Privacy & Information Security Law Blog

On April 23, 2022, the European Commission announced that the European Parliament and EU Member States had reached consensus on the Digital Services Act (“DSA”), which establishes accountability standards for online platforms regarding illegal and harmful content.

On April 5, 2022, North Carolina became the first state in the U.S. to prohibit state agencies and local government entities from paying a ransom following a ransomware attack.

North Carolina’s new law, which was passed as part of the state’s 2021-2022 budget appropriations, prohibits government entities from paying a ransom to an attacker who has encrypted their IT systems and subsequently offers to decrypt that data in exchange for payment. The law prohibits government entities from even communicating with the attacker, instead directing them to report the ransomware attack to the North Carolina Department of Information Technology in accordance with G.S. 143B‑1379.

On April 19, 2022, the California state legislature and an industry self-regulatory group each separately took steps to enhance online privacy protections for children who are not covered by the Children’s Online Privacy Protection Act (“COPPA”), which applies only to personal information collected online from children under the age of 13.

On April 11, 2022, Virginia Governor Glenn Youngkin signed into law three bills that amend the Virginia Consumer Data Protection Act (“VCDPA”) ahead of the VCDPA’s January 1, 2023 effective date. The bills, HB 381, HB 714 and SB 534, (1) add a new exemption to the VCDPA’s right to delete; (2) modify the VCDPA’s definition of “nonprofit”; and (3) abolish the Consumer Privacy Fund.

On April 11, 2022, Federal Trade Commission Chair Lina Khan spoke at the opening of the International Association of Privacy Professionals’ Global Privacy Summit. This speech marks Khan’s first major privacy address since her appointment last June.

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

On March 10, 2022, in its first formal written opinion interpreting the California Consumer Privacy Act’s (“CCPA’s”) compliance obligations, the California Attorney General (“AG”) confirmed that the CCPA grants a consumer the right to access inferences drawn from personal information collected about the consumer, even if such inferences are generated by the business (unless the business can demonstrate that a statutory exception to the CCPA applies). The opinion also makes clear that the CCPA does not require businesses to disclose trade secrets in response to access requests. The decision interprets the CCPA’s existing language, as opposed to creating new obligations with respect to access requests made pursuant to the CCPA.

On March 9, 2022, the Biden Administration released its much-anticipated “Executive Order on Ensuring Responsible Development of Digital Assets” (“Executive Order”). The White House describes the Executive Order as the “first whole-of-government strategy” on digital assets and attempts to strike a balance between encouraging innovation and U.S. leadership in the digital asset space, while signaling an appetite to protect against a variety of stated risks through additional regulation and legislation.

On March 11, 2022, the U.S. Senate passed an omnibus spending bill that includes language which would require certain critical infrastructure owners and operators to notify the federal government of cybersecurity incidents in specified circumstances. The bill  previously was passed by the House of Representatives on March 9, 2022. President Biden is expected to sign the bill and has until March 15, 2022, to do so before the current spending authorization expires.

On March 1, 2022, President Biden, in his first State of the Union address, called on Congress to strengthen privacy protections for children, including by banning online platforms from excessive data collection and targeted advertising for children and young people. President Biden called for these heightened protections as part of his unity agenda to address the nation’s mental health crisis, especially the growing concern about the harms of digital technologies, particularly social media, to the mental health and well-being of children and young people. President Biden not only urged for stronger protections for children’s data and privacy, but also for interactive digital service providers to prioritize safety-by-design standards and practices. In his address, President Biden called on online platforms to “prioritize and ensure the health, safety and well-being of children and young people above profit and revenue in the design of their products and services.” President Biden also called for a stop to “discriminatory algorithmic decision-making that limits opportunities” and impacts the mental well-being of children and young people.

On February 18, 2022, California Assembly Member Evan Low (D) introduced a pair of bills – AB 2871 and AB 2891 – that would extend the duration of the current exemptions in the California Consumer Privacy Act (“CCPA”) (as amended by the California Privacy Rights Act (“CPRA”)) for certain HR data and business-to-business (“B2B”) customer representative personnel data from most of the law’s requirements. The existing temporary “HR” and “B2B” exemptions were first introduced through amendments to the CCPA, and were extended by the CPRA, under which the exemptions will sunset on the CPRA’s compliance deadline, January 1, 2023.

On March 2, 2022, the Senate unanimously passed the Strengthening American Cybersecurity Act of 2022 (“SACA” or the “Bill”). The Bill is now with the House of Representatives for a vote and, if passed, will be sent to President Biden’s desk for signature.

On February 17, 2022, the California Privacy Protection Agency (“CPPA”) announced at a board meeting that it will delay the publication of final regulations under the California Privacy Rights Act (“CPRA”). As drafted, the CPRA provides for regulations to be finalized by July 1, 2022, to allow for a six-month compliance window ahead of the law’s January 1, 2023 effective date. However, the CPPA estimated that it will not publish final regulations until the third or fourth quarter of 2022. The CPPA also indicated that it may not issue draft regulations until June 2022. The CPPA cited delays in hiring staff and beginning operations as reasons for the delayed rulemaking process.

