Keypoint: Entities that use Article 28 data processing agreements should closely review the EDBP’s draft guidelines and modify their data processing agreement as necessary.

In September, the European Data Protection Board (EDPB) adopted Guidelines 7/2020 on the concepts of controller and processor in the GDPR (Guidelines). The Guidelines, which are open for public consultation until October 19, 2020, address three topics – the distinctions between controllers and processors, the relationship between controllers and processors, and the consequences of joint controllership.

Although the other topics bear close consideration, the Guidelines’ analysis of the relationship between controller and processors – in particular, its discussion of Article 28 data processing agreements (DPAs) – should be closely examined by entities using DPAs. This is particularly true given the intense focus on DPAs in the context of international data transfers post Schrems II.

In the below analysis, we first provide a brief background on Article 28 and then discuss its requirements in further detail in the context of the EDPB’s guidance. In summary, the EDBP’s Guidelines require entities to conduct a thorough and considered analysis of these relationships and not simply use boilerplate DPAs.

Key Point: The New York Attorney General’s Office (NYAG) reached a Consent and Stipulation Agreement with Dunkin’ Brands, Inc. (Dunkin), which obligates the company to implement and maintain a comprehensive information security program to protect customers’ private information. The terms of the consent agreement are similar to the terms New York reached with Zoom earlier this year regarding inadequate data security practices, and strongly resemble the reasonable security measures described in the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

Neither agreement mentions the SHIELD Act, but both agreements include promises to comply with key elements contained in it. These agreements, as well as California’s legislative efforts, are creating a baseline for future enforcement cases on the adequacy of information security programs and the promises companies make to protect consumer data.

Keypoint: LGPD is a complicated regulatory regime that will required U.S. entities subject to its requirements to undertake substantial compliance efforts.

As documented in Dirceu Santa Rosa’s article for the IAPP’s Privacy Tracker, efforts to delay the effective date of Brazil’s General Data Protection Law – Lei Geral de Proteção de Dados or LGPD – recently failed, and the law is expected to go into force in the coming days. Brazil’s federal government also published a decree approving the regulatory structure of the Autoridade Nacional de Proteção de Dados, i.e., Brazil’s national data protection authority.

LGPD becoming effective this year was a surprise to many as its effective date was expected to be postponed because of COVID-19. However, in a year that started with the CCPA going into effect, descended into chaos with COVID-19 (and its numerous privacy issues), took a “what just happened?” turn with the invalidation of Privacy Shield, and will close with a vote on CCPA 2.0, the unexpected start of LGPD feels like par for the course for privacy professionals.

For U.S. companies trying to comply with these laws, LGPD may seem like another insurmountable task. To facilitate that process, below is a general discussion of LGPD and some of its more notable provisions. For reference, LGPD has been translated into English by Ronaldo Lemos and his team at Pereira Neta Macedo and is available here.

Keypoint: The report provides five recommendations for proposed privacy legislation in Texas but does not propose specific statutory language or make recommendations on many key issues.

In a reminder that winter is likely to bring another round of proposed CCPA-like state privacy legislation, earlier this month, the Texas Privacy Protection Advisory Council issued an interim report with findings and recommendations for privacy legislation in Texas.

The fallout from the Schrems II judgment continued on Tuesday with an announcement from Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) that the Swiss-US Privacy Shield regime “does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to [Switzerland’s] Federal Act on Data Protection (FADP).”

Keypoint: Representatives of the European Commission and EDPB advised that further guidance on cross-borders data transfers are forthcoming.

Last week, Didier Reynders, European Commissioner for Justice, and Dr. Andrea Jelinek, Chair of the European Data Protection Board (EDPB), appeared at a hearing conducted by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and updated committee members on their work since the Schrems II decision.

Keypoint: Some additional changes to the CCPA regulations were made before they were filed with the Secretary of State and became effective.

As discussed in our prior post, on Friday, August 14, 2020, the California Office of Administrative Law (OAL) approved the California Office of the Attorney General’s (OAG) final CCPA regulations and filed them with the California Secretary of State (SOS). The regulations were immediately effective.

Notably, the final text of the regulations submitted to the SOS was modified from the one filed with the OAL. The OAG published an Addendum to the Final Statement of Reasons setting forth the changes. Many of the changes are stylistic and grammatical. However, some of the changes are substantive and will impact compliance efforts. The most notable changes are discussed below:

On August 14, 2020, Attorney General Becerra announced that the California Office of Administrative Law (OAL) approved the final regulations related to the California Consumer Privacy Act (CCPA) an filed them with the Secretary of State. The regulations go into effect immediately.

The Attorney General’s office submitted the final proposed regulations to the OAL on June 1, 2020. As part of the final regulations package, the Attorney General requested an expedited review of 30 business days and that the regulations become effective upon filing with the Secretary of State. Although not satisfying the 30-day request, the OAL did complete its review in short order, particularly in light of two executive orders by California’s governor extending the OAL’s review period by an additional 120 days.