It’s a simple fact: people value their privacy. At its core, privacy means being safe from outside intrusion and keeping our personal information to ourselves. In recent years, in part because of pressure from privacy advocates, comprehensive laws designed to protect the personal information of individuals have been enacted in the United States and abroad. One of the most comprehensive and far-reaching is the General Data Protection Regulation (GDPR), which applies throughout the European Union (EU) and the wider European Economic Area (EEA). Our neighbor, Canada, has, among other laws, the Personal Information Protection and Electronic Documents Act (PIPEDA).
The United States does not have a comprehensive general privacy law. Several states have therefore taken the initiative to enact such legislation, California being the first with its California Consumer Privacy Act (CCPA). Virginia followed suit this year, enacting the Virginia Consumer Data Protection Act (VCDPA). Perhaps the most important operational impact of these privacy laws for businesses is that they require an organization or business to give individuals certain notices about its practices for collecting, using and sharing personal information, and to inform individuals of their rights, which may include the right to know or access, correct, delete and opt out of the sale or sharing of their personal information. In addition, failure to comply with the requirements of privacy law can result in substantial financial and other penalties.
Over the past year, there have been three particularly notable developments in the area of privacy law. First, with regard to transfers of personal information concerning persons located in the EEA, the Court of Justice of the European Union (CJEU), in C-311/18, Data Protection Commissioner v Facebook Ireland Ltd. and Maximillian Schrems (Schrems II), invalidated the EU-US Privacy Shield and called into question the continued viability of other transfer mechanisms, such as the standard contractual clauses. Second, through a ballot initiative (Proposition 24), California enacted a number of important amendments to the CCPA by way of the California Privacy Rights Act (“CPRA”), almost all of which come into effect on January 1, 2023. Third, Virginia became the second state in the United States to enact comprehensive privacy legislation. This article briefly discusses each of these developments in privacy law; the intention is to raise awareness rather than to provide detailed analysis.
Under the GDPR, the transfer of personal information about a person located in the EEA (a “data subject”) to locations or organizations outside the EEA by anyone other than the data subject is prohibited unless at least one of the legal bases for such a transfer under the GDPR is satisfied. One of these bases is what is known as an “adequacy decision”, meaning that the European Commission has determined that a country, or a category of organizations in that country, provides an adequate level of protection. Prior to being struck down by the court in Schrems II, the US benefited from an adequacy decision covering organizations certified under the EU-US Privacy Shield. Under that regime, organizations located in the United States could self-certify that they complied with the standards and practices required by the Privacy Shield. In the absence of an adequacy decision, most companies rely on the standard contractual clauses promulgated by the European Commission to effect these transfers. These are model contract terms, adherence to which is treated as satisfying the requirement for an adequate level of protection. The court in Schrems II held, however, that while the clauses are not inherently invalid, they may not be sufficient in certain situations, including for transfers to the United States.
The CJEU based its conclusions on two key findings. First, it concluded that the Privacy Shield did not adequately limit access by US public authorities to the personal information of data subjects. Second, the CJEU concluded that the Privacy Shield, even with its Ombudsperson mechanism, did not provide data subjects with adequate remedies to assert their rights. Although the court did not annul the standard contractual clauses outright, it noted that, being contractual in nature, they cannot bind public authorities in third countries (such as US government agencies), so that it may be necessary to supplement the safeguards the clauses contain. Unfortunately, the court did not specify what those supplementary measures would be, but the European Data Protection Board has since released substantial guidance, including recommendations regarding encryption. The US government also issued a white paper criticizing the CJEU for focusing on the US law and procedures in effect in 2016, when the Privacy Shield was adopted, and for failing to take into account newer US laws and practices designed to provide more protections and remedies for those subject to surveillance. The white paper also offers guidance for complying with the Schrems II decision. Needless to say, Schrems II has a significant impact on the ability of companies to conduct business activities that involve transfers of data subjects’ personal information from companies based in the EEA to companies located in the United States.
CPRA Amendments to the CCPA
The CCPA applies to a “business”, essentially defined as (a) a for-profit entity or individual that does business in the State of California, (b) that collects the personal information of California residents (“consumers”), and (c) that meets at least one of the following criteria:
- Has annual gross revenues greater than twenty-five million dollars ($25,000,000), as adjusted under the statute
- Alone or in combination, annually buys, receives for commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices
- Derives 50 percent or more of its annual revenue from selling consumers’ personal information
A “business” also includes any entity that controls or is controlled by a business as defined above and that shares common branding with that business. Unfortunately, the law does not define what it means to do business in California. California authorities will likely interpret this provision broadly, so that even limited contact with California could be enough to bring a business within the scope of the law. The CPRA has modified the CCPA in several ways. Some of the most important changes are:
- Modifies the definition of a CCPA-covered business by (i) increasing the threshold in paragraph (b) above from 50,000 to 100,000 or more consumers or households, and removing devices from the count, and (ii) expanding the criterion in paragraph (c) above to include sharing, in addition to selling, consumers’ personal information
- Creates a new category of personal information (“sensitive personal information”) and provides specific rights regarding the collection and use of it
- Creates a new category of recipients of personal information, “contractors”, in addition to “service providers” and “third parties”
- Provides consumers with the right to correct their personal information and extends other consumer rights
- Gives consumers the right to know how long the company retains each category of personal information (including sensitive personal information)
- Requires the California Attorney General to adopt regulations requiring businesses whose processing of consumers’ personal information presents a significant risk to consumers’ privacy or security (a) to perform a cybersecurity audit on an annual basis, including defining the scope of the audit and establishing a process to ensure that audits are thorough and independent, and (b) to submit to the California Privacy Protection Agency, on a regular basis, a risk assessment of their processing of personal information
- Imposes data minimization requirements and storage limitations
- Eliminates the 30-day cure period that preceded administrative enforcement
- Expands the grounds for the private right of action (for example, to breaches involving an email address in combination with a password or security question and answer)
- Creates the California Privacy Protection Agency, the first dedicated privacy regulator in the United States
Virginia became the second state in the United States to pass comprehensive privacy legislation. The VCDPA, which takes effect on January 1, 2023, applies to “persons” (presumably individuals and corporations) who conduct business in the Commonwealth of Virginia or produce products or services targeted to residents of the Commonwealth and who (i) during a calendar year, control or process the personal data of at least 100,000 consumers [as defined below], or (ii) control or process the personal data of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal data.
While the law has similarities to the CCPA, it is not the same and, in fact, adopts some concepts from the GDPR. In many ways, the VCDPA is simpler and more straightforward than the CCPA. A notable distinction is that, unlike the GDPR and the CCPA, the VCDPA does not apply to personal information collected in a business-to-business context or about employees (although the CCPA, as amended by the CPRA, has limited B2B and employee exemptions currently in force that expire on January 1, 2023). More specifically, it defines a “consumer”, to whom the law applies, as “a natural person who is a resident of the Commonwealth acting only in an individual or household context. It does not include a natural person acting in a commercial or employment context.” In addition, unlike the CCPA, the VCDPA provides no private right of action.
This article was originally published in the Bar News and can be found here.
Originally posted Jun 21, 2021
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.