On February 23, 2022, the European Commission adopted a Proposal for a Regulation designed to harmonize rules on the fair access to and use of data generated in the EU across all economic sectors (the “Data Act”). The Data Act is intended to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all.” Importantly, the Data Act applies to all data generated in the EU, not only personal data, which is regulated by the General Data Protection Regulation (“GDPR”).

On November 14, 2021, the Cyberspace Administration of China (“CAC”) released for public comment its draft Regulations on Network Data Security Management (the “Draft Regulations”). The Draft Regulations are intended to implement portions of three existing laws – the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”) and the Personal Information Protection Law (“PIPL”) (together, the “Three Laws”) – by providing guidance on certain provisions and establishing specific requirements for implementing certain principles contemplated in the Three Laws. In addition, the Draft Regulations add new requirements related to data processing activities. Once effective, the Draft Regulations will impose even greater compliance obligations on companies than the PIPL.

Stephen Mathias from Kochhar & Co. reports that on December 16, 2021, the Indian Joint Parliamentary Committee (the “JPC”) submitted its report on India’s draft Data Protection Bill (the “Bill”). The Bill is now likely to be passed by Parliament in its next session, beginning in February 2022, and likely will enter into force in the first half of 2022. In its report, the JPC recommended a phased approach to implementing the law, beginning with the appointment of various government officers, such as the Data Protection Authority (“DPA”), with full implementation of the law to be completed within 24 months. The JPC’s report also contained a revised draft of the Bill. Certain key aspects of the revised Bill are summarized below.

On December 20, 2021, the UK Information Commissioner’s Office (“ICO”) launched a public consultation on its regulatory approach. The consultation involves three separate documents – the ICO’s Regulatory Action Policy (“RAP”), Statutory Guidance on the ICO’s Regulatory Action, and Statutory Guidance on the ICO’s PECR Powers. The RAP sets forth the ICO’s risk-based approach to regulatory action and explains the factors the ICO considers before taking regulatory action, how the ICO works with other regulators, and enforces the legislation for which it is responsible. Together, the three documents illustrate how the ICO aims to enforce information rights for data subjects in the UK.

On  November 27, 2021, the UAE Cabinet Office enacted its first federal Personal Data Protection Law (Federal Decree Law No. 45 of 2021, the “UAE Data Protection Law”). The UAE Data Protection Law will come into force on January 2, 2022.

On October 28, 2021, the European Parliament’s Committee on Industry, Research and Energy adopted a draft directive on cybersecurity (“NIS2 Directive”). The NIS2 Directive will broaden the scope of the existing NIS Directive to apply to “important sectors,” such as waste management, postal services, chemicals, food, medical device manufacturers, digital providers and producers of electronics, in addition to “essential sectors.” The NIS2 Directive imposes specific cybersecurity requirements relating to incident response, supply chain security, encryption and vulnerability disclosure obligations. The NIS2 Directive also aims to establish better cooperation and information sharing between EU Member States, and create a common European vulnerability database.

On October 29, 2021, the Cyberspace Administration of China (“CAC”) released for public comment “Draft Measures on Security Assessment of Cross-border Data Transfer” (“Draft Measures”). The CAC, in its third legislative attempt to build a cross-border data transfer mechanism in China, issued the Draft Measures three days before the November 1, 2021 effective date of the Personal Information Protection Law (“PIPL”).

During the week of October 4, 2021, California Governor Gavin Newsom signed into law bills amending the California Privacy Rights Act of 2020 (“CPRA”), California’s data breach notification law and California’s data security law. Additional bills, amending the California Confidentiality of Medical Information Act (“CMIA”) and the California Insurance Code, also were also signed into law. The Governor also signed into law a bill protecting the privacy and security of genetic data processed by direct-to-consumer genetic testing companies and a bill designed to prevent the sale, purchase and use of data obtained by illegal means.

On October 1, 2021, Florida’s Protecting DNA Privacy Act (the “Act”), took effect. The Act, signed into law by Governor Ron DeSantis on June 29, restricts certain willful collection, retention, analysis and disclosure of the DNA samples or DNA analysis results of persons in Florida without their express consent.

On September 29 and 30, 2021, the U.S. Senate Committee on Commerce, Science and Transportation convened hearings on how to better protect consumer and children’s privacy.

On August 29, 2021, a New York City Council bill amending the New York City Administrative Code to address customer data collected by food delivery services from online orders became law after the 30-day period for the mayor to sign or veto lapsed. Effective December 27, 2021, the law will permit restaurants to request customer data from third-party food delivery services and require delivery services to provide, on at least a monthly basis, such customer data until the restaurant “requests to no longer receive such customer data.” Customer data includes name, phone number, email address, delivery address and contents of the order.

