The European Commission Released a Draft Adequacy Decision for the United Kingdom

 

In case you’ve been busy dodging novel viruses and winter storms, here’s a recap of why that’s important (be forewarned, we’re oversimplifying and condensing quite a bit for brevity).

Among other momentous things that occurred in 2016, the UK voted to leave the European Union in what has been dubbed “Brexit.” Brexit became effective on January 31, 2020 and thereafter EU law and the EU Court of Justice or “ECJ” no longer had precedence over British law and courts. To help ease the impact of that abrupt change, the UK Parliament passed the European Union (Withdrawal) Act 2018 which retains relevant EU law as domestic UK law.

For privacy and data security law purposes, the Withdrawal Act and related regulations did two key things:

  • First, they “froze” the GDPR, in its then-current EU form as of January 31, 2020. That frozen or “EU GDPR” version was then applied to all data received/transferred from the period before Brexit went into effect up to December 31, 2020.
  • Second, from December 31, 2020 and after, they make the GDPR part of domestic UK law and rename it the “UK GDPR.”

The UK GDPR isn’t quite an exact replica of the “frozen” EU GDPR. For instance, it changes the governing and binding interpretive bodies from the European Commission and ECJ, respectively, to the UK Secretary of State and UK courts. The replacement of the ECJ with the UK courts means the UK GDPR will inevitably continue to diverge from EU GDPR over time—though we suspect, that on big issues (like Schrems II which we explain here) the UK courts will follow the Swiss model of hewing closely to the ECJ.

So what does any of this have to do with an adequacy decision by the EU, you ask? Good question.

Recall that under the GDPR personal data can only be transferred out of the European Economic Area in one of two ways, either:

  • through an approved mechanism under GDPR Articles 46 or 49; or
  • if the European Commission has deemed the privacy laws of the destination country to be “adequate”

Since Article 46 mechanisms have been relentlessly (and successfully) attacked by Schrems and his aligned groups for over four years now, and Article 49 is largely untested, adequacy is far and away the preferred basis for transfer. Adequacy decisions are, however, very hard to come by. Up until now, only about a dozen have been granted.

To be sure, for companies governed by the GDPR who regularly move personal data to the UK, the failure of the UK to receive its own adequacy decision would be pretty burdensome. It would mean that long-standing personal data transfer practices would need to be entirely revisited, contracts amended and all manner of other compliance and operational impacts dealt with.

If, on the other hand, the UK receives an adequacy decision, things pretty much remain status quo ante for the foreseeable future. So while there are a few hurdles left before it becomes official, the fact that the EU has issued a draft decision this soon after the magic date of December 31, 2020, is a very good sign.

Watch this space. We’ll keep you updated.

New York Introduces Its Own Version of Illinois’ BIPA

In 2010, Illinois passed the Biometric Information Privacy Act, leading to over one thousand class action complaints between the years 2015 and 2020, alone. On January 6, 2021, the New York state legislature introduced Assembly Bill 27, titled the New York Biometric Privacy Act (“BPA”), which is a carbon copy version of the Illinois law.

New York’s BPA proposes to prohibit private entities from capturing, collecting, or storing a person’s biometrics without first implementing a policy and obtaining the person’s written consent. The New York BPA would provide for the identical remedies as the Illinois version, specifically, a private right of action with the ability to recover $1,000 for each negligent violation, $5,000 for each intentional or reckless violation, along with reasonable attorneys’ fees and costs.

While New York’s BPA is only proposed, if the language of the bill remains unchanged, New York companies can expect a similarly heavy flow of litigation. Companies operating in New York that utilize data that at all resembles biometric data should consider immediate steps towards prospective compliance. Companies should be auditing their practices and begin to develop written procedures so that, in the event New York’s BPA passes as written, exposure is limited from the outset. The language of the bill provides that the BPA shall take effect ninety (90) days after becoming law. We will continue to monitor the progress of the proposed legislation as it moves through the Assembly and the Senate.

