In 2017, the Swiss government issued a draft bill for a new Swiss Data Protection Act (“nDPA”) with two main goals: (1) to enhance the level of protection of personal data provided in the current Swiss Data Protection Act which dates back to 1992 (largely, to align with the EU GDPR); and (2) to ensure that there is an “adequate” level of data protection to allow for the continued flow of personal data from the EEA to Switzerland.
On 2 September 2020, the European Data Protection Board (EDPB) published draft guidelines on the concepts of controller and processor under the GDPR (Draft Guidelines). The Draft Guidelines are intended to expand on and ultimately replace the guidance issued by the former Article 29 Working Party in 2010 (WP29 Guidance). The Draft Guidelines should be reviewed carefully to assess whether: (i) the understanding of an organisation’s role as a controller, joint controller or processor should be revised; and (ii) changes to existing vendor processes and contracts are needed in light of the assessment of guarantees provided by vendors and the more detailed processing provisions and ongoing diligence now required.
The Draft Guidelines consist of two parts. The first part seeks to further clarify the meaning of these concepts—which are crucial in determining compliance responsibilities under the GDPR—by reference to various examples. The second part provides detailed guidance on their respective roles and responsibilities, and the relationships between them.
The Draft Guidelines, accessible here, are subject to public consultation until 19 October 2020.
Following the Court of Justice of the European Union’s (“CJEU”) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) concluded in a position paper published on 8 September that the Swiss-US Privacy Shield no longer provides a valid mechanism for the transfer of personal data from Switzerland to the US.
The National Association of Insurance Commissioners (NAIC) held its Summer 2020 National Meeting (Summer Meeting) from July 27 to August 14, 2020. As a result of the COVID-19 pandemic, the NAIC held the Summer Meeting in a virtual format, with conference calls taking place over a three-week period. Despite not being able to meet in-person, the NAIC utilized the Summer Meeting as an opportunity to host conversations among insurance regulators, industry members and consumers regarding recent events, including the impact of COVID-19 on the insurance industry as well as racial inequality and the promotion of diversity in the insurance industry. (more…)
The U.S. Department of Commerce, Bureau of Industry and Security (BIS) published an advance notice of proposed rulemaking (ANPRM) soliciting comments to identify foundational technologies essential to U.S. national security by October 26, 2020 (the Foundational Technologies ANPRM). The ANPRM is only one step in a multiyear process through which the U.S. government transforms the regulations restricting the availability of U.S.-sourced technology in the global marketplace.
This long-awaited ANPRM launches an intra-agency review process required under Section 1758 of the Export Control Reform Act of 2018 (ECRA), which Congress passed in the National Defense Authorization Act for Fiscal Year 2019 (2019 NDAA). ECRA directed BIS to identify and establish controls on the export, reexport, or transfer (in country) of emerging and foundational technologies essential to the national security of the United States. On November 19, 2018, BIS issued an ANPRM on identification of emerging technologies (the Emerging Technologies ANPRM), indicating that a separate notice for foundational technologies was forthcoming.
Today’s Foundational Technologies ANPRM can be found here. Sidley’s prior updates on ECRA and the Emerging Technologies ANPRM can be found here.1 Here we summarize five key takeaways from today’s notice.
On August 14, 2020, California’s Office of Administrative Law approved and filed with the California Secretary of State final regulations implementing the California Consumer Privacy Act. The regulations, drafted by California’s Office of the Attorney General (OAG), went through three rounds of changes during the rulemaking process and were finally enacted more than two years after the CCPA was signed into law. The CCPA is a landmark state privacy law that grants consumers new privacy rights, and requires businesses to enhance disclosures about their data practices and facilitate consumer privacy rights. (more…)
Posting revised August 13, 2020
On July 2, 2020, Sidley partner Alan Raul, founder and co-head of Sidley’s Privacy and Cybersecurity practice, hosted Adam Klein, Chairman of the Privacy and Civil Liberties Oversight Board (“PCLOB” or “the Board”), for a Monitor-Side Chat.
The discussion focused largely on the Commission’s work since Mr. Klein became Chairman in October, 2018. Key topics of the chat included:
- Mission, Operation and Access of PCLOB
- Balancing Counter-Terrorism and Privacy
- Comparison of U.S. and Foreign Checks and Balances
- FISA Reform
- Emerging Technologies
On July 13, the Department of Health and Human Services’ Substance Abuse and Mental Health Services (“SAMHSA”) announced final revisions to the Confidentiality of Substance Use Disorder Patient Records regulation codified at 42 CFR Part 2 (so-called “Part 2” regulations). These regulations—which apply to certain information relating to patients being treated for substance use disorders (“SUDs”)—impose restrictions above and beyond those in the Health Insurance Portability and Accountability Act (“HIPAA”). While the final rule does not fundamentally change the basic requirements of the Part 2 regulations, it relaxes some of the restrictions the regulations impose on holders of Part 2 information, in particular, to facilitate care coordination.
On July 23, 2020, the European Data Protection Board (the “EDPB”) published a set of important responses to a set of 12 frequently asked questions put forward to supervisory authorities regarding the recent Court of Justice of the European Union (“CJEU”) decision in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”) (“FAQs”).
Below is a summary of the key take-aways from the EDPB’s FAQs, which is intended to address a range of topics including the lack of a grace period following the decision and the conditions surrounding the use of certain data transfer mechanisms:
In a decision with significant implications for international trade and cross-border data flows, the EU’s highest court – the Court of Justice of the European Union (“CJEU”) ruled on 16 July 2020 that a key legal mechanism (called the EU-US Privacy Shield program) used to enable transfers of personal data from the European Union (“EU”) was invalid, while also potentially requiring additional protections to be implemented when another key transfer mechanism (called Standard Contractual Clauses) is used. The case – Data Protection Commissioner v. Facebook Ireland, Max Schrems (“Schrems II”) – considered the validity of the EU-US Privacy Shield (“Privacy Shield”) program (a privacy certification made available for US organizations through an agreement between the European Commission and the US government) and Standard Contractual Clauses (“SCC”) (a form of international data transfer agreement made available for use by the European Commission).