On September 14, 2021, the U.S. House Committee on Energy and Commerce (“E&C Committee”) voted in favor of a legislative recommendation that would create a new Federal Trade Commission privacy bureau as part of the proposed $3.5 trillion federal budget reconciliation package.

This week, the United Arab Emirates (“UAE”) Minister of State for Artificial Intelligence, Digital Economy and Remote Work Applications (the “Minister”) announced that the UAE would introduce a new federal data protection law (“Data Protection Law”), the first federal law of its kind in the UAE. The Data Protection Law is one of the initiatives to be implemented under the recently published “Principles of the 50,” a charter of 10 strategic principles that will guide the political, economic and social development of the UAE for the next 50 years.

On August 26, 2021, the UK Department of Culture, Media and Sport (“DCMS”) made news by publishing a document indicating its intent to begin making adequacy decisions for UK data transfers to foreign jurisdictions and by announcing its preferred candidate for the position of new UK Information Commissioner.

On July 8, 2021, Colorado Governor Jared Polis signed SB21-190, the Colorado Privacy Act (“the Act”), into law, making Colorado the third state to have a comprehensive data privacy law on the books, following California and Virginia. The Colorado House voted 57-7 in favor of the Act on June 7 after it had previously passed the Senate unanimously on May 26. The Senate voted unanimously to adopt the House’s amendments to the Act on June 8. The Act will go into effect on July 1, 2023, with some specific provisions going into effect at later dates.

On June 17, 2021, Senator Kirsten Gillibrand (D-NY) announced the reintroduction of the Data Protection Act of 2021 (the “bill”), which would create an independent federal agency, the Data Protection Agency, to “regulate high-risk data practices and the collection, processing, and sharing of personal data.” The bill was first introduced in 2020 and has since been revised to include updated provisions intended to protect against privacy harms, oversee the use of “high-risk data practices” and examine the social, ethical, and economic impacts of data collection.

On June 14, 2021, Texas Governor Greg Abbott signed HB 3746, a bill amending Texas’s data breach notification law. Texas’s breach notification law requires notice to affected residents in the event of a data breach affecting certain sensitive personal data, including Social Security numbers, driver’s license or other government-issued ID numbers, account numbers or payment card numbers in combination with any required security code, access code or password, or certain information about an individual’s health or medical condition or treatment. The law also requires businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents.

After two rounds of public comments, the Data Security Law of the People’s Republic of China (the “DSL”) was formally issued on June 10, 2021, and will become effective on September 1, 2021.

Compared to previous drafts of the law, the final version of the DSL differs with respect to:

• establishing a work coordination mechanism and clarifying the duties of each governmental authority;
• establishing an administration system for state core data;
• encouraging data development and use to make public service more intelligent and requiring consideration of the needs of the elderly and people with disabilities when providing intelligent public services;
• protecting the security of government data; and
• increasing the punishment dynamics for violations of the law. 

On June 9, 2021, President Biden signed an Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries (the “EO” or “Biden EO”). The Biden EO elaborates on measures to address the national emergency regarding the information technology supply chain declared in 2019 by the Trump administration in Executive Order 13873. Simultaneously, the Biden EO also revokes three Trump administration orders (Executive Orders 13942, 13943 and 13971) that sought to prohibit transactions with TikTok, WeChat, their parent companies and certain other “Chinese connected software applications.” In their place, the Biden EO provides for (1) cabinet-level assessments and future recommendations to protect against risks from foreign adversaries’ (a) access to U.S. persons’ sensitive data and (b) involvement in software application supply and development; and (2) the continuing evaluation of transactions involving connected software applications that threaten U.S. national security.

On June 4, 2021, the European Commission published the final version of the implementing decision on standard contractual clauses for transfers of personal data to third countries under the EU General Data Protection Regulation (“GDPR”), as well as the final version of the new standard contractual clauses (the “SCCs”). The European Commission had previously published draft versions of the implementing decision and the SCCs in November 2020.

On May 10, 2021, the Ecuadorian National Assembly unanimously approved the Organic Law on Data Protection (the “Data Protection Law”), which President Moreno is expected to sign.

On April 29, 2021, the New York City Council passed the Tenant Data Privacy Act (“TDPA”), which would regulate the collection, use, safeguarding and retention of tenant data by owners of “smart access” buildings. The TDPA has been sent to the New York City Mayor’s desk for signature.

On April 29, 2021, China issued a second version of the draft Personal Information Protection Law (“Draft PIPL”). The Draft PIPL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft PIPL is the same as the prior version issued on October 21, 2020, below we summarize the material changes in the second version of the Draft PIPL.

On April 29, 2021, China issued a second draft version of the Data Security Law (“Draft DSL”). The Draft DSL will be open for public comments until May 28, 2021.

