Photo of David Stauss [Former Attorney]

David Stauss [Former Attorney]

 

Formerly with Husch Blackwell, David routinely counseled clients on complying with privacy laws such as the EU's General Data Protection Regulation, the California Consumer Privacy Act, the Colorado Privacy Act, and other state privacy laws.

Keypoint: App developers will need to navigate a new privacy questionnaire designed to provide users with an easy to understand presentation of an App’s privacy practices.

As of December 8, 2020, Apple now requires all newly submitted applications (Apps) on its App Store, or updates to Apps, to include a privacy nutrition label describing the App’s privacy practices. This is in addition to Apple’s existing requirement that all Apps provide a link to a publicly accessible full privacy policy.

The privacy nutrition label is automatically generated based on a developer’s answers to a series of questions about the types of data the App collects (both first party and third-party collection), how each data type is used, whether the data is linked to the user, and whether the data is used for tracking purposes.

In the below post, we outline the four steps required by Apple.

Keypoint: Once finalized, US entities can use the new Standard Contractual Clauses to legally transfer data out of the EEA when combined with appropriate supplementary measures.

As discussed in our prior post, on November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses (SCCs) for the transfer of personal data to third countries and draft standard contractual clauses. Once finalized, the SCCs will replace the existing SCCs for data transfers out of the EEA.

As explained in the implementing decision, the SCCs “needed to be updated in light of new requirements in” GDPR. The SCCs also needed to be updated to consider “important developments . . . in the digital economy, with the widespread use of new and more complex processing operations often involving multiple data importers and exporters, long and complex processing chains as well as evolving business relationships.” The draft SCCs are also heavily influenced by the CJEU’s Schrems II decision.

The implementing decision and draft SCCs are open for public feedback until December 10, 2020. The European Commission presented the draft SCCs to the European Data Protection Board (EDPB) at the EDPB’s 42nd plenary session and requested a joint opinion from the EDPB and the European Data Protection Supervisor. For reference, the EDPB’s recommendations on draft supplementary measures was discussed in this blog post.

Once finalized, there will be a one-year implementation period in which entities can continue to rely on the existing SCCs for contracts entered into prior to the new SCCs going in effect, provided that the contract remains unchanged. However, the parties to the contract still must institute supplementary measures to allow for appropriate safeguards in light of the Schrems II judgment.

A discussion of some of the relevant takeaways from the draft SCCs follows:

Keypoint: In the wake of Schrems II, the EDPB’s much-anticipated recommendations provide extensive guidance on supplementary measures parties can use to legally transfer data out of the EEA in the absence of an adequacy decision.

In a flurry of activity last week, the European Data Protection Board (EDPB) and the European Commission made major announcements affecting cross-border data transfers out of the EEA.

First, the EDPB announced the adoption of draft recommendations on measures that supplement cross-border data transfer tools as well as recommendations on the European Essential Guarantees for surveillance measures. The recommendations were adopted during the EDPB’s 41st plenary session and in response to the CJEU’s Schrems II ruling. The following day, the European Commission published a draft set of new standard contractual clauses. Taken together, these documents will, once finalized, fundamentally change data transfers out of the EEA.

The below post will examine the EDPB’s draft recommendations on supplementary measures. The draft new standard contractual clauses will be discussed in a separate post.

Keypoint: The EDPB’s much-anticipated recommendations will help companies identify the supplementary measures they need to put into place to comply with the CJEU’s Schrems II decision.

Today, the European Data Protection Board (EDPB) announced that it has adopted recommendations on measures that supplement cross-border data transfer tools and recommendations on the European Essential Guarantees for surveillance measures. The recommendations – which are not yet publicly available – were adopted during the EDPB’s 41st plenary session and in response to the CJEU’s Schrems II ruling. Once available, the recommendations will be submitted for public consultation. As is customary, the recommendations are subject to legal, linguistic and formatting checks prior to being published on the EDPB’s website.

According to the San Francisco Chronicle and Californians for Consumer Privacy, California voters have passed Proposition 24 – the California Privacy Rights Act (CPRA). The CPRA substantially modifies the California Consumer Privacy Act (CCPA), which just went into effect on January 1, 2020.

Members of Husch Blackwell’s privacy and data security practice will host

Keypoint: The California Attorney General’s office once again published proposed modifications to its CCPA regulations. The modifications primarily focus on making changes to the provisions dealing with the right to opt out and authorized agent requests.

On October 12, 2020, the California Department of Justice published a third set of proposed modifications to its California Consumer Privacy Act (CCPA) regulations. The deadline to submit written comments is October 28, 2020.

The proposed modifications were published less than two months after the CCPA regulations went into effect on August 14, 2020. In general, the proposed changes focus on the provisions concerning the notice of the right to opt-out, requests to opt-out, and the use of authorized agents for making requests.

The proposed modifications are as follows:

Keypoint: Entities that use Article 28 data processing agreements should closely review the EDBP’s draft guidelines and modify their data processing agreement as necessary.

In September, the European Data Protection Board (EDPB) adopted Guidelines 7/2020 on the concepts of controller and processor in the GDPR (Guidelines). The Guidelines, which are open for public consultation until October 19, 2020, address three topics – the distinctions between controllers and processors, the relationship between controllers and processors, and the consequences of joint controllership.

Although the other topics bear close consideration, the Guidelines’ analysis of the relationship between controller and processors – in particular, its discussion of Article 28 data processing agreements (DPAs) – should be closely examined by entities using DPAs. This is particularly true given the intense focus on DPAs in the context of international data transfers post Schrems II.

In the below analysis, we first provide a brief background on Article 28 and then discuss its requirements in further detail in the context of the EDPB’s guidance. In summary, the EDBP’s Guidelines require entities to conduct a thorough and considered analysis of these relationships and not simply use boilerplate DPAs.

Keypoint: LGPD is a complicated regulatory regime that will required U.S. entities subject to its requirements to undertake substantial compliance efforts.

As documented in Dirceu Santa Rosa’s article for the IAPP’s Privacy Tracker, efforts to delay the effective date of Brazil’s General Data Protection Law – Lei Geral de Proteção de Dados or LGPD – recently failed, and the law is expected to go into force in the coming days. Brazil’s federal government also published a decree approving the regulatory structure of the Autoridade Nacional de Proteção de Dados, i.e., Brazil’s national data protection authority.

LGPD becoming effective this year was a surprise to many as its effective date was expected to be postponed because of COVID-19. However, in a year that started with the CCPA going into effect, descended into chaos with COVID-19 (and its numerous privacy issues), took a “what just happened?” turn with the invalidation of Privacy Shield, and will close with a vote on CCPA 2.0, the unexpected start of LGPD feels like par for the course for privacy professionals.

For U.S. companies trying to comply with these laws, LGPD may seem like another insurmountable task. To facilitate that process, below is a general discussion of LGPD and some of its more notable provisions. For reference, LGPD has been translated into English by Ronaldo Lemos and his team at Pereira Neta Macedo and is available here.

Keypoint: The report provides five recommendations for proposed privacy legislation in Texas but does not propose specific statutory language or make recommendations on many key issues.

In a reminder that winter is likely to bring another round of proposed CCPA-like state privacy legislation, earlier this month, the Texas Privacy Protection Advisory Council issued an interim report with findings and recommendations for privacy legislation in Texas.