Privacy & Information Security Law Blog

On August 24, 2020, the Data Protection Authority (“DPA”) of the German federal state of Baden-Württemberg issued guidance on international data transfers following the judgment of the Court of Justice of the European Union (“CJEU”) in the Schrems II case (decision C-311/18 of July 16, 2020). As we previously reported, the judgment of the CJEU invalidated the EU-U.S. Privacy Shield framework and confirmed the ongoing validity of the controller-to-processor EU Standard Contractual Clauses (“SCCs”), subject to an adequacy assessment and, if necessary, additional safeguards to protect the personal data transferred pursuant to the SCCs. The guidance is notable because it is the first substantive guidance from a DPA following the Schrems II judgment (although the guidance is only applicable to companies established in the federal state of Baden-Württemberg).

UPDATE: On September 25, 2020, California Governor Gavin Newsom vetoed SB-980.

On August 31, 2020, the California Senate joined the Assembly in passing SB-980, as amended, a bill to establish the Genetic Information Privacy Act (the “Act”), which would require direct-to-consumer genetic testing companies to comply with certain privacy and data security provisions, including providing consumers with prescribed notice; obtaining consumers’ express consent regarding the collection, use and disclosure of genetic data; and enabling consumers to access and delete their genetic data. The bill is pending California Governor Gavin Newsom’s signature.

On August 30, 2020, the California legislature passed AB-1281. As background, the California Consumer Privacy Act of 2018 (“CCPA”) currently exempts from most of its requirements certain information collected in the HR context and certain information collected about B2B personnel. Each exemption is scheduled to sunset on January 1, 2021. As we previously reported, the California Privacy Rights Act (“CPRA”) ballot initiative, if passed during the state’s November 3, 2020 general election, would extend the CCPA’s HR and B2B exemptions to January 1, 2023 ...

On August 27, 2020, the Brazilian Presidency published Decree 10.474/2020 (the “Decree”) in the Official Journal, approving the regulatory structure of the new Brazilian data protection authority (the “ANPD”) and establishing its roles. The Decree will apply after the President-Director of the ANPD is officially appointed through publication in the Official Journal.

On August 26, 2020, as reported by Brazilian firm Mattos Filho, Veiga Filho, Marrey Jr. e Quiroga Advogados, the Brazilian Senate unexpectedly rejected the President’s Provisional Measure that was previously passed by the House of Representatives and aimed to postpone the applicability of the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, or “LGPD”). The LGPD now will come into effect when the President signs the bill within 15 days of receiving the bill from Congress. The LGPD’s sanctions provisions, however, will continue to apply from August 1, 2021. The President also has issued a decree creating the new Brazilian data protection authority.

On August 27, 2020, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, the “Dutch DPA”) announced it approved the “Data Pro Code,” a code of conduct drafted by industry association NLdigital (the “Code”). This Code is the first code of conduct approved by the Dutch DPA under the EU General Data Protection Regulation (the “GDPR”). Adhering to the Code will help organizations active in the Information and Communications Technology sector comply with their obligations under the GDPR. The Code includes, among other things, a series of practical GDPR compliance tools, such as the “Data Pro Statement” that companies may use to inform potential customers of the data protection safeguards they have in place.

On August 25, 2020, Hunton’s Centre for Information Policy Leadership (“CIPL”) released a new paper entitled “Data Protection in the New Decade: Lessons from COVID-19 for a US Privacy Framework.” The paper examines how the COVID-19 pandemic has emphasized the need for a U.S. federal privacy law.

Apple’s iOS 14, which was announced by Apple in June 2020 and is scheduled for official release later this year, will require that all apps receive affirmative (i.e., opt-in) user consent to (1) access an iPhone’s unique advertising identifier (Identifier for Advertisers, or “IDFA”) or (2) to "track" users.

On August 20, 2020, Secretary-General of the Presidency of the Republic, Jorge Antônio de Oliveira Francisco, announced that the administrative decree to create the new Brazilian data protection authority (the Autoridade Nacional de Proteção de Dados, or “ANPD”) is ready and may be published at any time, after final technical adjustments are made. The Secretary-General made this statement during his remarks at the webinar “The ANPD: from the letter of law to the practice,” jointly organized by the Centre for Information Policy Leadership (“CIPL”) and the Centro de Estudos de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público (“CEDIS-IDP”) and hosted by the news channel JOTA.

On August 18, 2020, the U.S. National Institute of Standards and Technology (“NIST”) published a draft report, Four Principles of Explainable Artificial Intelligence (Draft NISTIR 8312 or the “Draft Report”), which sets forth four proposed principles regarding the “explainability” of decisions made by Artificial Intelligence (“AI”) systems.