New US-EU Data Transfer Announcement: Time to celebrate?

On 25th March 2022, the European Commission and the United States announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework. The final agreement will replace the Privacy Shield Framework as a mechanism for lawfully transferring personal data from the EEA to the US in compliance with Article 44 of the GDPR. As far as UK/US data transfers and compliance with the UK GDPR are concerned, it is expected that the UK Government will strike a similar deal once the EU/US one is finalised.

The need for a “Privacy Shield 2.0” arose two years ago, following the judgment of the European Court of Justice (ECJ) in “Schrems II”, which stated that organisations that transfer personal data to the US can no longer rely on the Privacy Shield Framework as a legal transfer tool. They must consider using the Article 49 derogations or standard contractual clauses (SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporters to make a complex assessment of the recipient country’s data protection legislation (a Transfer Impact Assessment or TIA), and to put in place “additional measures” to those included in the SCCs. The problem with the US is that it has stringent surveillance laws which give law enforcement agencies access to personal data without adequate safeguards (according to the ECJ in Schrems).

Despite the Schrems II judgment, many organisations have continued to transfer personal data to the US, hoping that regulators will wait for a new deal before enforcing Article 44. Whilst the UK Information Commissioner’s Office (ICO) seems to still have a “wait and see” approach, others have started to enforce. In February 2022, the French Data Protection Regulator, CNIL, ruled that use of Google Analytics was a breach of GDPR due to the data being transferred to the US without appropriate safeguards. This followed a similar decision by the Austrian Data Protection Authority in January.

Personal data transfers are also a live issue for most UK Data Controllers, including public authorities. Whether using an online meeting app, a cloud storage solution or a simple text messaging service, which of these does not involve a transfer of personal data to the US? At present, use of such services usually involves a complicated TRA and execution of standard contractual clauses. In the UK, a new international data transfer agreement (IDTA) came into force on 21st March 2022, but it still requires a TRA as well as supplementary measures where privacy risks are identified.

Has the Trans-Atlantic Data Privacy Framework saved DPOs hours of work? Before you break open the bubbly, it is important to understand that this is just an agreement in principle. The parties will now need to draft legal documents to reflect the agreed principles. This will take at least a few months, and the documents will then have to be reviewed by the European Data Protection Board (EDPB), adding more time. And of course there is the strong possibility of a legal challenge, especially if the ECJ’s concerns about US surveillance laws are not addressed. Max Schrems said in a statement:

“We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.”

“The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.

“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”

What should organisations do in the meantime? Our view is, if you have any choice in the matter, stick to personal data transfers to adequate countries, i.e. those which have been deemed adequate by the UK/EU under Article 45. This will save a lot of time and head scratching conducting TRAs and executing SCCs. Where a US/non-adequate country transfer is unavoidable, a suitable transfer mechanism has to be used as per Article 45. Of course, for genuine one-off transfers the Article 49 derogations are worth considering.

Only 2 places left on our Advanced Certificate in GDPR Practice course starting in April. We have also just announced three new GDPR workshops for experienced practitioners.

The CCPA Becomes Enforceable on 1st July 2020 (and there is more to come!)


The California Consumer Privacy Act (CCPA) becomes fully enforceable on 1st July 2020. The Act regulates the processing of California consumers’ personal data, regardless of where a company is located. CCPA provides broader rights to consumers and stricter compliance requirements for businesses than any other state or federal privacy law.

Like the EU General Data Protection Regulation (GDPR), CCPA is about giving individuals control over how their personal data is used by organisations. It requires transparency about how such data is collected, used and shared. It gives Californian consumers various rights including the right to:

  • Know and access the personal data being collected about them
  • Know whether their personal data is being sold, and to whom
  • Opt out of having their personal data sold
  • Have their personal data deleted upon request
  • Avoid discrimination for exercising their rights

CCPA also requires that a security breach involving personal data must be notified to each individual it affects. It does not matter if the data is maintained in or outside of California.

CCPA is often called the US equivalent of the EU General Data Protection Regulation (GDPR). Both laws give individuals rights to access and delete their personal information. They require organisations to be transparent about information use and necessitate contracts between businesses and their service providers. In some respects, however, the CCPA does not go as far as GDPR. For example, it only applies to for profit entities, it does not require a legal basis for processing personal data (like Article 6 of GDPR), there are no restrictions on international transfers and no requirement to appoint a data protection officer.

Enforcement

Unlike GDPR, CCPA does not have a regulator like the Information Commissioner in the UK. It is primarily enforced by the California Attorney General (AG) through the courts, although there is a private right of action for a security breach. The courts can impose fines for breaches of CCPA depending on the nature of the breach:

  • $2,500 for an unintentional and $7,500 for an intentional breach
  • $100-$750 per incident per consumer, or actual damages, if higher – for damage caused by a security breach

A business shall only be in breach of the CCPA if it fails to cure any alleged breach within 30 days after being notified of the same.

The AG has now published the final proposed CCPA Regulations. These have to be read alongside the Act. The accompanying Final Statement of Reasons provides some interesting insights into the AG’s views and potential positions on certain issues.

While the CCPA fines and damages may appear relatively low, it is important to note that they are per breach. A privacy incident can affect thousands or tens of thousands of consumers, in which case it could cost a company hundreds of thousands or even millions of dollars.

