On Monday, the Chair of the European Data Protection Board (EDPB) issued a statement on the processing of personal data in the context of the COVID-19 outbreak. In that statement, the Chair acknowledged that although the EU General Data Protection Regulation (GDPR) provides broad and comprehensive privacy rights to individuals, it does have mechanisms in place that allow certain data collectors/processors, such as employers, as well as competent public health authorities, to process personal data in the context of epidemics without the need to obtain the consent of the data subject. Articles 6 and 9 of the GDPR, for example, permit the nonconsensual processing of personal data where it is necessary for reasons of public interest in the area of public health or to protect vital interests.

The statement also addressed the fact that additional rules apply to the processing of electronic personal data, such as geolocation data, even during a pandemic. Per national laws implementing the ePrivacy Directive, if a data operator cannot obtain the consent of a data subject to the use of his or her personal geolocation data, the operator should do everything possible to only use the data in an anonymous format (e.g., aggregating location data to get a general sense of how many people are in a given location, with no possibility of reverse tracing that data). If anonymous collection is not possible, a government can invoke Article 15 of the ePrivacy Directive and introduce legislation pursuing national or public security (a pandemic could qualify as either) if it constitutes “a necessary, appropriate and proportionate measure within a democratic society.” If a member state does this, it must provide adequate safeguards, such as allowing a judicial remedy to aggrieved data subjects.

On March 11, 2020, the California Attorney General’s office published a second set of modified proposed CCPA regulations. Members of Husch Blackwell’s privacy and data security practice group will host a webinar on Tuesday, March 17, from 12:00-1:00 p.m. CT, to analyze the second set of modified proposed regulations.

Keypoint: For the second year in a row, the Washington Privacy Act has failed to become law.

Yesterday afternoon, on the final day of the Washington legislative session, Senator Reuven Carlyle issued a statement announcing the failure of the Senate and House to reach a compromise on the Washington Privacy Act (WPA) (SB 6281). Senator Carlyle’s statement identified one insurmountable obstacle – enforcement.


Keypoint: This modified draft of proposed regulations retracts some of the modifications as published on February 10 and adds new revisions. There is an additional comment period, which delays publication of final regulations and further shortens the time businesses will have to drive compliance before the July 1, 2020 enforcement date.

On Wednesday, March 11, 2020, the California Attorney General’s office published a notice of second set of modifications to the text of the proposed regulations regarding the California Consumer Privacy Act (CCPA). The Attorney General’s office also published redline and clean versions of the second set of modified regulations.

In the below post, we first provide a brief background of the regulatory process. We then discuss the most significant changes made in this latest round of revisions.


Keypoint: With just two days to go before the close of the Washington legislature, a conference committee will try to resolve conflicts between the House and Senate versions of the WPA.

As we previously reported, on Friday, March 6, the Washington House passed an amended version of the Washington Privacy Act (WPA) that included a private right of action. The bill then moved back to the Senate where, on Monday, March 9, the Senate refused to concur in the amendments and asked the House to recede from them. Predictably, the House refused.

However, the House requested that the Senate agree to a conference committee, which request the Senate quickly granted. The House and Senate thereafter appointed three members each to participate in the conference committee.


Keypoint: The Washington House of Representatives passed an amended version of the WPA containing a private right of action.

On Friday, March 6, the Washington House of Representatives passed an amended version of the Washington Privacy Act (WPA) (SB 6281). Among other changes, the House WPA contains a private right of action that would allow state residents to sue data controllers for technical violations of the bill’s provisions. The House WPA now moves back to the Senate for further consideration. Lawmakers have until Thursday, March 12, to resolve the differences between the House and Senate WPA versions.


Keypoint: The WPA version that passed out of the House committee contains a private right of action along with other changes strengthening the WPA’s privacy provisions.

On Friday, February 28, the Washington House Innovation, Technology & Economic Development Committee (ITED) voted to pass a strengthened version of the Washington Privacy Act (WPA) out of committee. As discussed in our prior post, on February 14, the Washington Senate voted overwhelmingly to pass the WPA. Yet, after moving to the House, the WPA encountered substantial resistance from privacy advocates. At a public hearing on February 21, privacy advocates argued against the WPA’s lack of a private right of action, facial recognition provisions, and preemption of local laws, among other things.

Keypoint: The Wisconsin Data Privacy Act would create CCPA and GDPR-like rights for Wisconsin residents and would strengthen Wisconsin’s data security and breach notification requirements.

Lawmakers in Wisconsin have proposed three bills that, if enacted, would create privacy rights for Wisconsin residents and compliance burdens for entities that process or control consumer data. All three bills were introduced on February 10, 2020 and an initial public hearing was held on February 12, 2020.


As it did last year, the Washington state senate has overwhelmingly passed comprehensive consumer privacy legislation. The legislation, entitled the Washington Privacy Act (WPA), passed the state senate on February 14, 2020, by a vote of 46-1. The legislation will now move to the state house of representatives where it failed last year. A copy of the WPA, as it passed the senate, is available here.

On Friday, February 7, 2020, the California Attorney General’s office published modified proposed CCPA regulations. Members of Husch Blackwell’s privacy and data security practice group will host a webinar on Wednesday, February 12, from 12:00-1:00 p.m. CT, to analyze the modified proposed regulations.