Keypoint: The EDPB takes the position that geographical boundaries – and not GDPR’s jurisdictional reach – govern the restricted transfer determination.

On November 19, 2021, the European Data Protection Board (EDPB) published draft guidelines on the interplay between the application of GDPR Article 3 and its provisions on international transfers in Chapter V.

The draft guidelines answer the question of whether a transfer of personal data occurs when the data leaves GDPR’s jurisdictional scope or when it leaves the European Union’s geographic scope. The draft guidelines also provide three criteria and a number of illustrative examples to guide controllers and processors to identify restricted transfers.

Restricted transfers are of heightened focus in light of the Court of Justice of the European Union’s decision in Schrems II, the European Commission’s issuance of new standard contractual clauses, and the EDPB’s recommendations on supplementary measures for cross-border data transfers. The guidelines – once finalized – will provide entities with further guidance on how to navigate this complex legal issue.

The draft guidelines will be open to public comment until the end of January.

Below is a summary.

Continue Reading EDPB Issues Draft Guidelines on Interplay Between GDPR’s Jurisdictional Scope and Cross-Border Data Transfer Requirements

In the ninth episode of our Legislating Data Privacy series, we continue our conversation with Colorado Senator Robert Rodriguez.

In July 2021, Colorado became the third state to pass broad consumer privacy legislation – the Colorado Privacy Act. Senator Rodriguez was the primary architect of the bill and spearheaded its passage.

In this two-part conversation, Senator Rodriguez provides extensive details on the drafting and negotiation of the Colorado Privacy Act. If you want the “behind the scenes” story on the nation’s third state consumer privacy law, do not miss this episode.

Click here to listen to the interview. You can hear Part I of our conversation by clicking here.

In the eighth episode of our Legislating Data Privacy series, we talk with Colorado Senator Robert Rodriguez.

In July 2021, Colorado became the third state to pass broad consumer privacy legislation – the Colorado Privacy Act. Senator Rodriguez was the primary architect of the bill and spearheaded its passage.

In this two-part conversation, Senator Rodriguez provides extensive details on the drafting and negotiation of the Colorado Privacy Act. If you want the “behind the scenes” story on the nation’s third state consumer privacy law, do not miss this episode. Check back for Part II in the coming days.

Click here to listen to the full interview.

Keypoint: The VCDPA Work Group’s final report contains 17 “points of emphasis” derived from six Work Group meetings; however, the Work Group’s recommendations for modifying the VCDPA will not be presented until the legislature opens in January 2022.

On November 1, 2021, the Virginia Consumer Data Protection Work Group issued its 2021 Final Report. By way of background, § 59.1-581.2 of the Virginia Consumer Data Protection Act (VCDPA) required the Chairman of the Joint Commission on Technology and Science to create a work group to “review the provisions of [the VCDPA] and issues related to its implementation.” The Chairman was required to “submit the work group’s findings, best practices, and recommendations regarding the implementation of [the VCDPA] to the Chairmen of the Senate Committee on General Laws and Technology and the House Committee on Communications, Technology and Innovation no later than November 1, 2021.”

The Work Group met six times from June to August 2021. A summary of those meetings is contained in the Final Report and copies of materials relating to those meetings are available on the Joint Commission’s webpage.

Ultimately, the Work Group identified 17 “points of emphasis” from its six meetings but stated that the Work Group’s “recommendations based on these points of emphasis” would be presented by Delegate Hayes and Senator Marsden (the VCDPA’s sponsors) during the upcoming legislative session.

Below is a summary of the points of emphasis along with some analysis. For ease of reference, we have grouped the points of emphasis into seven categories.

Continue Reading Virginia Consumer Data Protection Act Work Group Issues 2021 Final Report

What U.S. Companies Need to Know about China’s New Privacy LawKeypoint: China’s Personal Information Protection Law is a complicated regulatory regime that will require U.S. entities subject to its requirements to undertake substantial compliance efforts.

Effective November 1, 2021, China will become the latest country to enact a national data privacy law akin to Europe’s General Data Protection Regulation (GDPR). The new law – entitled the Personal Information Protection Law of the People’s Republic of China or “PIPL” – will require foreign companies, including U.S. companies, operating in China (and in some cases, operating purely outside of China) to undertake new compliance efforts.

To facilitate that process, below is a general discussion of PIPL and some of its more notable provisions. For reference, PIPL has been translated into English by DigiChina, which has a wealth of resources available on its website for those interested in further reading on this new law.