California Legislative Update: Prop 24

Apparently there’s some stuff going on with a couple of guys named Joe and Don that’s got everyone distracted for some reason. The cool kids know, however, that the most important thing to happen last night was the passage of Prop 24 in California which means the CCPA is old news and the CPRA is the new game in town.

You read that right. Having just (mostly) figured out what the implementing regulations should be for CCPA, a massive new privacy law that’s only been in effect since January, California voters said, “Eh, know what? Let’s do it all over again.”

We’ll let you get back to clicking around about this Joe and Don thing, but here’s a quick run-down of what the new CPRA adds to the CCPA:

  • specific third-party oversight responsibilities, similar to GDPR;
  • requirements for annual audits and regular risk assessments for certain businesses;
  • requirements when doing “profiling” that are in-line with the GDPR:
  • an entirely new enforcement authority the California Privacy Protection Agency;
  • an expanded private right of action to cover beaches of account access credentials;
  • increased penalties for mishandling of children’s data;
  • a consumer right to correct data; and
  • more specific data retention disclosures

We’ll have more in-depth analysis and thoughts on readiness programs to come in the near future.

California Legislative Update

Just a quick legislative update from everyone’s favorite US privacy jurisdiction, California. Governor Newsom:

Signed AB 1281 – That Act extends the B2B and HR data exemptions under CCPA for another year. This is very good news.

Vetoed AB 1138 – That Act would have given CA a state analog to COPPA and required, among other things, parental consent prior to kids under 13 using social media. In his veto message found here, Newsom said he based his decision on the same reasons many of us lawyers and privacy professionals had been criticizing AB 1138, which is that COPPA already robustly occupies the field and the FTC has an excellent track record of enforcement. A state law analog would have added nothing more than regulatory burden and cost amidst the already challenging pandemic economy.

Proposed Bill to Establish Security Standards for IoT Devices Used by Government Officials Passes House

 

For many, being able to securely connect, access, and move data across multiple devices is an integral aspect of everyday life. Some of our nation’s lawmakers are wanting to ensure that the internet connected devices that they use have the same established cybersecurity standards that the public has come to expect in the private sector. Lawmakers got one step closer to making that a reality this week.

The U.S. House of Representatives passed the Internet of Things (IoT) Cybersecurity Improvement Act, known as House Bill 1668, earlier this week, which seeks to establish security standards for the federal purchases of internet-connected devices and the private sector groups providing such devices.

Currently, there is no national standard to ensure the security of internet-connected devices purchased by the federal government. Under the proposed law, these internet-connected devices, which would include computers, mobile devices and other devices that have the ability to connect to the internet, would now have to comply with minimum security recommendations issued by the National Institute of Standards and Technology (NIST). The bill does not lay out what those standards should be; rather, it tasks the Office of Management and Budget to oversee that adopted IoT cybersecurity standards are in line with minimum information security requirements.

Devices covered under the bill

The bill would not only cover computers and smart phones used by federal government officials. The legislation defines a covered device to include a physical object that is capable of being in regular connection with the Internet or a network that is connected to the Internet, and has computer processing capabilities of collecting, sending or receiving data. It would not include personal cell phones or personal computers. It also exempts devices that are necessary for “national security” or “research purposes”.

Obligations on the private sector under bill

The bill would require contractors and their subcontractors that provide covered devices to the federal government to notify government agencies of any security vulnerabilities. While security standards are being considered, private sector providers, contractors and subcontractors can look to Standards 29147 and 30111 in the International Standards Organization for guidance since bill drafters explicitly cited to them in the Act. There’s a process for companies to challenge whether their devices are covered under the bill as well.

Cyberthreat on IoT

The Mirai botnet attack in 2016 served as the drive for the Bill’s sponsors. Recall that the Mirai botnet attack left millions in the East Coast, among other locations, without access to many popular websites for a few hours in late October of 2016. The attack blocked unsecured internet connected devices from accessing popular websites such as Twitter, Netflix and the New York Times in order to carry out a cyber attack.

