International law around data privacy continues to evolve as jurisdictions around the world seek to develop and refine their regulatory schemes governing collection and processing of consumer data by businesses. Kevin Coy and Erin Doyle, experts from Arnall Golden Gregory, bring us up to speed on the global data privacy landscape.
In a rapidly changing and digitized world, international law is evolving quickly. While the prospects for enshrining consumer data protection in U.S. federal law remain unclear despite the progress made in 2022, many other countries and regions have sped forward with measures.
This article discusses recent privacy law developments from select jurisdictions around the world, including the EU, UK, China, Brazil, India and Canada, with an emphasis on international data transfer issues.
The European Union
EU-U.S. data privacy framework
Following the Schrems II decision from the EU Court of Justice in July 2020, which invalidated the EU-U.S. Privacy Shield adequacy decision, the EU and the United States have been working on a replacement program to facilitate transfers of personal data from the European Economic Area (EEA) to the U.S.
In March 2022, an agreement in principle for a new EU-U.S. data privacy framework was announced, and the European Commission published a draft adequacy decision in December 2022. As part of the agreement, President Joe Biden issued Executive Order 14086, which modifies the U.S. approach to certain intelligence activities and establishes a data protection review court for complaints.
In February, the European Data Protection Board (EDPB) adopted a nonbinding opinion welcoming the framework but requesting modifications; in May, the EU Parliament adopted a nonbinding resolution opposing the framework.
Then, on July 10, the framework was approved by the European Commission. Legal challenges to the new framework are expected from privacy advocates, including Max Schrems, for whom the original EU court decision was named, but the framework will presumably remain in effect while challenges work their way through the EU legal system.
As with its predecessor programs, participation in the framework is voluntary and open to U.S. organizations subject to the jurisdiction of the FTC or the Department of Transportation for enforcement purposes. Participants are required to certify their compliance with the Department of Commerce, which will administer the program, and to publicly commit to compliance (the FTC’s main hook for enforcement authority). Participants will need to recertify their participation each year and will be required to offer an independent dispute resolution mechanism for consumer complaints that cannot be resolved with the participant organization.
Meta data transfer decision
The framework is an important effort to provide a more stable structure for data transfers from the EU and EEA to the U.S. Its importance was underscored in May, when the Irish Data Protection Commission (DPC) adopted a decision in a long-running dispute between Meta Platforms Ireland and Max Schrems regarding Meta transfers of personal data to the U.S. as part of the Facebook and Instagram social media services.
The Irish DPC found, among other things, that Meta could not rely on EU standard contractual clauses to transfer personal data to the U.S. and that Meta’s data transfers to the U.S. should be suspended. It also assessed a €1.2 billion fine against the company. Meta quickly announced its intent to appeal the decision, including the fine, but the decision underscores the ongoing challenges facing data transfers from the EU and EEA to the U.S.
Revised breach notification guidance
On March 29, the EDPB announced revised breach notification guidance calling for organizations subject to the GDPR under its extraterritorial provisions that experience a data breach to notify the supervisory authorities in each member state where affected data subjects reside. The prior guidance had permitted organizations that had appointed data protection representatives under GDPR Art. 27 to notify only the supervisory authority in the member state where the representative was located. This change will significantly increase breach reporting requirements for non-EU organizations that experience breaches impacting data subjects in multiple member states.
UK-U.S. data transfers
The UK and U.S. have agreed to establish a UK extension to the EU-U.S. data privacy framework, which will create a “data bridge” between the two countries. The UK extension will permit U.S. organizations that choose to participate in the EU-U.S. data privacy framework to also use the program as a basis for transferring personal data from the UK to the U.S. Organizations must self-certify to the program and may not begin relying on the UK extension until the UK’s adequacy regulations implementing the extension enter into force, which is expected to happen later this year.
UK GDPR reform legislation
Additionally, the UK is considering legislation to reform the UK GDPR. On March 8, after delays due to changes of government in the UK last year, a revised “Data Protection and Digital Information Bill No. 2” was introduced in Parliament. The bill is under consideration in the House of Commons and a committee met to amend the proposal on June 9.