Continue Reading What U.S. Companies Need to Know about China’s New Privacy Law

CPRA Regulations: California Privacy Protection Agency Commences Preliminary Rulemaking ProcessKeypoint: The California Privacy Protection Agency initiates preliminary rulemaking activities under the California Privacy Rights Act.

On Wednesday, September 22, 2021, the California Privacy Protection Agency (Agency) issued an Invitation for Preliminary Comments on Proposed Rulemaking Under the California Privacy Rights Act of 2020.

California voters approved the California Privacy Rights Act (CPRA) in November 2020. The CPRA, which goes into effect on January 1, 2023, significantly revises the California Consumer Privacy Act (CCPA).

Continue Reading CPRA Regulations: California Privacy Protection Agency Commences Preliminary Rulemaking Process

In the seventh episode of our Legislating Data Privacy series, we talk with Connecticut Senator James Maroney.

Senator Maroney is the author of Senate Bill No. 893, which would have granted Connecticut residents various privacy rights regarding their personal data.

In this episode, Senator Maroney discusses the fascinating path of S.B. 893 during the 2021 legislative session. He also provides background on S.B. 893 and what to expect in the 2022 session. Senator Maroney is clearly an expert in this field and offers incredible insight to anyone interested in emerging state privacy law.

Click here to listen to the full interview.

Oklahoma Privacy BillKeypoint: The 2022 legislative session of proposed state consumer privacy legislation kicks off with the filing of a new bill in Oklahoma.

On September 9, 2021, Rep. Collin Walke (D) and Majority Leader Rep. Josh West (R) filed the Oklahoma Computer Data Privacy Act of 2022. The Oklahoma legislature is not scheduled to convene until February 7, 2022, such that there is ample time for policymakers and lobbyists to study the bill. We spoke with Representative Walke earlier this year about his goal of passing a privacy law in 2022.

In an accompanying press release, Representative Walke stated: “The National Security Commission on Artificial Intelligence explained that America is ill-prepared for the next decade of technological development, and part of that is due to a lack of governmental action in regulating things like data privacy. It is time that we heed the advice of security experts like the National Security Commission and pass meaningful data privacy legislation. We must be part of the solution and not the problem.”

In 2021, the Oklahoma House passed another privacy bill but it did not make it out of the Senate Judiciary Committee. According to Rep. Walke, the 2021 version will still be alive when the 2022 legislative session convenes such that Oklahoma lawmakers will have two bills to consider.

Below is an overview of the 2022 bill (as introduced).

In addition, members of Husch Blackwell’s privacy and data security practice will be hosting a webinar on September 28 to discuss developments in U.S. privacy law, including the 2022 Oklahoma bill. Click here to register.

Continue Reading 2022 Oklahoma Computer Data Privacy Act Filed

Over the past few months, there have been numerous developments in U.S. and international privacy law. In the United States, Colorado and Virginia passed consumer privacy laws, and California voters passed a substantial amendment to the CCPA. Abroad, the European Commission issued new standard contractual clauses for cross-border data transfers, and China and Brazil are enacting new laws.

Join us on Tuesday, September 28, 2021, for a live webinar exploring these new developments. Topics include:

  • Update on proposed state consumer privacy legislation and expectations for the 2022 legislative session
  • Status of California Consumer Privacy Act (CCPA) enforcement
  • Update on the California Privacy Rights Act (CPRA), including the creation of the California Privacy Protection Agency and upcoming rulemaking process
  • Status of the Virginia Consumer Data Protection Act and Colorado Privacy Act
  • Analysis of the European Commission’s new standard contractual clauses for cross-border data transfers and what it means for U.S. companies
  • Update on new developments in Brazil and China

Click here to register.

 

In the sixth episode of our Legislating Data Privacy Series, we talk with Joseph Duball, staff writer at the International Association of Privacy Professionals.

In 2021, no one covered state privacy legislation more than Joe Duball. If there was a committee hearing or floor debate, Joe was listening and reporting. In his work contributing to the IAPP’s daily news alerts, Joe published articles on every major state privacy law development in 2021, many times interviewing the lawmakers who were making the decisions.

In this wide-ranging interview, Joe discusses how he kept track of all the proposed bills, his thoughts on the 2021 session, and what he expects to happen when legislatures reconvene in 2022. If you are interested in state privacy legislation, do not miss this interview.

Click here to listen to the full interview.