Privacy Law Update: November 22, 2021
One of the major topics at the IAPP Data Protection Congress 2021 in Brussels, Belgium, involves questions around transfers of personal data from the European Union. Though many questions remain beyond this event, some clarifications are on the way. European Commission Head of International Data Flows and Protection Bruno Gencarelli offered a start during a conversation with Goodwin Partner Lore Leitner.
After years of preparing for and implementing the EU General Data Protection Regulation, policymakers in the region are far from finished with the broader regulation of the digital realm. Earlier this year, the European Commission announced its ambitious digital strategy and, over the course of 2021, it released a host of draft legislation to undergird what it calls the coming “digital decade.” The intent of the strategy is to cultivate a healthy digital marketplace in the EU for personal and non-personal data alike.
No. Modern state privacy statutes in the United States (set to go into effect in 2023) and European privacy regulations adopt a similar definition of “profiling,” which occurs when three elements are met:
- An activity must involve “an automated form of processing
- An activity must be “carried out on personal data;
- The objective of the activity must be “to evaluate personal aspects about a natural person.
U.S. Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., proposed the Online Privacy Act, a bill previously raised by the two lawmakers in 2019. The bill includes prior provisions for data subject rights and the creation of the Digital Privacy Agency to handle privacy rights violations enforcement. Additionally, the bill adds provisions for an Office of Civil Rights within the new enforcement agency while allowing state privacy regulators to share enforcement powers alongside the agency and state attorneys general.