With the end of the Brexit transition period rapidly approaching and the United Kingdom (UK) poised to become a “third country” after it leaves the European Union (EU), the UK and the EU have yet to reach any “deal” on how the transfer of personal data should be dealt with starting January 1, 2021. With the negotiations deep into their final phase, the advice from regulators, including the UK’s Information Commissioner’s Office (ICO), is that organisations should be taking steps to prepare for the UK becoming a third country (for the EU data protection regime) after Brexit.
Brazil’s long-anticipated data protection law, Lei Geral De Proteção de Dados Pessoais (“General Law for Data Protection” or “LGPD”), now appears positioned to take effect in a matter of days. Ever since the law was originally passed in August 2018, implementation and enforcement timelines have been in flux. In a rather sudden turn of events last week, however, dramatic back-to-back votes by each house of Brazil’s National Congress now put the substantive provisions of the LGPD on track to take effect in a few days’ time, upon approval by Brazil’s president. The LGPD’s administrative fines and sanctions provisions remain scheduled to take effect next year in August 2021. READ MORE
Happy New Year! At long last, the California Consumer Privacy Act of 2018 (“CCPA”) went into effect yesterday, January 1, 2020. For those who have not yet heard, the CCPA establishes a comprehensive legal framework to govern the collection and use of personal information, both online and offline, and provides unprecedented privacy rights to California consumers, in effect becoming the de facto national standard for U.S. privacy law. The law introduces new legal risks and considerations for companies that collect information from California consumers, due to the law’s expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, potential for statutory fines and, in the event of a security incident, the potential for consumer class action litigation. READ MORE
Under Russian Data Protection Law, when collecting personal data, data operators (controllers) must ensure that recording, systematization, accumulation, storage, updating and extraction of personal data relating to Russian citizens are performed utilizing databases located in Russia (data localization requirement).
The new law, adopted by the Russian parliament and signed into law on December 2, 2019, introduces substantial fines for violations of that requirement. READ MORE
On October 10, 2019, the California Attorney General added to the complexity of the California Consumer Privacy Act of 2018 (“CCPA”) by releasing long-awaited proposed regulations that provide guidance on various elements of the CCPA. The text of the proposed regulations is available here and the California Attorney General has made other documents and information relating to the proposed regulations available here. The comment period for the proposed regulations will close on December 6, 2019. Interested parties may review and provide written comments addressing the proposed regulations prior to that date or attend one of four scheduled public hearings on the proposed regulations to be held on December 2-5, 2019. READ MORE
While the California Consumer Privacy Act (“CCPA”) has inspired many states to consider their own consumer privacy bills, including Nevada which recently enacted a new law, not to be lost in the CCPA-focused frenzy is the fact that states continue to revise their data breach notification statutes. In recent weeks, the new Massachusetts breach notification amendment has gone into effect, New Jersey, Maryland, Oregon, Texas, and Washington have enacted their own breach notification amendments, and Illinois has proposed a bill that is poised to become law in the near term. READ MORE
At the beginning of this month, more than 4,000 privacy professionals from around the globe gathered in Washington, D.C. for the International Association of Privacy Professionals’ Global Privacy Summit 2019. The conference focused on lessons learned from the first year of GDPR enforcement in Europe, the expansion of European-style rights to more jurisdictions around the world, plans for addressing new obligations imposed by the CCPA in California, and the future of privacy law in the United States including whether federal legislature is likely or desired – especially in light of the CCPA and similar proposed legislation in states throughout the nation. READ MORE
In 2018, the California legislature made headlines with its game-changing data protection law: the California Consumer Privacy Act of 2018. Other state legislators across the country appear to be hot on its heels as a flurry of CCPA-like bills have been introduced across the United States. While it is too early to predict which of these bills, if any, will be enacted, this increased focus on privacy in the state legislatures is clearly a sign that the privacy landscape—and consequent compliance challenges for companies—is going to get more complicated. READ MORE