Keypoint: In the wake of Schrems II, the EDPB’s much-anticipated recommendations provide extensive guidance on supplementary measures parties can use to legally transfer data out of the EEA in the absence of an adequacy decision.

In a flurry of activity last week, the European Data Protection Board (EDPB) and the European Commission made major announcements affecting cross-border data transfers out of the EEA.

First, the EDPB announced the adoption of draft recommendations on measures that supplement cross-border data transfer tools as well as recommendations on the European Essential Guarantees for surveillance measures. The recommendations were adopted during the EDPB’s 41st plenary session and in response to the CJEU’s Schrems II ruling. The following day, the European Commission published a draft set of new standard contractual clauses. Taken together, these documents will, once finalized, fundamentally change data transfers out of the EEA.

This post examines the EDPB’s draft recommendations on supplementary measures. The draft new standard contractual clauses will be discussed in a separate post.

Continue Reading Analyzing the EDPB’s Draft Recommendations on Supplementary Measures

Keypoint: The EDPB’s much-anticipated recommendations will help companies identify the supplementary measures they need to put into place to comply with the CJEU’s Schrems II decision.

Today, the European Data Protection Board (EDPB) announced that it has adopted recommendations on measures that supplement cross-border data transfer tools and recommendations on the European Essential Guarantees for surveillance measures. The recommendations – which are not yet publicly available – were adopted during the EDPB’s 41st plenary session and in response to the CJEU’s Schrems II ruling. Once available, the recommendations will be submitted for public consultation. As is customary, the recommendations are subject to legal, linguistic and formatting checks prior to being published on the EDPB’s website.

Continue Reading EDPB Announces Recommendations on Schrems II Supplementary Measures

Key Point: California AG Becerra’s investigation into security flaws in the Glow fertility app results in a settlement agreement that resembles recent enforcement agreements in New York but is also unique in requiring the app’s developer to consider gender-specific concerns within its privacy-by-design principles.

“When you meet with your doctor or healthcare provider in person, you know that your sensitive information is protected. It should be no different when you use healthcare apps over the internet,” according to California’s Attorney General Becerra. The consequences of not having the appropriate data protections? It means “a digital disclosure of your private medical records is instantaneously and eternally available to the world” per Becerra.

For these reasons, especially in the new era of telemedicine, developers of medical applications (health apps) understand that consumers’ privacy and security must be protected. “Excuses are not an option,” Becerra warns. California’s settlement agreement with Upward Labs Holdings, Inc. (Upward Labs) and its subsidiary Glow, Inc. (Glow) is an example of why Becerra’s warning should not be ignored.

Continue Reading Settlement Agreement With Health App Developer Part of Emerging Trend But Adds Unique Gender-Based Requirement

According to the San Francisco Chronicle and Californians for Consumer Privacy, California voters have passed Proposition 24 – the California Privacy Rights Act (CPRA). The CPRA substantially modifies the California Consumer Privacy Act (CCPA), which just went into effect on January 1, 2020.

Members of Husch Blackwell’s privacy and data security practice will host a webinar on November 10, 2020, to analyze the CPRA and how it will modify the CCPA. To register, click here. During the webinar, our team will discuss the following topics:

  • Implementation timeline
  • New/modified consumer rights
  • New enforcement mechanisms
  • New/modified definitions and terms such as “sensitive personal information”
  • Changes to third-party data transfers
  • Key takeaways for businesses

The Department of Health and Human Services, Office of the National Coordinator for Health Information Technology released its final rule on Information Blocking as part of the 21st Century Cures Act in May. Implementation of the HHS Final Rule on Information Blocking begins November 2. The HHS Final Rule on Information Blocking concerns the access, exchange, or use of electronic health information (EHI) and applies to healthcare providers and related entities who handle EHI. For more on the HHS Final Rule on Information Blocking and its exceptions, read our related post on Healthcare Law Insights.

UPDATE: With the publication of the Interim Final Rule, HHS extended the compliance deadline to April 5, 2021. Read our update on Healthcare Law Insights.

Keypoint: The California Attorney General’s office once again published proposed modifications to its CCPA regulations. The modifications primarily focus on making changes to the provisions dealing with the right to opt out and authorized agent requests.

On October 12, 2020, the California Department of Justice published a third set of proposed modifications to its California Consumer Privacy Act (CCPA) regulations. The deadline to submit written comments is October 28, 2020.

