September 2020

Key Point: The New York Attorney General’s Office (NYAG) reached a Consent and Stipulation Agreement with Dunkin’ Brands, Inc. (Dunkin), which obligates the company to implement and maintain a comprehensive information security program to protect customers’ private information. The terms of the consent agreement are similar to the terms New York reached with Zoom earlier this year regarding inadequate data security practices, and strongly resemble the reasonable security measures described in the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

Neither agreement mentions the SHIELD Act, but both agreements include promises to comply with key elements contained in it. These agreements, as well as California’s legislative efforts, are creating a baseline for future enforcement cases on the adequacy of information security programs and the promises companies make to protect consumer data.

Keypoint: LGPD is a complicated regulatory regime that will required U.S. entities subject to its requirements to undertake substantial compliance efforts.

As documented in Dirceu Santa Rosa’s article for the IAPP’s Privacy Tracker, efforts to delay the effective date of Brazil’s General Data Protection Law – Lei Geral de Proteção de Dados or LGPD – recently failed, and the law is expected to go into force in the coming days. Brazil’s federal government also published a decree approving the regulatory structure of the Autoridade Nacional de Proteção de Dados, i.e., Brazil’s national data protection authority.

LGPD becoming effective this year was a surprise to many as its effective date was expected to be postponed because of COVID-19. However, in a year that started with the CCPA going into effect, descended into chaos with COVID-19 (and its numerous privacy issues), took a “what just happened?” turn with the invalidation of Privacy Shield, and will close with a vote on CCPA 2.0, the unexpected start of LGPD feels like par for the course for privacy professionals.

For U.S. companies trying to comply with these laws, LGPD may seem like another insurmountable task. To facilitate that process, below is a general discussion of LGPD and some of its more notable provisions. For reference, LGPD has been translated into English by Ronaldo Lemos and his team at Pereira Neta Macedo and is available here.

Keypoint: The report provides five recommendations for proposed privacy legislation in Texas but does not propose specific statutory language or make recommendations on many key issues.

In a reminder that winter is likely to bring another round of proposed CCPA-like state privacy legislation, earlier this month, the Texas Privacy Protection Advisory Council issued an interim report with findings and recommendations for privacy legislation in Texas.

The fallout from the Schrems II judgment continued on Tuesday with an announcement from Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) that the Swiss-US Privacy Shield regime “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to [Switzerland’s] Federal Act on Data Protection (FADP).”

Keypoint: Representatives of the European Commission and EDPB advised that further guidance on cross-borders data transfers are forthcoming.

Last week, Didier Reynders, European Commissioner for Justice, and Dr. Andrea Jelinek, Chair of the European Data Protection Board (EDPB), appeared at a hearing conducted by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and updated committee members on their work since the Schrems II decision.