Privacy Law Update: June 21, 2022
The United Kingdom’s post-Brexit reform of its data protection laws took another step forward Friday with the government’s final response to its data consultation. Initially launched September 2021 under “Data: a new direction,” and opened to public comment for ten weeks, the final response features several incremental reforms, such as altering some accountability provisions including the removal of a data protection officer requirement, adding an opt-out model for a wide swath of online tracking, and updates to the U.K. Information Commissioner’s Office.
EDPB Adopts Guidelines On Certification As A Tool For Transfers And An Art. 65 Dispute Resolution Binding Decision Regarding Accor
The EDPB adopted guidelines on certification as a tool for transfers. Art. 46(2)(f) GDPR introduces approved certification mechanisms as a new tool to transfer personal data to third countries in the absence of an adequacy agreement. The main purpose of these guidelines is to provide further clarification on the practical use of this transfer tool.
EDPB Deputy Chair Ventsislav Karadjov said: “These guidelines are ground-breaking, as they provide the very first practical guidance on certification as a tool for transfers – a new transfer tool introduced by the GDPR. The guidelines provide guidance on how this tool can be used in practice and how it can help maintain a high level of data protection when transferring personal data from the European Economic Area to third countries.”
Canada took a step toward updating its privacy regime June 16, as Minister of Innovation, Science and Industry François-Philippe Champagne and Minister of Justice and Attorney General of Canada David Lametti introduced Bill C-27. The Digital Charter Implementation Act, 2022 features three pieces of legislation: the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act.
The three-pronged legislation aims to strengthen Canada’s data privacy framework, primarily the Personal Information Protection and Electronic Documents Act, and create new regulations for the responsible development of AI, while continuing to implement Canada’s Digital Charter. The proposal would also introduce changes to how privacy is enforced in the nation.
The Interactive Advertising Bureau (IAB)’s Lartease Tiffith, Executive Vice President for Public Policy, released the following statement today in response to draft legislation in Congress creating a national data privacy framework, the American Data Privacy and Protection Act:
“We’re glad that Congress has finally produced a discussion draft for national privacy legislation that is bipartisan and bicameral, after years of hard work in the House and Senate to find a compromise. IAB and our members across the digital advertising industry support many of its provisions, and we’re eager to help improve the bill, not only to protect Americans’ consumer privacy, but also to create jobs and help strengthen the economy. We’re concerned about the impact on small businesses and internet users, who enjoy many free products and services thanks to data-driven digital advertising. Data is crucial to almost every business in today’s global economy. Rather than repeat mistakes that have harmed innovation and growth overseas, national privacy legislation here in the U.S. must maintain our country’s technological leadership and competitive advantage. IAB is working hard with our partners to produce the best result.”
California: We continue to await the launch of formal rulemaking on the proposed CPRA regulations which will likely trigger a 45-day public comment period. We encourage anyone interested in timely updates on the CPRA rulemaking process to sign up for the Agency’s email list here.
Separately, AB 2273 the ‘Age Appropriate Design Code Act’ and AB 2408 the ‘Social Media Platform Duty to Children Act’ are on the agenda for a June 28 Senate Judiciary Committee hearing.
District of Columbia: B 24-0588 the ‘Stop Discrimination by Algorithms Act’ has been scheduled for a public hearing on September 22, 2022. This legislation was originally introduced in December 2021 at the request of Attorney General Karl Racine. The bill seeks to: (1) prohibit organizations from using discriminatory algorithms to make decisions about key areas of life opportunity, (2) require algorithmic audits for discriminatory patterns, and (3) require companies to publish easy-to-understand disclosures about their algorithms and permit individual correction if an adverse action is based on an algorithmic eligibility determination.