Privacy Law Update: June 7, 2021
The European Commission published the long-awaited final standard contractual clauses for transfers of personal information from the EU to third countries (SCCs) on Friday, June 4, 2021. This final version follows the draft version that the Commission issued in December 2020. Companies that currently rely on the old versions of the SCCs are granted a period of 18 months (as of June 7, 2020) to implement the new SCCs.
The latest high-profile attack, on network monitoring firm SolarWinds, is estimated to have impacted “nine government agencies and about 100 private companies,” according to the Associated Press. While details of this breach are largely unknown, the blame shouldn’t be solely placed on SolarWinds for a lack of proper security measures or quick software patching. Rather, we need to collectively examine the larger pattern at play here, and why history keeps repeating itself.
The data privacy management software market saw soaring growth in 2020 with worldwide revenues up 46.1% year over year. International Data Corporation (IDC) expects this growth to continue over the next several years, driven by the further expansion of data privacy regulatory regimes worldwide. A new forecast from IDC estimates that data privacy management software revenues will nearly double between 2020 and 2025, reaching nearly $2.3 billion in 2025 with a five-year compound annual growth rate (CAGR) of 14.3%.
Pending Privacy Legislation
- Colorado SB 190 passed the House Finance Committee on June 2 with amendments and was referred to the House Appropriations Committee on the same day. Industry continues to oppose the bill and is working on prioritizing proposed amendments to pitch before the bill sponsors, House leadership and the attorney general’s office. SB 190, which still must pass the House, would require opt-in consent before processing sensitive data, set broad attorney general rulemaking authority and include problematic processor obligations that go beyond what was proposed in the Washington privacy model.
- California AB 13 passed the Assembly on June 1. The bill would require state contract awards for goods or services that include the use, licensing, or development of an automated decision system for a high-risk application to be based on the proposal that provides the most value-effective solution to the state’s requirements, as determined by the evaluation criteria contained in the solicitation document, and to be determined based on comprehensive assessment of objective criteria not limited to cost alone. AB 13 would require the Department of Technology, on or before January 1, 2023, to establish and make public guidelines for identifying automated decision systems that are subject to the bill’s requirements.
- Connecticut SB 893, which passed the Legislative Commissioner’s Office on May 18, is still pending on the Senate floor. The bill would only apply to entities in the state that annually control or process personal data of 100,000 or more consumers, or control or process data of 25,000 or more consumers and derive 50 percent of their gross revenue from the sale of personal data. The bill would grant consumers a variety of privacy rights, including the right to access, right to correct, right to delete, right to opt out and right to non-discrimination. The bill contains an exemption for financial institutions and data subject to the GLBA, business and activities covered by the FCRA and employee information. The bill would also provide guidelines on the usage and handling of personal consumer information.
- New York SB 6701 is likely stalled on the Senate floor. This consumer privacy rights bill would require companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing and to allow consumers to obtain the names of all entities with whom their information is shared. The bill is not supported by the attorney general, nor is it likely to have an Assembly companion bill. In an attempt to keep the bill from moving off the Senate floor, industry plans to submit an industry opposition letter.