Privacy Law Update: July 6, 2021
The European Data Protection Board (EDPB) Finalises Guidance on International Transfers of Personal Data Following Europe’s Top Court’s Schrems II Decision
The guidance outlines how organisations should approach international transfers and confirms examples of supplemental measures that can be adopted to ensure ongoing compliance and seeking to de-mystify earlier uncertainty.
The California Privacy Protection Agency is the new agency established by the California Privacy Rights Act to implement and enforce the law. On June 14, the five-member CPPA Board held its first public meeting over Zoom. The 15 agenda items focused primarily on informational and logistical tasks as the board considered what is needed to create the agency. Not surprisingly, the July 1, 2022, deadline for adopting final CPRA regulations overshadowed much of the discussion.
The European Commission announced it officially adopted a pair of adequacy decisions for the U.K., one for the EU General Data Protection Regulation and another for the Law Enforcement Directive. The announcement comes just days before the “bridging mechanism” for data transfers between the EU and U.K. was set to expire.
U.S. President Joe Biden and European Commission President Ursula von der Leyen have put pen to paper on the establishment of a new EU-U.S. Trade and Technology Council, pledging to foster greater synergies in areas including artificial intelligence, green tech, and security. But on the key issue of establishing a new trans-Atlantic data transfer accord, talks this week did not break the deadlock.
Ahead of the EU-U.S. summit in Brussels Tuesday, rumors had surfaced suggesting the U.S. administration would pitch a deal designed the bridge the impasse on the thorny issue of trans-Atlantic data flows. The two parties have been mired in tough negotiations ever since the Court of Justice of the European Union annulled the EU-U.S. Privacy Shield agreement last year.
Earlier this month, U.S. Senator Kirsten Gillibrand submitted a bill called the Data Protection Act of 2021 that would seek to protect citizen’s data, safeguard their privacy, and ensure data practices are fair and transparent. Among the bill’s various provision is the creation of a new federal off
Pending Privacy Legislation
- Colorado: SB 190, which passed the legislature on June 7, has yet to be signed by the governor, who has until July 8 to take action or the becomes law automatically. A broad group of industry, including the IC, are already working lawmakers to get a fix to this before it goes into effect on July 1, 2023. The bill would create a set of data privacy rights, applies to legal entities that conduct business or produce products or services that are intentionally targeted to state residents and that either control or process data of more than 100,000 consumers per calendar year or derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. Consumers would have the right to opt out of the processing of their personal data, access, correct, or delete the data, or obtain a portable copy of the data. The provisions are only enforceable by the attorney general or district attorneys.
- Connecticut – Failed: On June 18 during Connecticut’s special legislative session, the assembly passed Senate Bill 1202, a bill for implementing the state budget, after the Connecticut House passed an amendment to oust provisions from a comprehensive privacy bill, SB 893, which Connecticut lawmakers were considering during the regular legislative session that ended June 9. The Connecticut Senate previously passed the version of SB 1202 that included the privacy bill on a 23-7 vote before the House stripped its provisions.
- IAPP Privacy Law Tracker