The UK government has recently published proposals to amend UK data protection legislation with moves towards divergence from EU rules and regulation following the UK’s decision to leave the EU (“Brexit”). The Data Protection and Digital Information Bill (“DPDI Bill”) proposes to make significant changes to existing UK data protection legislation, including the UK General Data protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”). The proposals include some measures that will result in a significant divergence, particularly for companies operating on a pan-European basis. While some compliance obligations will be relaxed, most of the changes can best be described as “similar but different” in approach. It remains to be seen what the final text will look like when the bill is passed into law, with some of the more radical proposals already having been dropped from consideration. A crucial point of consideration for UK legislators when the DPDI Bill is making its way through the various stages of the legislative process in the Houses of Parliament will be whether this legislation remains sufficiently similar to the EU’s General Data Protection Regulation (“EU GDPR”) that the UK is able to retain its adequacy status for the purposes of exports of personal data from the EU to the UK by companies operating internationally.
With Colorado Governor Jared Polis expected to sign the Colorado Privacy Act, SB-190 into law in the coming days, Colorado will join California and Virginia as the third state with a comprehensive data privacy law.1 The Colorado Privacy Act (“CPA”)—which passed with bipartisan support in both the Colorado House and Senate—is similar, but not identical, to the California and Virginia data privacy laws. Although its provisions will not take effect until July 1, 2023, the passage of the CPA grows the patchwork of state privacy regimes and may spur further calls for a uniform federal standard, as compliance for businesses becomes increasingly complicated.
The European Commission recently adopted a new set of Standard Contractual Clauses (SCCs) for organizations to use in compliance with the EU General Data Protection Regulation requirements for transfers of personal data from the European Economic Area. The previous SCCs were outdated and did not cover many common data processing scenarios. Organizations will have an 18-month transition period to adopt the new SCCs, but many parties will need this time to re-examine their dataflows and review their internal compliance procedures to meet the exacting new standards.
California’s Attorney General recently released revised draft regulations for the California Consumer Privacy Act (CCPA). Comments to the revisions are currently accepted through February 25, 2020.
Read the update to see the changes, with key additions and deletions highlighted.
The Federal Trade Commission’s Opinion finding that Cambridge Analytica engaged in deceptive practices to harvest personal information closes another chapter in the Commission’s actions against Cambridge Analytica and its former chief executive and app developer. The opinion is noteworthy for two reasons. First, the procedural posture of this matter is unique because Cambridge Analytica failed to appear or to answer the complaint. This allowed the Commission under its Rules of Practice to find the facts to be as alleged in the complaint and to enter a final decision. Second, the Commission’s opinion holds that a false express privacy claim is material and thus violates Section 5 of the FTC Act.
Businesses in Texas that own or license computerized data will expect a shortened data breach notification deadline for any breach of sensitive personal information after January 1, 2020. Meanwhile, reporting to state attorney general (“AG”) will become mandatory if more than 250 Texans are involved in a single data breach.