While the framework of this version of the Draft DSL is the same as the prior version issued on July 3, 2020, below we summarize the material changes in the second version of the Draft DSL.

On March 25, 2021, the Centre for Information Policy Leadership at Hunton Andrews Kurth organized an expert roundtable on the EU Approach to Regulating AI–How Can Experimentation Help Bridge Innovation and Regulation? (the “Roundtable”). The Roundtable was hosted by Dragoș Tudorache, Member of Parliament and Chair of the Artificial Intelligence in the Digital Age (“AIDA”) Committee of the European Parliament.  The Roundtable gathered industry representatives and data protection authorities (“DPAs”) as well Axel Voss, Rapporteur of the AIDA Committee.

On March 30, 2021, Hunton Andrews Kurth will host a webinar examining Virginia’s new Consumer Data Protection Act.

On March 15, 2021, the California Attorney General (“AG”) approved additional CCPA Regulations that impact certain sections of the initial CCPA Regulations that went into effect on August 14, 2020. These amendments, which were the subject of the third and fourth sets of proposed modifications, went into effect on March 15, 2021.

On March 2, 2021, Virginia’s Governor, Ralph Northam, signed the Consumer Data Protection Act into law without any further amendments. In addition to California, Virginia is now the second state to enact major privacy legislation of general applicability in the U.S.

On February 23, 2021, the Centre for Information Policy Leadership at Hunton Andrews Kurth hosted a webinar on China’s Data Privacy Landscape and Upcoming Legislation.

In the February 2021 issue of the Data Protection Leader, Hunton partner Dora Luo discusses China’s draft Personal Information Protection Law (“Draft PIPL”) (in Chinese) in the context of other comprehensive data protection frameworks, such as the EU General Data Protection Regulation (“GDPR”).

As we previously reported, significant data privacy bills, titled the Consumer Data Protection Act, are working their way through the Virginia legislature. If enacted, Virginia would be the second state to enact major data privacy legislation of general applicability.

On February 10, 2021, the European Data Protection Supervisor (“EDPS”) published two opinions on the European Commission’s proposals for a Digital Services Act (“DSA”) and a Digital Markets Act (“DMA”). The proposed DSA and DMA are part of a set of measures announced in the 2020 European Strategy for Data and have two main goals: (1) creating a safer digital space in which the fundamental rights of all users of digital services are protected, and (2) establishing a level playing field to foster innovation, growth and competitiveness in the European Single Market and globally.

On February 5, 2021, the state Senate of Virginia voted unanimously to approve Senate Bill 1392, titled the Consumer Data Protection Act, after the House of Delegates approved an identical House bill by an 89-9 vote. Each bill likely will be heard in committee next week by the opposite chamber, which provides additional opportunities to make amendments. Minor, clarifying amendments will likely be added in committee, but they are not expected to alter the main components of the bill. Virginia’s General Assembly will adjourn Sine Die on March 1, and legislators have until then to finalize the details of the legislation. Virginia’s Governor Ralph Northam would be in a position to sign the bill later in March. Notably, the Governor has line item veto authority, so the bill could also possibly be amended after it passes the General Assembly.

On February 4, 2021, the French Data Protection Authority (the “CNIL”) announced (in French) that it sent letters and emails to approximately 300 organizations, both private and public, to remind them of the new cookie law rules and the need to audit sites and apps to comply with those rules by March 31, 2021.

The global privacy and cybersecurity team at Hunton Andrews Kurth has authored multiple chapters of the 2021 Data Protection & Privacy guide by Lexology’s Getting the Deal Through. Partner Aaron P. Simpson and practice chair Lisa J. Sotto served as contributing editors of the ninth edition of the annual guide, which provides summary and analysis in key areas of law, practice and regulation for 150 jurisdictions across the globe.

On December 22, 2020, New York Governor Andrew Cuomo signed into law legislation that temporarily bans the use or purchase of facial recognition and other biometric identifying technology in public and private schools until at least July 1, 2022. The legislation also directs the New York Commissioner of Education (the “Commissioner”) to conduct a study on whether this technology is appropriate for use in schools.

Hunton attorneys Dora Luo and Yanchen Wang recently published a new Guidance Note for OneTrust DataGuidance on China’s data protection laws.

On December 10, 2020, the California Attorney General (“AG”) issued a fourth set of proposed modifications to the regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). This set of modifications builds upon the third draft set previously issued on October 12, 2020, which had not been finalized. Specifically, the modifications would revise portions of the regulations relating to the notice of right to opt-out.

According to the AG’s website, the fourth set of modified draft regulations are subject to another public comment period. The ...

On November 27, 2020, New Mexico Attorney General Hector Balderas filed a notice of appeal to the U.S. Court of Appeals for the Tenth Circuit in the lawsuit it brought against Google on February 20, 2020, regarding alleged violations of the federal Children’s Online Privacy Protection Act (“COPPA”) in connection with G-Suite for Education (“GSFE”). As we previously reported, the U.S. District Court of New Mexico had granted Google’s motion to dismiss, in which it asserted that its terms governed the collection of data through GSFE and that it had complied with COPPA by using schools both as “intermediaries” and as the parent’s agent for parental notice and consent, in line with Federal Trade Commission Guidance.

