California Privacy Law Overhaul – Proposition 24 Passes
The results are in, and California voters have approved the California Privacy Rights Act (CPRA) which was listed on the ballot as Proposition 24. The law, most of which does not go into effect until January 1, 2023, will substantially overhaul and amend the California Consumer Privacy Act (CCPA) which went into effect just this year, on January 1, 2020, with final regulations issued just a few months ago, on August 14, 2020. And indeed, CCPA obligations continue to evolve, with proposed amendments to the regulations proposed by the Attorney General’s Office mid-October 2020.
An Early Recap of Privacy in 2020: A US Perspective
*This article was adapted from “Global Overview,” appearing in The Privacy, Data Protection and Cybersecurity Law Review (7th Ed. 2020)(Editor Alan Charles Raul), published by Law Business Research Ltd., and first published by the International Association of Privacy Professionals Privacy Perspectives series on September 28, 2020.
Privacy, like everything else in 2020, was dominated by the COVID-19 pandemic. Employers and governments have been required to consider privacy in adjusting workplace practices to account for who has a fever and other symptoms, who has traveled where, who has come into contact with whom, and what community members have tested positive or been exposed.
As a result of all this need for tracking and tracing, governments and citizens alike have recognized the inevitable trade-offs between exclusive focus on privacy versus exclusive focus on public health and safety.
Swiss Data Protection Authority Concludes Swiss-US Privacy Shield No Longer Valid for Swiss-US Transfers
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) concluded in a position paper published on 8 September that the Swiss-US Privacy Shield no longer provides a valid mechanism for the transfer of personal data from Switzerland to the US.
Schrems II Fallout — Understanding Essential Equivalence and What Businesses Should Do Now
Schrems II — Legal Analysis
With the EU-U.S. Privacy Shield declared invalid as a result of the Schrems II decision, there will be an immediate impact on the future of international data flows and potentially for your business.
Join OneTrust DataGuidance, Sidley, and speakers from industry for a webinar taking a detailed look at the Schrems II decision and discussing what additional safeguards may be required for international transfers following the decision, as well as legal analysis into whether there is essential equivalence between U.S. and EU privacy protections.
EDPB Publishes FAQs on Recent Schrems II Judgment
On July 23, 2020, the European Data Protection Board (the “EDPB”) published a set of important responses to a set of 12 frequently asked questions put forward to supervisory authorities regarding the recent Court of Justice of the European Union (“CJEU”) decision in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”) (“FAQs”).
Below is a summary of the key take-aways from the EDPB’s FAQs, which is intended to address a range of topics including the lack of a grace period following the decision and the conditions surrounding the use of certain data transfer mechanisms:
The EU’s Highest Court Announces Significant Decision Regarding Cross-Border Data Flows: Invalidates EU-US Privacy Shield Program and Upholds Standard Contractual Clauses
In a decision with significant implications for international trade and cross-border data flows, the EU’s highest court – the Court of Justice of the European Union (“CJEU”) ruled on 16 July 2020 that a key legal mechanism (called the EU-US Privacy Shield program) used to enable transfers of personal data from the European Union (“EU”) was invalid, while also potentially requiring additional protections to be implemented when another key transfer mechanism (called Standard Contractual Clauses) is used. The case – Data Protection Commissioner v. Facebook Ireland, Max Schrems (“Schrems II”) – considered the validity of the EU-US Privacy Shield (“Privacy Shield”) program (a privacy certification made available for US organizations through an agreement between the European Commission and the US government) and Standard Contractual Clauses (“SCC”) (a form of international data transfer agreement made available for use by the European Commission).
UK Supreme Court Grants Google Permission to Appeal Class Action Claim in Lloyd vs Google LLC
The Supreme Court has recently granted Google permission to appeal the Court of Appeal’s decision in the case of Lloyd v Google LLC ([2019]) EWCA Civ 1599). The class action brought against Google by Richard Lloyd, the former editor of consumer protection rights group “Which?”, relates to the alleged tracking of personal data by Google of 4.4 million iPhone users and subsequent selling of the users’ data to advertisers, without the users’ knowledge and consent. Google is now appealing the Court of Appeal’s decision granting Mr Lloyd permission to serve his representative action on Google. This landmark case is of particular importance as it has the potential to significantly widen the scope for claims to be brought in respect of a failure to protect data under the GDPR.
Schrems II – Live Reaction to the Key Landmark Decision on the Future of International Data Transfers
Join Us for Post-Decision Coverage of the Schrems II Case
On July 16, the Court of Justice of the European Union will release its much anticipated decision in the Schrems II case, evaluating the validity of key data transfer mechanisms, including Standard Contractual Clauses. The decision could impact the future of international data flows and your business.
We will host an immediate reaction and analysis with leading industry panelists on this landmark decision to understand its impact and what the future may hold.
Two Rulings in Two Weeks on the TCPA’s Autodialer Restrictions
The last two weeks have brought two important (although unrelated) rulings on the TCPA’s Autodialer Restrictions. First, on June 25, the Federal Communications Commission limited the applicability of the autodialer restrictions in the Telephone Consumer Protection Act, 47 U.S.C. § 227 (the “TCPA”), to an emerging texting technology. Second, less than two weeks later, the Supreme Court ruled that an exception to the TCPA’s autodialer restrictions for calls to collect federal debts was unconstitutional and expanded the statute’s reach.
French Council of State Upholds €50m CNIL Fine against Google
On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision upholding the €50 Million fine imposed against Google LLC by the French Supervisory Authority (the “CNIL”). On January 21, 2019, the French CNIL had issued a fine against Google’s U.S. headquarters for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. Please refer to the relevant Sidley Data Matters’ blog post on the CNIL decision here. The CNIL found that Google had insufficiently informed Android users about their data processing activities, given the complexity of Google’s privacy policy and terms & conditions, and that the consent obtained from them through the use of pre-ticked boxes was insufficient to serve as a legal basis for processing used for targeted advertising. This was the first and highest regulatory fine the CNIL had issued on the basis of the GDPR.