Privacy Law Update: November 1, 2021
During a 22 Oct. meeting, the G-7 Trade Ministers agreed on digital trade principles, including the free flow of data across borders. “We should address unjustified obstacles to cross-border data flows, while continuing to address privacy, data protection, the protection of intellectual property rights, and security,” a press release said. “We recognize the importance of enhancing cooperation on data governance and data protection and identifying opportunities to overcome differences.” The Trade Ministers said they will work together to “explore commonalities in our regulatory approaches and promote interoperability.”
On October 13, 2021, the European Data Protection Board (“EDPB”) adopted Guidelines 10/2020 on restrictions under Article 23 of the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”) following public consultation. Article 23 of the GDPR permits EU Member States to impose restrictions on data subject rights as long as the restrictions respect the essence of the fundamental rights and freedoms of individuals, and are necessary and proportionate measures in a democratic society to safeguard, for example, national security, defense or public security. The data subject rights to which the restrictions may apply are those set out in Articles 12-22 (e.g., rights of access, erasure), Article 34 (communication of a data breach to individuals) and Article 5 (the data processing principles) to the extent that its provisions correspond to data subject rights.
Coincidence is best defined as events or circumstances that casually occur in correspondence with one another. But what looks like coincidence can sometimes turn out to be more coordinated action than anything else. This potential blurred line is something being raised following a flurry of activity involving the U.S. Federal Trade Commission’s privacy work. The FTC has been in the spotlight over recent months with news regarding a potential funding boost, a call to begin privacy rulemaking, personnel moves, and a number of activities pertaining to enforcement. Having all these developments crop up all at once could certainly stir arguments over coincidence versus coordination, but there’s no questioning these moves indicate the commission is in for an overhaul.
The Australian government released a Privacy Act review discussion paper, along with a draft Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021. The bill would impose higher penalties for privacy violations, create a new Online Privacy Code and require social media companies to obtain parental consent for users under 16. Under the proposal, the maximum $2.1 million penalty for privacy breaches will increase to up to $10 million, or three times the value obtained through misuse of information, or 10% of an entity’s annual Australian turnover. The code would be developed by industry to regulate social media services, data brokers and large online platforms, including requirements for transparency on how they handle personal information. The government is accepting submissions on the draft through Dec. 6.