On November 17, 2020, the Senate passed by unanimous consent H.R. 1668, the Internet of Things (“IoT”) Cybersecurity Improvement Act (the “IoT Bill”). The House previously passed the IoT Bill in September after negotiations with the Senate to resolve differences in their respective bills. The IoT Bill now heads to the President’s desk for signature.

On November 12, 2020, somewhat in the shadow of the new standard contractual clauses for data transfers to recipients outside the European Economic Area (“EEA”), the European Commission also adopted draft standard contractual clauses to be used between controllers and processors in the EEA (“EEA Controller-Processor SCCs”).

On November 12, 2020, the European Commission published a draft implementing decision on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU General Data Protection Regulation (“GDPR”), along with its draft set of new standard contractual clauses (the “SCCs”).

On November 11, 2020, the European Data Protection Board (the “EDPB”) published its long-awaited recommendations following the Schrems II judgement regarding supplementary measures in the context of international transfer safeguards such as Standard Contractual Clauses (“SCCs”) (the “Recommendations”). In addition, the EDPB published recommendations on the European Essential Guarantees for surveillance measures (the “EEG Recommendations”), which complement the Recommendations. The Recommendations are subject to a public consultation, which closes on December 21, 2020.

On November 19, 2020, Hunton Andrews Kurth will host a webinar examining the recently approved California Privacy Rights Act (“CPRA”) and how it revises the California Consumer Privacy Act of 2018 (“CCPA”).

On November 3, 2020, California voters approved California Proposition 24, the California Privacy Rights Act (“CPRA”). As we previously reported, the CPRA significantly amends and expands upon the California Consumer Privacy Act of 2018, which became enforceable earlier this year. The new and modified obligations under the CPRA will become operative on January 1, 2023, and, with the exception of access requests, will apply to personal information collected by businesses on or after January 1, 2022. Notably, the CPRA establishes the California Privacy Protection Agency ...

On October 21, 2020, China issued a draft of Personal Information Protection Law (“Draft PIPL”) for public comments. The Draft PIPL marks the introduction of a comprehensive system for the protection of personal information in China.

On October 12, 2020, the California Attorney General (“AG”) issued a third set of proposed modifications to the regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). As we previously reported, the long-awaited CCPA regulations were approved by the California Office of Administrative law and became effective on August 14, 2020. This new set of proposed modifications would revise portions of the regulations relating to the notice of right to opt-out, methods for submitting opt-out of sale requests, and verification of authorized agents ...

On October 6, 2020, the Court of Justice of the European Union (“CJEU”) handed down Grand Chamber judgments determining that the ePrivacy Directive (the “Directive”) does not allow for EU Member States to adopt legislation intended to restrict the scope of its confidentiality obligations unless they comply with the general principles of EU law, particularly the principle of proportionality, as well as fundamental rights under the Charter of Fundamental Rights of the European Union (the “Charter”).

On October 1, 2020, the UK Information Commissioner’s Office (“ICO”) launched a public consultation on its draft Statutory Guidance (the “Guidance”). The Guidance provides an overview of the ICO’s powers and how it intends to regulate and enforce data protection legislation in the UK, including its approach to calculating fines.

On September 25, 2020, the District Court of New Mexico granted Google’s motion to dismiss a lawsuit filed on February 20, 2020, by New Mexico Attorney General Hector Balderas alleging, among other claims, that the company violated the federal Children’s Online Privacy Protection Act (“COPPA” or the “Act”) by using G Suite for Education to “spy on New Mexico students’ online activities for its own commercial purposes, without notice to parents and without attempting to obtain parental consent.”

On September 17, 2020, Senator Roger Wicker (MS), Chairman of the Senate Commerce Committee, along with Senators John Thune (SD), Deb Fischer (NE) and Marsha Blackburn (TN) introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act (“the Bill”). The Bill marks an official introduction of an update of Senator Wicker’s draft United States Consumer Data Privacy Act of 2019, which was circulated last November.

On September 18, 2020, as confirmed by Brazilian firm Mattos Filho, Veiga Filho, Marrey Jr. e Quiroga Advogados, Brazil’s President signed a bill from Brazil’s Congress bringing the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, “LGPD”) into effect with a retroactive applicability date of August 16, 2020. The LGPD’s sanctions provisions will apply beginning August 1, 2021, based on a previous delay passed by Brazil’s legislature. As we previously reported, on August 26, 2020, Brazil’s Senate had unexpectedly rejected the ...

UPDATE: On September 29, 2020, California Governor Gavin Newsom vetoed AB 1138.

