Privacy Law Update: May 25, 2021
At the I/O developer conference on Tuesday, Google announced a range of new privacy measures, including a new partition within Android to manage machine learning data more securely. “With Android’s private compute core, we’re able to introduce new features,” said Google executive Suzanne Frey in an onstage presentation, “while still keeping your data safe, private, and local to your phone.” Android’s new Private Compute Core will be a privileged space within the operating system, similar to the partitions used for passwords or sensitive biometric data. But instead of holding credentials, the computing core will hold data for use in machine learning, like the data used for the Smart Reply text message feature or the Now Playing feature for identifying songs. Like the rest of the Android standard, the new system will be open-source and subject to security auditing by third parties.
The “Schrems II” hibernation is finally over. This was the key learning from our recent virtual DACH regional KnowledgeNet. If there ever was any hibernation mode over the last winter dominated by COVID-19, it will end abruptly next week or the week after. According to EU Commission Deputy Head of Unit for International Data Flows Ralf Sauer, this is when the EU Commission will publish its long-awaited new set of standard data protection clauses. Additionally from Sauer, the EU Commission has carefully weighed all feedback it received on the draft SCCs during the public consultation phase. As a result, we will likely see some significant changes in the soon-to-be published SCCs compared to the draft version — one of them being an extended period allowing companies more time to transition from the old to the new set of clauses. There will also be a rather short period during which contracts based on the existing SCCs can still be concluded.
Pending Privacy Legislation
Sen. Amy Klobuchar is back with a bill to protect consumer data privacy when collected by large tech platforms like Facebook and Google. Klobuchar (D-MN) has teamed up with a bipartisan group of senators, including Sens. John Kennedy (R-LA), Joe Manchin (D-WV), and Richard Burr (R-NC), to reintroduce the Social Media Privacy Protection and Consumer Rights Act. The privacy legislation would force websites to grant users greater control over their data and allow them to opt out of data tracking and collection.
On May 18, 2021, the New York Privacy Act (“NYPA”) passed out of the New York Senate Consumer Protection Committee. Senator Kevin Thomas previously introduced a version of this bill in the 2019-2020 legislative session, but this is the first time that the bill—or any comprehensive privacy bill in New York—has made it out of committee. In addition to needing the approval of the majority of the full senate, the bill must progress in the New York Assembly before it is enacted. If the NYPA is enacted, it would be the third comprehensive state privacy law in the United States following the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA”) and the Virginia Consumer Data Protection Act (“VCDPA”), the latter of which was signed into law earlier this year and goes into effect in January 2023. While the New York Privacy Act shares similarities with its counterparts in California and Virginia, such as prohibiting discrimination against consumers that exercise their rights under the laws, the NYPA is substantially broader. If the NYPA is signed into law, many companies doing business in New York will need to assess their compliance and may need to modify their compliance efforts and collection and use of consumer personal information.