Privacy Law Update: August 9, 2021
As sanctions for non-compliance with data protection regulations come into force, Brazil’s National Data Protection Authority (ANPD) has pledged to adopt a responsive approach towards organizations failing to comply with the new rules. From August 1, Brazilian organizations processing sensitive data are subject to fines and other administrative sanctions in cases of violation of the General Data Protection Law (LGPD) rules. Brazil’s data protection regulations were introduced in September 2020. At the time, it was determined that organizations would have until August 2021 to adapt to the new rules, despite attempts to push the sanctions to 2022. The board members of the body responsible for enforcing the regulations, the National Data Protection Authority (ANPD), were appointed in October 2020.
On July 16, 2021, the Luxembourg personal data protection authority finally ruled on our collective complaint filed by 10,000 people against Amazon in May 2018. This decision comes after three years of silence that made us fear the worst (re-read our fears which, in the case of Amazon, are therefore now obsolete). The decision, revealed by Bloomberg (but which had not yet been communicated to us), seems unambiguous: the advertising targeting system imposed by Amazon is carried out without our free consent, in violation of the GDPR. The company is fined 746 million euros. This is the new European record for fines pronounced against a violation of the GDPR (the previous record was the fine of 50 million issued against Google by the CNIL, still in the context of our collective complaints – reread our reaction).
With the third anniversary of GDPR and the California Consumer Privacy Act (CCPA) having recently arrived, it’s a good time to consider the progress made around data protection and how technology modernization is allowing organizations to reassert control over the integrity and safety of this critical asset. Arguably, GDPR is the highest-profile emerging data protection rule around the world. In recent years, GDPR has led the global regulatory movement that has seen governments give their laws greater relevance and sharper teeth. Its impact has certainly been significant and, for a growing number of organizations, extremely costly.
In recent years, we’ve seen an increase in the public debate and consumer awareness around data privacy. Following the appearance of strict privacy regulations (with the pioneer being the GDPR), daily headlines on data breaches and mainstream attention like Netflix’s movie The Social Dilemma, privacy has become a mainstream concern. As a result, data privacy has become a fundamental right, with 87% of Americans viewing it as a human right. For many years, protecting consumers’ privacy was about putting fences around online experiences and consumers’ data to keep them “safe.” In today’s reality, this old notion of privacy has died, as consumers are getting too much value online to be limiting themselves for the sake of their “privacy.” This is why the time has come to rethink privacy and instead focus on data ownership.
- Virginia VCDPA: The Virginia Consumer Data Protection Work Group, which is a subcommittee of the Joint Technology and Science Commission, is set to meet August 17 to continue reviewing the Virginia Consumer Data Protection Act (VCDPA). They are charged with coming up with recommendations to align this privacy law with other state laws. The group must file their report by November 1, 2021, as the VCDPA goes into effect on January 1, 2023.
- The Attorney General’s Office proposed a number of recommended law changes for the working group to consider during the last meeting, including creation of and funding for two attorneys and two new staff enforcement positions. While that office already uses funds from civil penalties incurred under the existing privacy law, the attorney general additionally wants authority to pursue actual damages from violators on behalf of consumers. Currently, the law only allows imposing civil penalties and does not create a private right of action. In contrast, CPRA only allows the California Privacy Protection Agency to seek statutory damages from violators. Two more meetings are set for September 13 and October 13.