On 13 April 2021, the European Data Protection Board (EDPB) adopted two Opinions on the draft UK adequacy decisions: (i) Opinion 14/2021 for transfers of personal data under the EU General Data Protection Regulation (EU GDPR); and (ii) Opinion 15/2021 for transfers of personal data under the Law Enforcement Directive (LED).
With the roll-out of the COVID-19 vaccine and the start of easing of social distancing measures, the latest initiative being considered at a national as well as an international level is the introduction of so-called “digital health passports” or “immunity passports,” i.e., a tool to record and share the immune status of an individual whether by virtue of a COVID-19 test result or vaccination record – indeed, it is estimated there are currently more than 70 digital health passports and 14 vaccine passport apps in operation globally. However, the privacy concerns (and indeed the broader ethical implications) of introducing such measures, without the implementation of appropriate safeguards are significant and a current topic of intense debate.
On March 29, 2021, the U.S. Securities and Exchange Commission (SEC) Division of Examinations (EXAMS) issued a risk alert to remind broker-dealers of their obligations related to anti-money-laundering (AML) rules and regulations as well as to provide the staff’s observations of compliance items related to those obligations. The risk alert also is designed to assist broker-dealers with reviewing and enhancing their AML programs. The staff noted that mutual funds may benefit from the examination observations.
This is the latest EXAMS announcement of its expansion deeper into AML issues. This expansion further demonstrates that broker-dealers need to be prepared to address questions and concerns from both the SEC and the Financial Industry Regulatory Authority (FINRA) in a coordinated and efficient matter even if these overlap.
On March 17, 2021, California officials announced the appointment of five board members of the California Privacy Protection Agency ( the “CPPA”), the first data protection agency in the United States. The CPPA, created by the California Privacy Rights Act (“CPRA”) which California voters approved in November 2020, is charged with promulgating the CPRA regulations; enforcing the CCPA and CPRA; and educating consumers about their privacy rights.
On 5 March 2021, the Federal Data Protection and Information Commissioner (FDPIC) published a short position paper on the revised Swiss Data Protection Act (revDPA). The position paper provides guidance for companies that are subject to the revDPA as to how to meet its requirements once it enters into force, which is expected to be in the second half of 2022 after the Federal Administration has completed drafting the associated implementing ordinances.
On February 10, 2021, the Council of the European Union (which includes representatives of the European Union (EU) member states, hereinafter Council) reached an agreement on the ePrivacy Regulation proposal that governs the protection of privacy and confidentiality of electronic communications services (ePrivacy Regulation).
The first draft of the ePrivacy Regulation was approved by the European Commission in 2017 and has since been under discussion in the Council. The current agreement in the Council comes shortly after Portugal took over the Council presidency (on January 1, 2021) and released a revised draft of the ePrivacy Regulation (on January 5), which was the 14th draft including the original EU Commission proposal. The present agreement is therefore a breakthrough in the negotiation process and allows the Portuguese Council presidency to start negotiations with the European Parliament on the final text.
On February 12, 2021, the European Commission (Commission) published an “Assessment of the EU Member States’ rules on health data in the light of GDPR” (the Assessment). The Assessment concludes, amongst other things, that there are variations in the implementation of the EU General Data Protection Regulation (GDPR) at a national level with regards to the processing of health data. In turn, this has led to a fragmented approach to the processing of health data for health and research purposes across the EU. To avoid further fragmentation, the Assessment proposes various future EU-level actions, including stakeholder-driven Codes of Conduct as well as new targeted and sector-specific legislation.
For over two and a half years, California has enjoyed the spotlight of having the most comprehensive data privacy law in the United States. On March 2, 2021, Virginia forced California to share the honors, when Democratic Gov. Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA).
The VCDPA, which will not enter into effect until January 1, 2023, borrows heavily from the California Consumer Privacy Act (CCPA) and the European Union (EU) General Data Protection Regulation (GDPR). Perhaps because Virginia was able to benefit from the experience of businesses that have spent the better part of the last five years implementing the GDPR or the CCPA, the Virginia law is less prescriptive and more straightforward than its predecessors, with (one would hope) a correspondingly lighter implementation burden on companies. Nonetheless, there is just enough different in the VCDPA that businesses with a connection to Virginia will need to evaluate whether the law applies to them and how they will comply.
While an exegesis of the VCDPA is beyond the scope of today’s Data Matters post, this alert is designed to assist such efforts in three ways. First, we lay out the VCDPA’s scope, providing preliminary insight into which businesses the law will cover. Second, we highlight the key ways the VCDPA differs from — and, more important, extends beyond — the CCPA and GDPR so that businesses will have an initial sense of what, if any, unique obligations the VCDPA will place on them. Finally, for completeness’s sake, the post briefly summarizes the law’s key elements.
On February 19, 2021, the European Commission (EC) published two draft implementing decisions to enable the continuing free-flow of personal data from the EU to the UK (the Draft Adequacy Decisions) i.e., post-Brexit: (i) for transfers of personal data under the EU General Data Protection Regulation (EU GDPR); and (ii) for transfers of personal data under the Law Enforcement Directive (LED). This will come as a huge relief to companies across all industries who are in parallel already grappling with the repercussions of Schrems II. In fact, the Draft Adequacy Decisions (which collectively run to almost 140 pages) are the first of their kind in a post-Schrems II world and will likely be closely reviewed—including by privacy advocate Max Schrems who has promised his Twitter followers to “take a look at” the Draft Adequacy Decisions in particular with regard to the LED (i.e., which addresses UK government surveillance activities).
Case: R (on the application of KBR, Inc) (Appellant) v Director of the Serious Fraud Office (Respondent)  UKSC 2
On February 5, 2021, the UK Supreme Court ruled that the Serious Fraud Office (SFO) cannot compel foreign companies with no presence in the jurisdiction to produce documents held abroad using its powers under Section 2(3) of the Criminal Justice Act 1987 (CJA 1987).
After losing its ability to use European Investigation Orders to obtain evidence located in other EU member states due to Brexit, the judgment is a further setback for the SFO in terms of the extraterritorial reach of its investigative powers and may in certain circumstances affect its ability to investigate fully cross-border serious fraud cases. When seeking documents or electronic data held abroad from foreign companies that are not registered in the UK or do not carry on business there, the SFO will now have to rely on mutual legal assistance or an overseas production order (where such mechanisms are available).
However, the Supreme Court’s ruling will provide foreign companies with greater certainty regarding documents that may have to be produced to the SFO, particularly where production could be resisted in their own jurisdiction on grounds of privilege.