Two big US companies, Hanna Andersson and Salesforce, are already facing a class action lawsuit alleging CCPA violations. Both suffered a data breach that compromised the names, addresses, and credit card information of over 10,000 California residents, which were then sold on the dark web. The lawsuit claims the companies failed to protect consumer data, provide adequate security measures, safeguard their systems from attackers, and delayed notification of the breach.

During the coronavirus pandemic there has been an increased use of video chat and conferencing apps to stay connected. Both Zoom and Houseparty have class actions claiming that they failed to obtain consent from customers for the disclosure of their personal information to third parties like Facebook.

CCPA 2.0

There is more to come! The California State Assembly held a hearing on 12th June 2020 on the California Privacy Rights Act (CPRA) ballot initiative. Californians for Consumer Privacy, an advocacy group and the proponent of the 2018 ballot initiative that led to the enactment of the CCPA, has gathered more than 900,000 signatures to place the CPRA on the ballot in November of 2020. This is now looking very likely after Friday’s California Superior Court ruling although a deal could be struck to amend the CCPA in exchange for withdrawing the ballot initiative.

The CPRA (or an amendment to the CCPA) will further expand privacy rights of California consumers as well as compliance obligations of businesses, their service providers and contractors. It will, among other things, permit consumers to (1) prevent businesses from sharing (in addition to selling) their personal data; (2) correct inaccurate personal data about them; and (3) limit businesses’ use of “sensitive personal information,” known as Special Category Data under GDPR. This includes information about their race, ethnicity, religion, union membership and biometric data. The proposed law will prohibit businesses from collecting and using personal information for purposes incompatible with the disclosed purposes, and from retaining personal information longer than reasonably necessary. Readers with knowledge of GDPR will agree that this new law is even more like GDPR than the CCPA.

The CPRA will also establish a new California Privacy Protection Agency, which will be tasked with enforcing and implementing consumer privacy laws and imposing administrative fines. If enacted, the CPRA will become operative on 1st January 2023, although its obligations would only apply to personal data collected after 1st January 2022.

A Federal Privacy Law?

CCPA represents the first real, comprehensive privacy legislation in the U.S. It will, no doubt, form the foundation for other state privacy regulations in the future, and quite possibly a U.S. federal privacy regulation. Nevada residents also now have more control over how their personal information is used. Senate Bill 220 went into law recently, giving consumers more ability to keep websites from selling their information to third-party firms. Proactive businesses are already treating CCPA as a de facto US privacy law. Recently Microsoft announced that it will apply the main CCPA rights to all its customers in the U.S.

CCPA’s impact will not just be felt by California-based businesses. Any business which processes personal data about Californian consumers needs to re-evaluate its privacy practices. With 40 million Californian residents, making up 12 percent of the US population, it is likely that most big businesses, wherever they are based, will have to comply with the CCPA. With substantial fines and penalties for breaches and a 6 month ‘look back’ period, now is the time to implement CCPA compliance measures.

Act Now has launched a US privacy programme covering everything US and international businesses need to know about CCPA and GDPR.


Viva Las Vegas


Act Now is pleased to announce that Ibrahim Hasan has accepted an invitation to address the 21st Annual NAPCP Commercial Card and Payment Conference in Las Vegas, April 6-9, 2020.


The NAPCP is a membership-based professional association committed to advancing Commercial Card and Payment professionals and industry practices globally, with timely research and resources, peer networking and events serving a community of almost 20,000 individuals worldwide. The NAPCP is a respected voice in the industry and an impartial resource for members at all experience levels in the public and private sectors.

In a session entitled “Complying with the GDPR and United States Privacy Legislation” Ibrahim will examine the impact of GDPR and the California Consumer Privacy Act (CCPA) on the Payment Card industry. He will also be presenting webinars pre and post conference on these subjects to the NAPCP community.

The NAPCP Annual Conference is the can’t-miss event for the industry, bringing together 600 professionals from around the world to share perspectives on all Commercial Card and Payment vehicles, including Purchasing Card, Travel Card, Fleet Card, Ghost Card, Declining Balance Card, ePayables and other electronic payment options. Experts and practitioners share case studies, successes and thought-provoking ideas in almost 80 breakout sessions, all with an eye for trends and innovation across sectors.

Diane McGuire, CPCP, MBA, Managing Director of the NAPCP, said:

“I am really pleased that Ibrahim has accepted our invitation to join us in Las Vegas. As legislators and governments globally are starting to wake up to the implications of the digital revolution on individuals’ rights, our conference delegates will benefit from his GDPR and privacy expertise in what is sure to be a thought-provoking session.”

This is one of a number of international projects that Act Now has worked on in recent years. In June 2018 we delivered a GDPR workshop in Dubai for Middle East businesses and their advisers. In 2015 Ibrahim went to Brunei to conduct data protection audit training for government staff.

Ibrahim Hasan said:

“I am really pleased to address the NAPCP conference in Las Vegas. Our GDPR expertise is now being recognised abroad. The United States is the latest addition to our increasing international portfolio. We hope to use the conference as a platform to showcase our expertise to the US Data Controllers.”

Regular registration is now open for the event. Head over to this link to confirm registration.


Act Now’s forthcoming live and interactive CCPA webinar will cover the main obligations and rights in CCPA and practical steps to compliance. This webinar is ideal for data protection officers and advisers in UK and US businesses.