On September 8, 2020, AB 1138, the Parent’s Accountability and Child Protection Act, was enrolled and presented to the California Governor for signature. If signed into law by the Governor, the bill would require a business that operates a social media website or application, beginning July 1, 2021, to obtain verifiable parental consent for California-based children that the business “actually knows” are under 13 years of age (hereafter, “Children”). The bill defines “social media” to mean an electronic service or account held open to the general public to post, on either a public or semi-public page dedicated to a particular user, electronic content or communication, including but not limited to videos, photos or messages intended to facilitate the sharing of information, ideas, personal messages or other content.

The Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) and the Data Security Council of India (“DSCI”) have published a report on Enabling Accountable Data Transfers from India to the United States under India’s Proposed Personal Data Protection Bill (the “Report”).

On September 1, 2020, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) and the Centro de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público (“CEDIS-IDP”) released a new paper (“Paper”) on the Top Priorities for Public and Private Organizations to Effectively Implement the New Brazilian General Data Protection Law (“LGPD”). This paper is part of their joint-project on effective implementation and regulation under the LGPD.

On September 3, 2020, the Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) of the European Parliament held a meeting to discuss the future of EU-U.S. data flows following the Schrems II judgment of the Court of Justice of the European Union (the “CJEU”). In addition to Members of the European Parliament (“MEPs”), the meeting’s participants included Justice Commissioner Didier Reynders, European Data Protection Board (“EDPB”) Chair Andrea Jelinek and Maximilian Schrems. Importantly, Commissioner Reynders stated during the meeting that the new Standard Contractual Clauses (“SCCs”) might be adopted by the end of 2020, at the earliest.

UPDATE: On September 25, 2020, California Governor Gavin Newsom vetoed SB-980.

On August 31, 2020, the California Senate joined the Assembly in passing SB-980, as amended, a bill to establish the Genetic Information Privacy Act (the “Act”), which would require direct-to-consumer genetic testing companies to comply with certain privacy and data security provisions, including providing consumers with prescribed notice; obtaining consumers’ express consent regarding the collection, use and disclosure of genetic data; and enabling consumers to access and delete their genetic data. The bill is pending California Governor Gavin Newsom’s signature.

On August 30, 2020, the California legislature passed AB-1281. As background, the California Consumer Privacy Act of 2018 (“CCPA”) currently exempts from most of its requirements certain information collected in the HR context and certain information collected about B2B personnel. Each exemption is scheduled to sunset on January 1, 2021. As we previously reported, the California Privacy Rights Act (“CPRA”) ballot initiative, if passed during the state’s November 3, 2020 general election, would extend the CCPA’s HR and B2B exemptions to January 1, 2023 ...

On August 26, 2020, as reported by Brazilian firm Mattos Filho, Veiga Filho, Marrey Jr. e Quiroga Advogados, the Brazilian Senate unexpectedly rejected the President’s Provisional Measure that was previously passed by the House of Representatives and aimed to postpone the applicability of the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, or “LGPD”). The LGPD now will come into effect when the President signs the bill within 15 days of receiving the bill from Congress. The LGPD’s sanctions provisions, however, will continue to apply from August 1, 2021. The President also has issued a decree creating the new Brazilian data protection authority.

On August 14, 2020, the California Attorney General announced that the California Office of Administrative Law (“OAL”) approved the final regulations issued under the California Consumer Privacy Act of 2018 (“CCPA”) and filed them with the California Secretary of State. As we previously reported, the California Attorney General submitted the draft regulations to the OAL on June 1, 2020, and requested that the regulations become effective on the same day they are filed with the Secretary of State. The OAL has complied with that request, and the regulations go into effect ...

On August 4, 2020, Senators Jeff Merkley (OR) and Bernie Sanders (VT) introduced the National Biometric Information Privacy Act of 2020 (the “bill”). The bill would require companies to obtain individuals’ consent before collecting biometric data. Specifically, the bill would prohibit private companies from collecting biometric data—including eye scans, voiceprints, faceprints and fingerprints—without individuals’ written consent, and from profiting off of biometric data. The bill provides individuals and state attorneys general the ability to institute legal proceedings against entities for alleged violations of the act.

The U.S. Department of Commerce has issued two new sets of FAQs in light of the Court of Justice of the European Union’s (“CJEU’s”) recent decision to invalidate the EU-U.S. Privacy Shield in Schrems II. We previously reported on the Schrems II ruling and its implication for businesses that transfer personal data to the U.S. The new FAQs from the Department of Commerce address the impact of the decision on the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework.

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued its landmark judgment in the Schrems II case (case C-311/18). In its judgment, the CJEU concluded that the Standard Contractual Clauses (the “SCCs”) issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. Unexpectedly, the Court invalidated the EU-U.S. Privacy Shield framework.