The proposed modifications were published less than two months after the CCPA regulations went into effect on August 14, 2020. In general, the proposed changes focus on the provisions concerning the notice of the right to opt-out, requests to opt-out, and the use of authorized agents for making requests.

The proposed modifications are as follows:

Continue Reading CCPA Update: AG’s Office Publishes Another Set of Proposed Changes to CCPA Regulations

Keypoint: Entities that use Article 28 data processing agreements should closely review the EDPB’s draft guidelines and modify their data processing agreements as necessary.

In September, the European Data Protection Board (EDPB) adopted Guidelines 7/2020 on the concepts of controller and processor in the GDPR (Guidelines). The Guidelines, which are open for public consultation until October 19, 2020, address three topics – the distinctions between controllers and processors, the relationship between controllers and processors, and the consequences of joint controllership.

Although the other topics bear close consideration, the Guidelines’ analysis of the relationship between controller and processors – in particular, its discussion of Article 28 data processing agreements (DPAs) – should be closely examined by entities using DPAs. This is particularly true given the intense focus on DPAs in the context of international data transfers post Schrems II.

In the analysis below, we first provide a brief background on Article 28 and then discuss its requirements in further detail in the context of the EDPB’s guidance. In summary, the EDPB’s Guidelines require entities to conduct a thorough and considered analysis of these relationships and not simply use boilerplate DPAs.

Continue Reading Analyzing the EDPB’s Guidelines on Article 28 Data Processing Agreements

Key Point: The New York Attorney General’s Office (NYAG) reached a Consent and Stipulation Agreement with Dunkin’ Brands, Inc. (Dunkin), which obligates the company to implement and maintain a comprehensive information security program to protect customers’ private information. The terms of the consent agreement are similar to the terms New York reached with Zoom earlier this year regarding inadequate data security practices, and strongly resemble the reasonable security measures described in the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

Neither agreement mentions the SHIELD Act, but both agreements include promises to comply with key elements contained in it. These agreements, as well as California’s legislative efforts, are creating a baseline for future enforcement cases on the adequacy of information security programs and the promises companies make to protect consumer data.

Continue Reading New York’s Investigation of Dunkin Donuts Results in a Promise to Abide by the SHIELD Act’s Requirements

As reported by numerous Brazilian privacy professionals, Brazil’s new privacy law – Lei Geral de Proteção de Dados or LGPD – is now in full effect with the sanction of Law 14508 by Brazilian President Jair Bolsonaro. The birth of a new national privacy law is a unique day for privacy professionals. That is particularly true here given that Brazil is the largest country in South America and the sixth largest country in the world by population.

There is still work to be done to fully implement LGPD – such as the establishment of Brazil’s national data protection authority. However, based on its scope – including its purported extra-territorial jurisdiction and GDPR-like regulation of cross-border data transfers – LGPD could impact businesses across the globe if it is fully implemented and enforced.

For a deeper dive into LGPD’s provisions, see our blog post here.


Keypoint: LGPD is a complicated regulatory regime that will require U.S. entities subject to its requirements to undertake substantial compliance efforts.

As documented in Dirceu Santa Rosa’s article for the IAPP’s Privacy Tracker, efforts to delay the effective date of Brazil’s General Data Protection Law – Lei Geral de Proteção de Dados or LGPD – recently failed, and the law is expected to go into force in the coming days. Brazil’s federal government also published a decree approving the regulatory structure of the Autoridade Nacional de Proteção de Dados, i.e., Brazil’s national data protection authority.

LGPD becoming effective this year was a surprise to many as its effective date was expected to be postponed because of COVID-19. However, in a year that started with the CCPA going into effect, descended into chaos with COVID-19 (and its numerous privacy issues), took a “what just happened?” turn with the invalidation of Privacy Shield, and will close with a vote on CCPA 2.0, the unexpected start of LGPD feels like par for the course for privacy professionals.

For U.S. companies trying to comply with these laws, LGPD may seem like another insurmountable task. To facilitate that process, below is a general discussion of LGPD and some of its more notable provisions. For reference, LGPD has been translated into English by Ronaldo Lemos and his team at Pereira Neto Macedo and is available here.

Continue Reading What U.S. Companies Should Know about LGPD – Brazil’s New General Data Protection Law