonians in a calendar year, or derive at least 25% of revenue from the sale of personal information and process personal information of over 25,000 Washingtonians in a calendar year. Personal data regulated under other frameworks like HIPAA, GLBA, and FCRA would be exempt, as would employee records. The Act would preempt local regulations except for those in effect as of July 1, 2020. Importantly, the Act does not include a private right of action, instead giving the AG sole enforcement authority with penalties of up to $7,500 per violation if not cured within 30 days of notice. The Act would also come into effect 120 days after enactment, so businesses will need to be prepared to respond quickly if the Act passes this term.
International Developments
- The European Court of Justice, in its Schrems II decision, invalidated the EU-U.S. Privacy Shield framework for EU-U.S. data transfers. At a high level, the Court found that the framework did not provide European residents with privacy rights equivalent to those in Europe, due to U.S. national security laws and a lack of judicial review of privacy rights violations for European residents. Shortly thereafter, the Swiss data protection authority similarly invalidated Privacy Shield as applied to Swiss-U.S. data transfers. Data exporters and importers must now turn to alternative mechanisms such as standard contractual clauses to provide adequate safeguards for EU-U.S. data transfers under GDPR; however, these mechanisms are also subject to rapidly growing scrutiny.
- Following the Schrems II decision, the Irish Data Protection Commissioner ordered Facebook to cease transferring personal data to the U.S. Although currently on appeal, this decision demonstrates growing concern among EU data protection authorities that transfers of personal data to the U.S. may violate GDPR requirements even when alternative adequate safeguards are used.
- Brazil’s new General Data Protection Law (LGPD) went into effect on September 18, 2020, although enforcement will not begin until August 1, 2021. LGPD, like GDPR, has extraterritorial scope and applies generally to businesses with only minor exceptions. LGPD gives consumers many familiar rights such as access, deletion, data portability, correction, and consent. Consumers also have the right to be informed not only about how their information will be used and shared, but also the entities with whom their information is shared, and the consequences of refusal to consent to sharing. Companies doing business in Brazil or with Brazilians should carefully review the LGPD.