In one of the most important cases on global data transfers, the Court of Justice of the European Union (“CJEU”) will rule on the validity of the Standard Contractual Clauses (“SCCs”) in the Schrems II case (case C-311/18) on July 16, 2020. Invalidation of the SCCs would leave businesses scrambling to find an alternative data transfer mechanism. But there may be significant practical challenges for businesses even if the SCCs survive.

In a case that has garnered widespread interest, the Court of Justice of the European Union (“CJEU”) will deliver its judgment in the Schrems II case (case C-311/18) on July 16, 2020, determining the validity of the controller–to-processor Standard Contractual Clauses (“SCCs”) as a cross-border data transfer mechanism under the EU General Data Protection Regulation (“GDPR”). If the SCCs are invalidated, the judgment would deliver a significant blow to the numerous businesses that rely on them, leaving many scrambling to find a suitable alternative transfer mechanism. Even if the SCCs survive, they may become more cumbersome to use.

On June 26, 2020, New Zealand Justice Minister Andrew Little announced that the bill to repeal and replace New Zealand’s existing Privacy Act 1993 (the “Privacy Bill”) had passed its third reading in Parliament. The Privacy Bill received royal assent on June 30, 2020.

When compared to the EU or the U.S., China has lacked a comprehensive data protection and data security law that regulates in detail requirements and procedures relating to the collection, processing, control and storage of personal data. In recent years, China has seen developments on data protection both in legislation and in practice. Recently, another significant draft law on data security was issued by the Chinese legislative authority. On June 28 to June 30, 2020, the 20th Session of the 13th Standing Committee of the National People’s Congress of China (the “NPC”) deliberated on the draft of the Data Security Law (the “Draft”), and on July 3, published the Draft on the NPC’s official website for public comment. The public comment period for the Draft will end on August 16, 2020. It is expected that the Draft will be finalized within the year and that the regulatory requirements relating to data security eventually will be reflected in law in China.

On July 1, 2020, the California Consumer Privacy Act of 2018 (“CCPA”) became enforceable by the California Attorney General. Under the statute, businesses are granted 30 days to cure any alleged violations of the law after being notified of alleged noncompliance. If a business fails to cure the alleged violation, it may be subject to an injunction and liable for a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation.

Zeyn Bhyat of ENSafrica reports that on June 22, 2020, it was announced that South Africa’s comprehensive privacy law known as the Protection of Personal Information Act, 2013 (the “POPIA”) will become effective on July 1, 2020. POPIA acts as the more detailed framework legislation supporting South Africa’s constitutional right to privacy.

According to a memorandum issued by the California Secretary of State on June 24, 2020, the California Privacy Rights Act (“CPRA”) has garnered enough signatures to be placed on the State’s General Election ballot this November 3, 2020. As we previously reported, the CPRA would amend the California Consumer Privacy Act of 2018 (“CCPA”) to create new and additional privacy rights and obligations in California. According to early polling by Californians for Consumer Privacy (the group behind the CPRA), nine in 10 Californians would vote to support a ballot measure ...

On May 13, 2020, Senator Alessandro Vieira presented Bill n. 2630/2020 (“Bill”) to the Brazilian Senate, which the Senate is calling the “Fake News Law.” Officially, this Bill establishes the Brazilian law of “freedom, responsibility and transparency on the internet.” It was introduced in the context of the alleged use of fake news by political parties and other public sector stakeholders in Brazil.

On June 12, 2020, the Brazilian President Jair Bolsonaro approved Law #14,010/2020 (the “Law”). This Law was created to establish an urgent legal framework for the private sector in the context of the COVID-19 crisis. Among other topics, it delays until August 1, 2021 the applicability of the provisions relating to sanctions for non-compliance with the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, “LGPD”).

On June 11, 2020, the California Senate amended AB-713 to the California Consumer Privacy Act of 2018 (“CCPA”). The Senate’s recent amendments impose new contractual obligations on the use or sale of de-identified information and modify the exemption from the CCPA for information used for public health purposes. The California Assembly had originally passed AB-713 in 2019 to (1) explicitly carve out from coverage by the CCPA information de-identified pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule, and (2) expand the CCPA exemption for information used for research purposes. AB-713 is intended to “preserv[e] access to information needed to conduct important health-related research that will benefit Californians.” The revised version of AB-713 containing the Senate’s recent amendments has not yet passed either house of the California legislature.

On June 1, 2020, the Office of the California Attorney General submitted the final California Consumer Privacy Act (“CCPA”) proposed regulations to the California Office of Administrative Law (“OAL”). Notably, the final proposed regulations are the same as the draft issued in March. The OAL must review the rulemaking package for procedural compliance with California’s Administrative Procedure Act. The OAL’s typical 30-day review period has been extended by 60 calendar days under an executive order related to the COVID-19 pandemic. Assuming OAL approves the regulations, the final text will be filed with the Secretary of State.

