On March 17, 2021, California officials announced the appointment of five board members of the California Privacy Protection Agency ( the “CPPA”), the first data protection agency in the United States. The CPPA, created by the California Privacy Rights Act (“CPRA”) which California voters approved in November 2020, is charged with promulgating the CPRA regulations; enforcing the CCPA and CPRA; and educating consumers about their privacy rights.
Most cybersecurity professionals are aware of the New York Department of Financial Service’s requirement imposed on DFS-licensed entities to certify their cybersecurity program’s compliance on an annual basis (by April 15th of each year), but less well known is that numerous other states impose similar requirements on regulated insurance entities and that deadline for many states is coming up on February 15, 2021.
On December 18, 2020, the Financial Crimes Enforcement Network (FinCEN) issued a notice of proposed rulemaking (NPR) regarding a proposal to impose on banks1 and money service businesses (MSBs) new recordkeeping, reporting, and identity verification requirements in relation to certain transactions involving convertible virtual currency (CVC) or digital assets with legal tender status (legal tender digital assets or LTDA)2 if the counterparty to the transaction does not have an account with, including a digital asset wallet hosted by, a financial institution regulated under the U.S. Bank Secrecy Act (BSA) or certain foreign financial institutions not located in designated problematic jurisdictions. If adopted, the proposed rule will impose significant new burdens only on banks and MSBs involved in digital asset businesses and undercut the role of U.S. institutions in digital asset economies, including in the growing area of “decentralized finance.” The NPR proposes to exclude broker-dealers, futures commission merchants, and mutual funds, among others that are subject to the BSA from these new reporting requirements, but specifically requests the industry’s comment on whether these types of institutions should also be included within the scope of the rule.
Affected institutions will have very limited time to assess and comment on the NPR, as the comment period closes on January 4, 2021, notwithstanding two intervening federal holidays.
On December 15, 2020, the U.S. Federal Deposit Insurance Corporation (FDIC) approved and the federal banking agencies jointly announced on December 18 a notice of proposed rulemaking, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (NPR).1 The NPR is a joint proposal by the Office of the Comptroller (OCC), the Board of Governors of the Federal Reserve System (Board), and the FDIC.
The EU Dual-Use Regulation regulates exports outside the EU, transfers inside the EU, transit through the EU and the brokering of certain sensitive goods, services, software and technology (referred to as “items”) that are considered “dual-use.” Dual-use items have both military and civil applications. The EU has updated its export control rules for dual-use items to (1) take account of Brexit, (2) ensure consistency with recent developments in international non-proliferation regimes and export control arrangements, and (3) address cyber-surveillance and other security threats stemming from new technologies, reinforce cooperation among competent EU authorities, and impose enhanced compliance obligations (including a requirement to adopt internal compliance programs) on businesses. These updates, which are addressed in turn, will have significant implications for businesses dealing in dual-use items.
On December 15, the European Commission (Commission) proposed drafts of two landmark digital legislative packages — the Digital Markets Act (DMA), which proposes new competition rules for so-called “gatekeeper” platforms to address alleged unfair practices and make them more contestable by competitors, and the Digital Services Act (DSA), which recommends revamping content moderation rules for “very large online platforms.”
The new rules, if they pass into law in their current form, would impose a stringent regulatory regime on Big Tech and give the Commission new enforcement powers. The draft regulations foresee severe fines for noncompliance — up to 10% of a company’s global revenues under the DMA and up to 6% under the DSA. The Commission would also be able to impose structural remedies, such as obliging a gatekeeper to sell all or part of a business, on companies that repeatedly engage in anticompetitive behavior prohibited by the DMA.
The proposals mark the beginning of a legislative process that is likely to be controversial and hotly contested, as there are marked differences of opinion on whether these proposals go too far, do not go far enough, or are necessary at all in light of preexisting competition powers.
On December 10, 2020, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released a proposed rule (the Proposed Rule) that would make a number of key changes to the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009 (collectively, HIPAA). HHS stated that the Proposed Rule is intended to reduce burdens that may limit or discourage care coordination and case management communications among individuals and HIPAA-covered entities while continuing to protect the privacy of individuals. The proposed changes are designed to lead to increased data access, sharing, and portability and to further HHS’s emphasis on patients’ right of information access, which has been highlighted through a series of enforcement actions in 2020. If enacted as proposed, the amendments would require healthcare providers and electronic health records (EHR) vendors to update policies and disclosures related to information access and perhaps even to redesign certain EHR processes. Comments are due 60 days after publication in the Federal Register.
The European Commission (EC), on 12 November 2020, published a draft decision implementing revised Standard Contractual Clauses (draft SCCs) – (the EC’s Draft). The EC’s Draft was published following the Court of Justice of the European Union’s (CJEU) decision in Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems on 16 July 2020 (Schrems II), which found (amongst other things) that supplementary protections may need to be implemented when SCCs are used to ensure an ‘essentially equivalent’ level of data protection. The publication of the EC’s Draft comes just one day after the European Data Protection Board (EDPB) published its draft recommendations describing how controllers and processors transferring personal data outside the European Economic Area (EEA) may comply with the Schrems II ruling. The EC’s Draft is open for public consultation until 10 December 2020, after which it will undergo a process of review by representatives of every EU Member State (the Committee) who will each need to provide a positive opinion in relation to the EC’s Draft as part of the EU examination procedure. The European Data Protection Supervisor must also be consulted and it is recommended that the EDPB is consulted. The EC’s College of Commissioners may then adopt the EC’s final decision
New privacy developments continue to come from California, with a new proposed modifications to CCPA regulations, continuing CCPA litigation, and voting beginning on Proposition 24, an initiative to overhaul the CCPA. We provide insight into each below.
Proposed Third Modified CCPA Regulations
In mid-October 2020, just a few months after the “finalization” of the regulations, the California Office of Attorney General proposed a handful of proposed modifications to regulations implementing the California Consumer Privacy Act. The abbreviated comment period for the proposed modifications closed on October 28th, which means the Attorney General must now review the comments, draft a response, and either further modify the proposed regulations or submit them in their current form for approval by the California Office of Administrative Law (OAL).
On July 23, 2020, the European Data Protection Board (the “EDPB”) published a set of important responses to a set of 12 frequently asked questions put forward to supervisory authorities regarding the recent Court of Justice of the European Union (“CJEU”) decision in Case C-311/18 – Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”) (“FAQs”).
Below is a summary of the key take-aways from the EDPB’s FAQs, which is intended to address a range of topics including the lack of a grace period following the decision and the conditions surrounding the use of certain data transfer mechanisms: