Keypoint: The EDPB’s FAQs resolve some open questions, such as whether there will be a grace period for companies relying on Privacy Shield, but raise other questions, such as what “supplementary measures” companies need to put in place to use Standard Contractual Clauses and Binding Corporate Rules.

In the wake of the Court of Justice of the European Union’s Schrems II judgment, on July 23, 2020, the European Data Protection Board (EDPB) adopted a Frequently Asked Questions document to “provide initial clarification and give preliminary guidance to stakeholders on the use of legal instruments for the transfer of personal data to third countries, including the U.S.” The EDPB stated that the document will be updated, and further guidance provided, as it continues to examine and consider the judgment.

In a ground-breaking opinion issued today, the Court of Justice of the European Union invalidated the EU-US Privacy Shield Decision as a method for transferring personal data from the EU to the US. In short, the Decision was invalidated over Privacy Shield’s failure to adequately address US government surveillance activities.

Conversely, the Court upheld the use of standard contractual clauses for transfers of personal data to third countries but emphasized that the parties are under an obligation to ensure that the laws in the recipient country are sufficient.  Specifically, the Court held that GDPR Article 46(1) and 46(2)(6) “must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed” in European law.

During a webinar last week hosted by the International Association of Privacy Professionals, a representative from the California Attorney General’s office confirmed that on July 1, the first date of the AG’s statutory enforcement authority, the office sent its first set of CCPA enforcement letters. Per the statute, businesses have 30 days to cure the violations before the AG’s office may commence a confidential investigation or initiate a lawsuit.

On June 24, 2020, the California Secretary of State announced that county election officials had validated enough signatures through the random signature validation process to make the California Privacy Rights Act of 2020 (a/k/a CCPA 2.0) eligible for the November 3, 2020 ballot. The final projected valid signatures based on the random sample validation process

In early June, the California Attorney General filed final CCPA regulations with the California Office of Administrative Law. The final regulations were accompanied by a 59-page Final Statement of Reasons along with six appendices containing over 500 pages of comments on the regulations and the Attorney General’s responses to those comments. One of the many topics that the Attorney General’s office discussed was the final regulation’s requirements for drafting privacy policies. Given that the drafting of a privacy policy is a necessary part of CCPA compliance, it is worth analyzing those comments.

Keypoint: If passed, the bill would create a regulatory structure around the use of contact-tracing apps, including requiring operators of such services to obtain affirmative express consent, provide privacy disclosures, not transfer the data unless under certain circumstances, and delete the data on demand or within thirty days.

According to multiple sources, a bipartisan group of Senators plan to introduce a bill to regulate the use of contact-tracing and exposure notification apps. The bill, entitled the “Exposure Notification Privacy Act” is the latest in a series of bills that seek to regulate these new apps. Previous competing bills were submitted by Republican and Democrat Senators. The new bipartisan bill raises hopes that federal privacy legislation (albeit on a limited issue) may finally pass.

Below is a discussion of the Act’s relevant provisions.

Resulting in Zoom Promising to Implement an Information Security Program, Resembling the SHIELD Act

Key point: The Letter of Agreement between the New York Attorney General and Zoom Video Communications, Inc. provides insight into what the Attorney General may consider satisfying the Reasonable Safeguards requirement under the SHIELD Act.

On May 7, 2020 Zoom Video Communications, Inc. (Zoom) became the first company to experience one of the new enforcement tools available to the New York Attorney General’s Office (NYAG) under the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).

The SHIELD Act took effect on March 21, 2020, and requires any person or business owning or licensing computerized data containing the private information of a New York resident “to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of that private information.” GBL § 899-BB(2).

Keypoint: If the California Privacy Rights Act is approved by voters in November, it would trigger a series of deadlines ultimately culminating in a January 1, 2023 effective date and July 1, 2023 enforcement date.

On May 4, 2020, privacy advocates reported that they were submitting over 900,000 signatures to qualify the California Privacy Rights Act (CPRA or CCPA.20) for the November election. Assuming the initiative passes the signature verification process, it would be on the November 3, 2020 ballot and become law if approved by a simple majority of California voters.

If the CPRA does pass in November, it will trigger a complicated timeline of staggered effective and enforcement dates and regulatory rulemaking deadlines.

Keypoint: Advocates seem certain that they have done enough to qualify CCPA 2.0 for the November ballot.

On May 4, 2020, the Californians for Consumer Privacy advocacy group announced that they were submitting over 900,000 signatures to qualify the California Privacy Rights Act (CPRA, commonly referred to as “CCPA 2.0”) for the November 2020 ballot.