California privacy update: New state enforcement agency leadership discuss extending CPRA rulemaking deadline and doubling the number of current CCPA regulations

California’s new enforcement agency, the California Privacy Protection Agency (CPPA), recently held a meeting of its Board of Directors (Board), at which members discussed the possible need to extend the July 1, 2022 CPRA rulemaking deadline and estimated that the updated privacy law, which takes effect in 2023, may require doubling the existing body of CCPA regulations. Key rulemaking topics discussed at the Board meeting included new subject areas such as automated decision-making and the CPRA’s new data protection assessment and auditing requirements.

CPPA executive director and staff to be appointed

With a little over nine months until the CPRA regulations are supposed to be finalized, the CPPA is still working on making key staff and leadership appointments. The Board recently held an all-day closed session to review and discuss the applications for the executive director post, indicating it may be close to making a decision on that leadership role. In the preceding open session, members discussed the Chief Privacy Auditor role and the requirements for that new position. As for staff, the Board noted that the Attorney General’s (AG) office already has 10 people dedicated to CCPA-related work and discussed hiring five retired state employees who are attorneys for part-time positions.

Extension of the July 1, 2022 rules deadline

With the CPRA rulemaking deadline looming on July 1, 2022, Board members expressed concern about the CPPA’s ability to draft, revise, and finalize a large number of new rules in the time that remains. Based on this concern, the Board discussed asking the legislature for an extension, enacting temporary “emergency” regulations, or adding grace periods for compliance with the new rules. Emergency rules would allow the CPPA to introduce new rules on an expedited basis while extending the final rulemaking beyond the July 1, 2022 deadline.

DCMS launches public consultation on reforms to the UK’s data protection regime

On 10 September 2021, the Department for Digital, Culture, Media & Sport (DCMS) launched a public consultation on its proposed reforms to the UK’s data protection regime, with a view to assessing the case for legislative change.

The consultation comes as the first step in the government’s plans to deliver on ‘Mission 2’ of its National Data Strategy, published in 2020: to secure a data regime that promotes growth and innovation for UK businesses, while also maintaining public trust.

The UK’s data protection regime has not received a substantive update since 2018 when the European Union’s General Data Protection Regulation (GDPR) took effect, alongside the introduction of the UK’s Data Protection Act 2018. The government’s National Data Strategy has suggested that the UK may start to move away from EU law when it comes to data protection.

According to the Secretary of State, the ultimate aim of the consultation is to ‘create a more pro-growth and pro-innovation data regime, whilst maintaining the UK’s world-leading data protection standards’.

Key rules of PRC’s new Personal Information Protection Law

At its thirtieth meeting on August 20, 2021, the Standing Committee of the Thirteenth National People’s Congress of the People’s Republic of China finally passed the long-awaited Personal Information Protection Law (PIPL), which will come into force on November 1, 2021.

Our recent client alert, the first in a series which we will be producing, provides a brief introduction to the key rules in the PIPL, focusing on the requirements that multinational companies with operations in China need to be aware of.

In our subsequent alerts, we will also address the particular challenges that companies across different sectors (such as TMT, health care, automotive, and financial services) may face in the context of the PIPL.

The ICO approves the first UK GDPR certification schemes

Controllers and processors can demonstrate their compliance with the GDPR by adhering to certification schemes approved by a data protection authority. The ICO has now approved the first three UK GDPR certification schemes, in the following areas:

  1. IT asset disposal – the Asset Disposal and Information Security Alliance (ADISA) has developed a standard that ensures personal data has been handled appropriately when IT equipment is re-used or destroyed. This scheme is for companies that provide IT asset disposal services and focuses on IT asset recovery and data sanitisation. There are currently no certification bodies listed on the ICO’s website to deliver this scheme;
  2. Age assurance – the Age Check Certification Scheme (ACCS) has developed this scheme, which includes data protection criteria for organisations operating or using age assurance products. These products allow organisations to estimate or verify a person’s age so that the person can access age-restricted products or services; and
  3. Age appropriate design, specifically children’s online privacy – again developed by ACCS, this scheme provides criteria for the age appropriate design of information society services, based on the ICO’s Children’s Code. The certification body for both ACCS schemes is Age Check Certification Services Ltd.

The ICO has commented that for these “constantly evolving” areas “enhanced trust and accountability in how personal data is protected is vital”.

Ohio Attorney General Yost discusses consumer protection and privacy laws

In a recent Q&A with Ohio Attorney General (AG) Dave Yost published in the IAPP Privacy Advisor, the first-term AG discusses how he has continued Ohio’s role as a vigorous enforcer of consumer protection and privacy laws, with a long track record of balancing the needs of government, business and consumers. AG Yost also shares his views on privacy trends among the states, federal privacy legislation, the FTC, preventing ransomware, and data breach litigation safe harbors. Read more in the IAPP Privacy Advisor article.