While Mirai primarily impacted internet connected computers, for many, including the IoT Cybersecurity Improvement Act sponsors, the Mirai attack showed just how debilitating a cyber attack can have on a heavily connected internet life, and the havoc attackers can create on unsecured internet connectable devices and the lives that depend on their functionality. Internet connected devices, or IoT devices, are devices which can be controlled or accessed using the internet, including everything from webcams to baby monitors to gaming consoles. It includes any exercise tracker or a programmable lock to your home. According to some estimates, there will be close to 75 billion IoT connected devices by 2025. The IoT Cybersecurity Improvement Act would work toward ensuring the government’s IoT connected devices containing the nation’s top data information are secure.

Up next for the bill

The IoT Cybersecurity Improvement Act heads next to the Senate floor, after passing unanimously by the House.

Up next for you

Gordon & Rees will keep an eye on cutting-edge developments in this space. We can expect similar regulations in the private sector with various guiding authorities, such as NIST, providing similar recommendations.

SCHREMS II – IT’S DÉJÀ VU ALL OVER AGAIN

The more things change, the more they stay the same. On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its decision in the so called “Schrems II” case. If you need some background on the case, you can find our original blog post on the case here.  

The two main takeaways of the Schrems II decision are:

  1. 1. The CJEU invalidated the EU-US Privacy Shield framework.
  1. 2. The CJEU reaffirmed the validity of standard contractual clauses (“SCCs”).

While the validity of SCCs were upheld, and remain a viable transfer mechanism, the CJEU holding requires businesses utilizing SCCs to analyze whether the destination country provides an adequate level of data protection.  Where the country doesn’t, the business must provide additional safeguards or suspend the transfer. Similarly, EU data protection authorities must suspend or prohibit a transfer of personal data to a third country if the data protection authority has determined that SCCs cannot be complied with in the third country and data protection cannot be ensured. 

Recall that the Privacy Shield worked together in a closely integrated manner with the GDPR. It was not a separate law or a substitute for GDPR compliance. More specifically, and to use a bit of regulatory jargon (we’ll leave unexplained for now in the interest of brevity), the Privacy Shield had served as what is known as a “partial adequacy decision” falling under GDPR Article 45. In short then, what the CJEU has done in the Schrems II case is take the Privacy Shield, a proven, centralized system for regulatory oversight and enforcement on both sides of EEA-US data transfer equation, and replace it with a system of self-policing by transferors and ad hoc decision making by local EEA authorities.  

That’s all likely to work out about as well as it did in 2015 when the EU-US Safe Harbor was invalidated in the Schrems I case. Back then, data transfers continued (and even increased), through a two year period of ambiguity, confusion and almost complete non-enforcement until the Privacy Shield went into effect to fill the void left by the CJEU’s invalidation of the Safe Harbor.  

So what does all this mean for US businesses who had relied on the Privacy Shield?  Not much over at least the next week or two, and likely longer.  Contracting counter-parties in the EEA, rather than regulators, will be the most likely source of pressure to adopt the SCCs.  The U.S. Department of Commerce, for instance, issued a statement in response to the Schrems II decision informing US businesses that it intends to continue to operate for the time being as if the Privacy Shield remains in effect and, as such, the CJEU decision does not relieve participating businesses of their Privacy Shield obligations. 

If US and EU negotiators can’t work together to fix this soon, companies will need to start looking at alternative to the Privacy Shield such as SCCs, binding corporate rules or the derogations under GDPR Article 49.  Regardless of what happens as a result of Schrems II, US businesses that remember and practice our recurring mantra about applying the Pareto Principle to their data security and privacy compliance obligations will get through this fine. So if you haven’t already:

  • adopt a risk-based technical and administrative data protection program,
  • take the time to actually implement that program (“saying” it is one thing, “doing it” is another)
  • tell your employees and customers what you’re doing with the data you collect about them and why,
  • give your employees and customers some degree of access to, and autonomy over, that data,
  • keep a close eye on third parties (including vendors) with whom you share that data, and
  • respond swiftly to, and be honest with those affected by, unauthorized use if it occurs.

Learn more and contact the Gordon & Rees Privacy, Data & Cybersecurity practice group here.