On October 19, 2021, Sidley partner Alan Raul engaged in a fireside chat with Julie Brill, Corporate Vice President, Chief Privacy Officer, and Deputy General Counsel of Microsoft at the Reuters Events’ Legal Leaders 2021 Conference.
This summer, the Federal Trade Commission (“FTC”) hosted its sixth annual PrivacyCon, an event focused on the latest research and trends related to consumer privacy and data security. This year’s event was divided into six panels: Algorithms; Privacy Considerations and Understandings; Adtech; Internet of Things; Privacy-Children and Teens; and Privacy and the Pandemic. Welcoming attendees and kicking off the event, Commissioner Rebecca Kelly Slaughter called for minimization of data abuses and for a move away from the notice and consent model of privacy in favor of data minimization. PrivacyCon topics are selected by the FTC and often seen as an indication of enforcement priorities.
On August 20, 2021, China’s National People’s Congress passed the Personal Information Protection Law (PIPL), which will become effective starting November 1, 2021. As an overarching law in China with respect to data privacy, PIPL shares many similarities with the EU General Data Protection Regulation (GDPR). If a company is already GDPR compliant, its data privacy compliance system can basically work in China, although certain localizations are necessary in response to unique requirements under PIPL. In particular, a company should pay attention to the following differences between PIPL and GDPR:
In recent weeks, Connecticut passed An Act Concerning Data Privacy Breaches (“The Act”), and the Uniform Law Commission approved and recommended the Uniform Personal Data Protection Act (“UPDPA”). With the growing patchwork of state data privacy laws continuing to pose challenges for compliance—and the potential for federal data privacy legislation at the forefront of policy debates—the UPDPA may provide state legislators with a path toward a standardized statutory scheme.
With the U.S. Congress continuing to stymie federal omnibus privacy legislation, states have decidedly taken up the call. Most recently, on July 8, 2021, Colorado Gov. Jared Polis signed into law Senate Bill 21-190, the Colorado Privacy Act (CPA). With the signing of the CPA, which will largely go into effect on July 1, 2023, Colorado became the third state to enact comprehensive privacy legislation following the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA). Other states have taken a more limited approach, most notably Nevada, which increased the scope of the right to opt out of personal data sales under its targeted privacy law.
Two years after the UK Government first put forward its intention to introduce a new regime to address illegal and harmful content online, the UK Government published the Online Safety Bill (“Bill”) on 12 May 2021. The Bill imposes duties of care on providers of digital services, social media platforms and other online services to make them responsible for content generated and shared by their users and to mitigate the risk of harm arising from illegal content (e.g., by minimising the spread of such content). The Bill also aims to ensure that users are able to express themselves freely online and requires platforms to consider the importance of freedom of expression when fulfilling their duties.
On 18 June 2021, the European Data Protection Board (“EDPB”) adopted its final recommendations describing how controllers and processors transferring personal data outside the European Economic Area (“EEA”) may comply with the Schrems II ruling (“Final Schrems II Recommendations”). The Final Schrems II Recommendations, together with the new Standard Contractual Clauses (“SCCs”) adopted by the European Commission on 4 June 2021, will now allow organizations to proceed with addressing international data transfers following the landmark Schrems II ruling by the Court of Justice of the European Union in July 2020.
The Final Schrems II Recommendations have maintained the requirement to carry out a 6 Step assessment prior to transferring personal data outside the EEA in reliance on a data transfer tool, such as SCCs. However, there have been some important amendments from the draft recommendations published in November 2020 in order to:
- better align with the new SCCs recently adopted by the European Commission; and
- allow more flexibility in carrying out the assessment of third country laws in Step 3 by being able to take into account practice in the third country as well as the documented practical experience of the data importer.
Our previous blog post on the EDPB’s draft Schrems II recommendations – accessible here – provides further details on the 6 Step process that organizations should follow when transferring personal data from the EEA to a third country such as the U.S. Here we summarise some of the key differences in the 6 Steps as between the draft recommendations and the Final Schrems II Recommendations.
The European Commission has formally launched its legislative initiative aimed at increasing access to and further use of data, so that more public and private actors can benefit from technologies such as Big Data and machine learning. The Commission has published its inception impact assessment on the forthcoming Data Act, on which interested stakeholders can submit comments until 25 June 2021. In parallel, the Commission has launched a public consultation for the legislative initiative, to be conducted by an online questionnaire, with a deadline of 3 September 2021. Feedback will be taken into account for further development and fine-tuning of the initiative to be tabled in Q3-Q4 2021.
On June 2, 2021, Nevada Governor Steve Sisolak signed SB260, a bill that will amend the state’s existing privacy notice legislation, NRS 603A.300 to .360 (“Existing NV Privacy Law”). SB260 amends the Existing NV Privacy Law by exempting certain persons and information collected about a consumer from the law’s privacy requirements, expanding the types of entities that must facilitate consumer privacy opt-out rights, providing new and updated definitions, authorizing the opportunity to remedy a failure to comply with certain requirements, and updating other provisions to reflect the addition of data broker entities. Most notably, SB260’s addition of “data broker” to the existing statutory framework, in addition to the updated definition of “sale”, provides consumers with a broader opt-out right and likely brings more entities under the scope of the law. That said, even after the amendments, the Nevada law remains narrower than the California Consumer Protection Act (“CCPA”), as well as the forthcoming California Privacy Rights Act (“CPRA”) and Virginia Consumer Data Protection Act (“VCDPA”) that go into effect on January 1, 2023.
Last year, to address the increasing overlaps between data protection and antitrust enforcement, the UK launched the Digital Regulatory Cooperation Forum (DRCF). The DRCF brings together the four UK regulators most involved in digital matters (i.e., the Competition and Markets Authority (CMA), the Information Commissioner’s Office (ICO), the Office of Communications (Ofcom) and the Financial Conduct Authority (FCA)). Its main objective is to enable coherent and informed regulation of the UK digital economy.