The UK’s ICO launches public consultation on employment practices

The ICO has announced plans to replace its existing employment practices guidance with a more user-friendly online resource. The new resource will be divided into specific topics such as recruitment and selection, employment records, monitoring of workers, and information about workers’ health.

In particular, the new guidance aims to:

  • Address the changes in data protection law,
  • Reflect the changes in the way that employers use technology and interact with staff, and
  • Meet the needs of people using the ICO’s guidance products.

To this end, the ICO has launched a public consultation to gather views on these and related subject areas.

The consultation

The ICO has prepared a survey for those wishing to take part in the consultation. Contributions may be submitted by responding to the online survey or by completing and returning a Word document by email or post.

The deadline for responding is midnight on Thursday 21 October 2021.


Is an Article 27 GDPR representative liable for a controller’s breach? Not according to the English High Court

The English High Court delivered an important judgment earlier this year in Sanso Rondon v LexisNexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB).

Where an organisation based outside the EU is subject to the EU General Data Protection Regulation (GDPR), either because it sells goods or services to, or monitors the behaviour of, individuals in the EU, it is usually required to appoint a representative in the EU. Since Brexit, where such processing involves individuals in the UK, a UK-based representative is also required under the UK GDPR.

This case concerned the liability of the UK representatives of data controllers based outside the UK. The High Court struck out the claim and held that Article 27 GDPR does not create ‘representative liability’.

Background

The claimant Mr Sansó Rondón brought a claim against LexisNexis Risk Solutions, the designated ‘representative’ of U.S. company World Compliance Inc. (WorldCo). WorldCo is the controller of a database containing millions of profiles of individuals. The claimant argued WorldCo’s processing of his personal data in producing a profile of him breached the GDPR. The defendant applied for the claim to be struck out, or alternatively for summary judgment, arguing that a representative cannot be held liable for the actions of a controller and the remedies sought can only be obtained from a controller.


California AG marks the one-year anniversary of the CCPA’s enforcement with new activities

In preparation for the California Privacy Rights Act (CPRA), effective January 1, 2023, the California AG Rob Bonta has been actively enforcing the California Consumer Privacy Act (CCPA) and providing updated guidance for consumers and businesses. The AG recently held a press conference to discuss enforcement proceedings brought by his office over the last year and to announce a new tool designed to simplify consumer reporting of complaints related to personal information “sales” opt-outs. The AG’s office also recently released a summary of its CCPA enforcement activities as well as updated CCPA FAQs.

Our recent client alert details a number of key takeaways from the AG’s office’s recent announcements.

New automated data transfer tool launched

Reed Smith announced the launch of DaTA Transfer Pathway, a new automated data transfer tool designed to help organisations comply with recent changes in EU case law and EU data protection guidance.

Following the Court of Justice of the European Union’s (CJEU) Schrems II decision on EU-US data transfers, and in light of the new EU Standard Contractual Clauses (SCCs), businesses need to undertake a data transfer impact assessment before transferring personal data outside the EU. The tool can also be used to cover onward transfers between non-EU organisations that must comply with the SCCs. In most cases, businesses are likely to need to change their contractual arrangements with customers, suppliers and affiliates to ensure compliance with the new rules. The deadline for moving existing arrangements to the new SCCs is December 27, 2022.

Reed Smith’s DaTA Transfer Pathway is a user-friendly web application that automates the generation of data transfer assessment reports and Standard Contractual Clauses (SCCs) in accordance with the EU General Data Protection Regulation (GDPR).

Learn more about the DaTA Transfer Pathway in our press release.

The UK’s ICO launches public consultation on new Standard Contractual Clauses

In our previous post we discussed the ICO’s announcement that it is working on new Standard Contractual Clauses (SCCs) to facilitate transfers of personal data outside the UK. The new UK SCCs will be known as the UK’s International Data Transfer Agreement (IDTA).

The ICO has now launched the public consultation on its IDTA and accompanying guidance (available here). The consultation is open for feedback until 5pm on 7 October 2021.

Purpose of the IDTA

The IDTA will replace the SCCs currently used for transfers from the UK. The ICO has already made it clear that any transfer to a third country will need to take into account the Schrems II decision and apply supplementary measures where required. The IDTA is a contract that organisations will be able to use when making a ‘restricted transfer’. The ICO is also consulting on how to define a ‘restricted transfer’ under the UK GDPR; in particular, it is consulting on whether to keep its current guidance that a restricted transfer only takes place where the importer’s processing of the personal data is not itself subject to the UK GDPR. Recognising the complexity of international transfers for businesses, the ICO’s Executive Director of Regulatory Strategy, Steve Wood, has said that the new guidance is designed to be accessible and to support the full range of organisations, from SMEs to multinational companies.