On May 14, 2020 Democrats in both the House and Senate introduced the Public Health Emergency Privacy Act (“the Act”). In the House, the Act was sponsored by Representatives Jan Schakowsky (IL), Anna Eshoo (CA) and Suzan DelBene (WA), and in the Senate was sponsored by Senators Richard Blumenthal (CT) and Mark Warner (VA). Similar to the recently-introduced COVID-19 Consumer Data Protection Act of 2020, the Act would put temporary rules in place regarding the collection, use and disclosure of emergency health data used to combat the spread of the coronavirus. The rules imposed by the Act would only apply during the course of the Public Health Emergency as declared by the Secretary of Health and Human Services (“HHS”) and would only apply to specific uses of certain personal data.

Pakistan’s Ministry of Information Technology and Telecommunication recently introduced a new draft of Pakistan’s Personal Data Protection Bill, 2020 (the “Bill”) and launched a public consultation regarding the same. The public consultation period will end on May 15, 2020. The Bill, which applies to “any person who processes” or “has control over or authorizes the processing of” any personal data, if the data subject, the controller or processor are located in Pakistan, would establish certain requirements and restrictions related to the processing of personal data, as well as penalties for violating the law. In addition, under the Bill, the federal government would, within six months of coming into force, establish a Personal Data Protection Authority of Pakistan with rulemaking authority to enforce the act.

In a “Ten Years Hence” speaker series hosted by the University of Notre Dame, Lisa Sotto, Chair of Hunton Andrews Kurth’s global Privacy and Cybersecurity practice, highlights why privacy and cybersecurity will remain relevant issues now and for decades to come in a lecture on Privacy and Cybersecurity: The New Frontier.

On April 28, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP submitted formal comments to the European Commission’s consultation on its roadmap for the two-year evaluation of the EU General Data Protection Regulation (“GDPR”) (the “Response”).

On May 4, 2020, Californians for Consumer Privacy (the group behind the ballot initiative that inspired the California Consumer Privacy Act of 2018 (“CCPA”)) announced that it had collected over 900,000 signatures to qualify the California Privacy Rights Act (“CPRA”) for the November 2020 ballot. The group announced that it was taking steps to submit the CPRA for inclusion on the November ballot in counties across California. The CPRA would amend the CCPA to create new and additional privacy rights and obligations in California, including the following:

On April 29, 2020, the Brazilian President issued Provisional Measure #959/2020, which provisionally delays the applicability date of the Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais – “LGPD”) to May 3, 2021.

California Attorney General (“AG”) Xavier Becerra recently issued an alert emphasizing the rights of California consumers under the California Consumer Privacy Act (“CCPA”) during the COVID-19 pandemic. The alert follows media reports that the AG’s office is “committed to enforcing the law upon finalizing the rules or [by] July 1, whichever comes first,” even with the “new reality created by COVID-19.”

On April 3, 2020, the Brazilian Senate approved Bill of Law (“PL 1179/2020”), which includes a number of emergency measures intended to address the COVID-19 pandemic. Importantly, one provision delays the effective date of the Brazilian Data Protection Law (Lei Geral de Proteção de Dados Pessoais, “LGPD”) until January 2021. Fines and sanctions for companies that fail to comply with the LGPD are now scheduled to become effective August 2021.

On March 18, 2020, Washington Governor Jay Inslee signed into law a bill amending Washington State’s Agency Breach Notification Law (“Agency Breach Law”). The Agency Breach Law applies to all state and local agencies, including state and municipal offices, departments, bureaus and commissions.

On March 19, 2020, the European Data Protection Board (“EDPB”) published a new statement regarding processing personal data in the context of the COVID-19 outbreak. The EDPB said that emergency is a legal condition which may legitimize restrictions of individual freedoms, provided that these restrictions are proportionate and limited to the emergency period. Several considerations come into play in weighing the lawful processing of personal data in these circumstances.

As reported by Bloomberg Law, on March 12, 2020, the Washington House and Senate were unable to reach consensus on the Washington Privacy Act.  As we reported this January, lawmakers in Washington state introduced a new version of the Washington Privacy Act, a comprehensive data privacy bill.  In the past two months, the much-discussed bill flew through the Washington Senate and House, but ultimately failed to pass.

The bill’s House version would have provided for a private right of action while the bill’s Senate version would have given sole enforcement authority to the state ...

On March 11, 2020, the California Attorney General (“AG”) issued a second set of modified draft regulations implementing the California Consumer Privacy Act of 2018 (“CCPA”). The AG has provided a redline to the initial modified draft regulations about which we previously reported. According to the AG’s website, the second set of modified draft regulations are subject to another public comment period. The deadline to submit written comments is March 27, 2020, at 5:00 p.m. (PST).

On February 10, 2020, the California Attorney General issued a slightly revised version of the modified draft regulations implementing the California Consumer Privacy Act of 2018, having omitted a revision in Section 999.317(g) from the version published on February 7, 2020. The deadline to submit written comments has been extended to February 25, 2020, at 5:00 p.m. (PST).