For over two and a half years, California has enjoyed the spotlight of having the most comprehensive data privacy law in the United States. On March 2, 2021, Virginia forced California to share the honors, when Democratic Gov. Ralph Northam signed into law the Virginia Consumer Data Protection Act (VCDPA).
The VCDPA, which will not enter into effect until January 1, 2023, borrows heavily from the California Consumer Privacy Act (CCPA) and the European Union (EU) General Data Protection Regulation (GDPR). Perhaps because Virginia was able to benefit from the experience of businesses that have spent the better part of the last five years implementing the GDPR or the CCPA, the Virginia law is less prescriptive and more straightforward than its predecessors, with (one would hope) a correspondingly lighter implementation burden on companies. Nonetheless, there is just enough different in the VCDPA that businesses with a connection to Virginia will need to evaluate whether the law applies to them and how they will comply.
While an exegesis of the VCDPA is beyond the scope of today’s Data Matters post, this alert is designed to assist such efforts in three ways. First, we lay out the VCDPA’s scope, providing preliminary insight into which businesses the law will cover. Second, we highlight the key ways the VCDPA differs from — and, more important, extends beyond — the CCPA and GDPR so that businesses will have an initial sense of what, if any, unique obligations the VCDPA will place on them. Finally, for completeness’s sake, the post briefly summarizes the law’s key elements.
On February 19, 2021, the European Commission (EC) published two draft implementing decisions to enable the continuing free-flow of personal data from the EU to the UK (the Draft Adequacy Decisions) i.e., post-Brexit: (i) for transfers of personal data under the EU General Data Protection Regulation (EU GDPR); and (ii) for transfers of personal data under the Law Enforcement Directive (LED). This will come as a huge relief to companies across all industries who are in parallel already grappling with the repercussions of Schrems II. In fact, the Draft Adequacy Decisions (which collectively run to almost 140 pages) are the first of their kind in a post-Schrems II world and will likely be closely reviewed—including by privacy advocate Max Schrems who has promised his Twitter followers to “take a look at” the Draft Adequacy Decisions in particular with regard to the LED (i.e., which addresses UK government surveillance activities).
Case: R (on the application of KBR, Inc) (Appellant) v Director of the Serious Fraud Office (Respondent)  UKSC 2
On February 5, 2021, the UK Supreme Court ruled that the Serious Fraud Office (SFO) cannot compel foreign companies with no presence in the jurisdiction to produce documents held abroad using its powers under Section 2(3) of the Criminal Justice Act 1987 (CJA 1987).
After losing its ability to use European Investigation Orders to obtain evidence located in other EU member states due to Brexit, the judgment is a further setback for the SFO in terms of the extraterritorial reach of its investigative powers and may in certain circumstances affect its ability to investigate fully cross-border serious fraud cases. When seeking documents or electronic data held abroad from foreign companies that are not registered in the UK or do not carry on business there, the SFO will now have to rely on mutual legal assistance or an overseas production order (where such mechanisms are available).
However, the Supreme Court’s ruling will provide foreign companies with greater certainty regarding documents that may have to be produced to the SFO, particularly where production could be resisted in their own jurisdiction on grounds of privilege.
On February 4, 2021, the New York Department of Financial Services (NYDFS) issued Circular Letter No. 2 announcing a Cyber Insurance Risk Framework (the Framework) that describes industry best practices for New York-regulated property/casualty insurers. Issuance of the Framework is notable as it represents the first official guidance by a U.S. regulator concerning the increasingly critical issue of cyberinsurance. And while circular letters do not establish new legal requirements or have the force of law, they do set forth the department’s interpretation of the requirements of existing laws and regulations.1
Released on February 1, the Financial Industry Regulatory Authority (FINRA) 2021 Report on its Examination and Risk Monitoring Program (Report) provides a roadmap for member firms to use to prepare for examinations and to review and assess compliance and supervisory procedures related to business practices, compliance, and operations. The Report replaces two of FINRA’s prior annual publications: (1) the Report on Examination Findings and Observations, which provided an analysis of prior examination results, and (2) the Risk Monitoring and Examination Program Priorities Letter, which highlighted areas FINRA planned to review in the coming year.
Most cybersecurity professionals are aware of the New York Department of Financial Service’s requirement imposed on DFS-licensed entities to certify their cybersecurity program’s compliance on an annual basis (by April 15th of each year), but less well known is that numerous other states impose similar requirements on regulated insurance entities and that deadline for many states is coming up on February 15, 2021.
On January 19, 2021, the U.S. Department of Commerce (Commerce) issued interim final regulations (interim rules) implementing Executive Order 13873, Executive Order on Securing the Information and Communications Technology Services Supply Chain (EO), which was intended to address alleged threats against information and communications technology and services (ICTS) in the United States. The new review mechanism focuses on transactions involving any acquisition, importation, transfer, installation, dealing in, or use of ICTS that has been designed, developed, manufactured, or supplied by parties owned by, controlled by, or subject to the jurisdiction or direction of “foreign adversaries.”
While the focus on the rules is not foreign investment per se, it will complement the Committee on Foreign Investment in the United States’ (CFIUS) investment security review mechanisms. Indeed, the interim rules borrow several concepts and definitions from CFIUS’s recently amended regulations.
Commerce invited interested parties to submit comments on the interim rules. Parties must submit comments by March 22, 2021. Commerce will publish final regulations after considering any comments submitted.
This post provides key takeaways and a brief summary of Commerce’s new review mechanism.
Foreign investment in many entities regulated by the U.S. Federal Communications Commission (FCC) has long been subject to an interagency review process for the consideration of national security, foreign policy, and trade policy issues, referred to as “Team Telecom.” Pursuant to an April 2020 executive order and an October 2020 report and order of the FCC, this process has been formalized and streamlined under the new Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (Committee).
Taking a step into the digital age, the European Commission announced that the 2020s shall become the EU’s Digital Decade. The EU’s digitalization, including in the area of health, is one of the Commission’s key priorities and covers a wide range of actions and related initiatives.
Building on prior initiatives, in 2019 the Commission announced six key priorities (since supplemented by the COVID-19 recovery plan) that would shape the coming five years of policy making. One of these six key priorities is to create a Europe fit for the digital age and work on a digital strategy that will empower people with a new generation of technologies.
On January 14, 2021, the U.S. Office of the Comptroller of the Currency (OCC) issued its controversial final rule (Rule)1 to establish a new requirement for covered banks to provide “fair access” to financial services to both natural persons and legal entities.2 The preamble to the Rule explains that it is intended to address situations in which large banks have denied access to financial services on the basis of a prospective customer’s industry affiliation or connection with a politically unpopular, but lawful, activity. The Rule instead requires, among other things, that access to all financial services at covered banks be provided on the basis of a person’s individual characteristics evaluated under quantitative, impartial risk-based criteria. The OCC claims that these fair access standards do not, however, require that a covered institution provide any specific type of financial service, do business with a particular person or industry, or operate in a particular market. Nonetheless, in part because of the perception that the Rule will impair the ability of banks to take into account issues like climate change in making underwriting decisions, the fate of the Rule under the Biden administration remains uncertain.