Keypoint: The report provides five recommendations for proposed privacy legislation in Texas but does not propose specific statutory language or make recommendations on many key issues.
In a reminder that winter is likely to bring another round of proposed CCPA-like state privacy legislation, earlier this month, the Texas Privacy Protection Advisory Council issued an interim report with findings and recommendations for privacy legislation in Texas.
The fallout from the Schrems II judgment continued on Tuesday with an announcement from Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) that the Swiss-US Privacy Shield regime “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to [Switzerland’s] Federal Act on Data Protection (FADP).”
Keypoint: Representatives of the European Commission and EDPB advised that further guidance on cross-borders data transfers are forthcoming.
Last week, Didier Reynders, European Commissioner for Justice, and Dr. Andrea Jelinek, Chair of the European Data Protection Board (EDPB), appeared at a hearing conducted by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and updated committee members on their work since the Schrems II decision.
On August 30, 2020, the California legislature passed Assembly Bill 1281, which extends the CCPA’s business-to-business and employee exemptions by one year until January 1, 2022. The bill now moves to the California Governor’s office.
Keypoint: Some additional changes to the CCPA regulations were made before they were filed with the Secretary of State and became effective.
As discussed in our prior post, on Friday, August 14, 2020, the California Office of Administrative Law (OAL) approved the California Office of the Attorney General’s (OAG) final CCPA regulations and filed them with the California Secretary of State (SOS). The regulations were immediately effective.
Notably, the final text of the regulations submitted to the SOS was modified from the one filed with the OAL. The OAG published an Addendum to the Final Statement of Reasons setting forth the changes. Many of the changes are stylistic and grammatical. However, some of the changes are substantive and will impact compliance efforts. The most notable changes are discussed below:
On August 14, 2020, Attorney General Becerra announced that the California Office of Administrative Law (OAL) approved the final regulations related to the California Consumer Privacy Act (CCPA) an filed them with the Secretary of State. The regulations go into effect immediately.
The Attorney General’s office submitted the final proposed regulations to the OAL on June 1, 2020. As part of the final regulations package, the Attorney General requested an expedited review of 30 business days and that the regulations become effective upon filing with the Secretary of State. Although not satisfying the 30-day request, the OAL did complete its review in short order, particularly in light of two executive orders by California’s governor extending the OAL’s review period by an additional 120 days.
Keypoint: The EDPB’s FAQs resolve some open questions, such as whether there will be a grace period for companies relying on Privacy Shield, but raise other questions, such as what “supplementary measures” companies need to put in place to use Standard Contractual Clauses and Binding Corporate Rules.
In the wake of the Court of Justice of the European Union’s Schrems II judgment, on July 23, 2020, the European Data Protection Board (EDPB) adopted a Frequently Asked Questions document to “provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.” The EDPB stated that the document will be updated, and further guidance provided, as it continues to examine and consider the judgment.
In a ground-breaking opinion issued today, the Court of Justice of the European Union invalidated the EU-US Privacy Shield Decision as a method for transferring personal data from the EU to the US. In short, the Decision was invalidated over Privacy Shield’s failure to adequately address US government surveillance activities.
Conversely, the Court upheld the use of standard contractual clauses for transfers of personal data to third countries but emphasized that the parties are under an obligation to ensure that the laws in the recipient country are sufficient. Specifically, the Court held that GDPR Article 46(1) and 46(2)(6) “must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed” in European law.
During a webinar last week hosted by the International Association of Privacy Professionals, a representative from the California Attorney General’s office confirmed that on July 1, the first date of the AG’s statutory enforcement authority, the office sent its first set of CCPA enforcement letters. Per the statute, businesses have 30 days to cure the violations before the AG’s office may commence a confidential investigation or initiate a lawsuit.
On June 24, 2020, the California Secretary of State announced that county election officials had validated enough signatures through the random signature validation process to make the California Privacy Rights Act of 2020 (a/k/a CCPA 2.0) eligible for the November 3, 2020 ballot. The final projected valid signatures based on the random sample validation process