Regulatory Update Part 2: ‘Schrems II’ Update, CPRA on the November Ballot
This summer, regulations are heating up on both sides of the Atlantic. As we shared in our last regulatory update, additional breach notification regulations took effect in four U.S. states. In other privacy news, the Court of Justice of the European Union’s July 16th ruling in the “Schrems II” case invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework. And on June 25th, the California Privacy Rights Act—“CCPA 2.0”—was officially certified to be on the November ballot.
Here’s the scoop on both Schrems II and the CPRA:
Schrems II Takes Down Privacy Shield…
At its core, the Schrems II case is about one issue: Is the personal data of EU data subjects sufficiently protected when companies transfer it to the United States? Thousands of U.S. companies have used the Privacy Shield Framework to protect this data in compliance with EU data protection rules while conducting trans-Atlantic commerce.
However, the EU Court of Justice found the Privacy Shield “inadequate” because the U.S. government, which can access and use transferred personal data for security purposes, does not provide the level of data protection due to EU data subjects under GDPR. The ruling also contends that the Privacy Shield does not grant EU data subjects legal remedy against the U.S. government in the case of a privacy violation.
In a recent FAQ, the European Data Protection Board said there was no grace period under the ruling, clearly stating that: “Transfers on the basis of this legal framework are illegal.” Companies that used to rely on the Privacy Shield now need an alternative method for transferring personal data.
…And What About Standard Contractual Clauses
In the same ruling, the EU Court of Justice addressed the validity of another legal basis for enabling transfers known as standard contractual clauses (SCCs). For SCCs to remain valid, the EU Court of Justice advised that companies using them must provide EU data subjects the “essentially equivalent” level of protection guaranteed by GDPR, and requested an additional review of the validity of SCCs from the Irish High Court.
According to the European Data Protection Board, “Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. These assessments must be made on a case-by-case basis.”
So, what can U.S. businesses do?
Laura Clark Fey, a certified Privacy Law Specialist (IAPP) and former Privacy Shield Arbitrator who advises companies on global data privacy and cybersecurity issues, provided companies with the following guidance:
1. Have a good understanding of how all personal data flows out of the EU
“As a starting point, companies should ensure they have a good understanding of all of their personal data flows out of the EU, including what types of personal data are being transferred, to what location, to whom and by whom, and under what EU lawful basis. To the extent that companies are relying on Privacy Shield certification as their lawful basis for any EU-U.S. data transfers, they should either retain EU personal data in the EU, if that is an option, or choose another lawful basis for transfer.
“After the CJEU’s opinion, Standard Contractual Clauses (SCCs) are still valid, as are Binding Corporate Rules and derogations. Because of the expense, effort, and the time required to obtain approval for Binding Corporate Rules and in light of the limited utility of derogations, for many companies, SCCs will be the best option for transferring personal data out of the EU.
2. Analyze whether the law in each country ensures adequate protection of the EU personal data
“However, they should be aware that the CJEU’s decision raises questions about whether SCCs are truly appropriate for transfers of personal data to the U.S. and to other countries where governmental access to personal data is legally permitted. Companies should analyze, on a case-by-case basis, whether the law in each country to which EU personal data is being transferred ensures adequate protection of the EU personal data that is being transferred.
“As part of this assessment, organizations should consider whether the types of EU personal data they are transferring have been or are likely to be subject to any governmental access requests. If the law in the country to which EU personal data is being transferred does not ensure adequate protection of EU personal data, companies must either implement additional protections that will ensure adequate protection or, if adequate protection still cannot be provided, suspend their data transfers.
3. Document and retain analyses
“It is important that they understand their commitments under the SCCs, and they should monitor their continuing compliance with SCC provisions. Regardless of the transfer mechanism chosen, they should document and retain their analyses.
“Companies that are Privacy Shield-certified should consider withdrawing from the Privacy Shield (unless they have contractually committed to maintain Privacy Shield Certification) in furtherance of seeking to limit potential liability based on Privacy Shield promises. They should nevertheless seek to continue to abide by their prior Privacy Shield promises, which aid in demonstrating adequate protection of EU personal data.
4. Continue following legal developments in Schrems II
“Moving forward, companies should follow legal developments in Schrems II, which is headed back to the Irish High Court, and stay on top of guidance from EU data protection authorities with oversight responsibilities for their data flows out of the EU. SCCs may be the best option for many companies today, but that could change tomorrow.”
Californians to Vote on CPRA in November Election
Earlier this year, Californians for Consumer Privacy—the organization responsible for the CCPA—submitted more than 900,000 signatures to qualify the California Privacy Rights Act (CPRA) for the November ballot. California Secretary of State Alex Padilla certified the measure on June 25th.
If passed, the CPRA would expand Californians’ privacy rights while adding to the list of obligations for companies subject to the law. These provisions would include:
- A new category of personal information called sensitive personal information, which includes health, financial, and geolocation data as well as account credentials, government-issued identifiers like Social Security numbers, and contents of email, texts, and mail. Consumers would have the right to keep businesses from using this information.
- The California Privacy Protection Agency (CPPA), a new regulatory agency with the authority to implement and enforce the CCPA, instead of the California Attorney General.
- Greater privacy for children’s data, including triple the fines for businesses that collect and sell the information of minors younger than 16.
- Rights for consumers to correct inaccurate personal information and to know how long businesses retain their data.
- Greater breach liability, specifically for the breach of an email address together with a password or security question that would give unauthorized access to a consumer’s account.
Even if it passes—and nearly nine in 10 Californians would vote for a law expanding consumer privacy rights—almost all provisions of the CPRA would not take effect until January 2023. According to IAPP, the two-year gap between adopting and implementing the law would give federal lawmakers the incentive and time to adopt U.S. privacy legislation. “[The passage of the CPRA] and the growing number of states proposing new privacy legislation will likely increase industry demands for a new federal law,” wrote Caitlin Fennessy, IAPP’s research director.