The intent of the 220-page bill is “common sense” reform of the UK’s data protection laws to keep privacy protections while eliminating “unnecessary” paperwork and burdens on business. The bill would put a UK gloss on the UK GDPR, making changes to tests and terminology intended to distinguish the UK GDPR from the EU version. The intent appears to be to further customize the UK GDPR for the UK without diverging from the EU GDPR to such a degree that the EU would be inclined to withdraw or decline to renew the EU’s adequacy decision for data transfers from the EU to the UK.
One proposed change that could be useful for organizations outside the UK that are subject to the UK GDPR under its extraterritorial applicability provision is the elimination of the requirement to appoint a data protection representative in the UK.
On Feb. 24, China published standard contractual clauses (SCCs) for cross-border data transfers (an unofficial English translation of the clauses is available here). In 2021, China enacted the Personal Information Protection Law (PIPL), a comprehensive consumer data privacy law that includes restrictions on cross-border data transfers. Under the PIPL, there are three main mechanisms to facilitate international data transfers:
- Pass a security assessment led by the Cyberspace Administration of China (CAC).
- Obtain a personal information protection certification from a CAC-recognized third-party professional organization.
- Execute the Chinese standard contractual clauses.
There is also a catch-all mechanism under the law stating that it is possible for the transfer to be performed according to other mechanisms provided for by law or administrative regulations, but no such mechanism has yet been detailed. Following their release, the Chinese SCCs became effective June 1, with a compliance grace period until Nov. 30 for data transfers in effect before June 1.
Notably, there are restrictions on the circumstances in which the Chinese SCCs can be used. They cannot be used as a valid data transfer mechanism if the data exporter:
- Is a critical information infrastructure operator (e.g., businesses in finance, energy, telecom, utilities, transportation).
- Has processed personal data of over 1 million individuals.
- Has made transfers of the personal data of over 100,000 individuals (or of the sensitive personal information of over 10,000 individuals) cumulatively since Jan. 1 of the preceding year.
This means that SCCs cannot be used for certain industries and larger data transfers. The compulsory CAC security assessment is triggered if the data transfer involves the personal data of over 100,000 individuals. Businesses are also prohibited from dividing up the volume of personal data transferred abroad to circumvent the compulsory CAC security assessment mechanism.
It is helpful to evaluate the Chinese SCCs in comparison to the EU SCCs, which are used to facilitate data transfers out of the EU to third countries. In many respects, the Chinese and the EU SCCs are similar. A few notable differences, however, include the limitations discussed above on when the Chinese SCCs may be used and the fact that the Chinese SCCs impose stricter restrictions on onward data transfers. Specifically, before a data importer may make an onward data transfer to a third party of data it receives from a Chinese data exporter, the data importer must satisfy certain requirements, including notifying data subjects of the onward transfer, obtaining a separate consent from the data subjects (if the initial processing relies on consent as the lawful basis for processing) and entering into a written agreement with the onward transferee.
Another notable distinction of the Chinese SCCs is that they must be filed with the local provincial CAC authorities within 10 working days of the effective date of the SCC contract, by submitting a personal information protection impact assessment (PIPIA) report, the signed SCC contract and other ancillary information. Notably, the cross-border data transfer is not conditional on filing with the CAC and can begin before the filing is made, but the provincial CAC will have 15 working days to conduct a review of the filing and issue an outcome of “pass” or “fail.” If a fail notification is issued, the data exporter will have 10 working days to provide supplementary materials to the CAC.
Administrative enforcement regulations
Brazil’s General Data Protection Law (LGPD) has been in effect since 2020, but earlier this year it got its regulatory enforcement framework. On Feb. 24, the Brazilian National Data Protection Authority (ANPD) issued a regulation establishing the administrative sanctions for noncompliance with the LGPD, setting forth the methodology for choosing which sanctions apply to which violations. The regulation makes clear that sanctions shall be applied on a case-by-case basis and only after an administrative proceeding. Sanctions can range from warnings, to fines, to suspension or prohibition of processing activity in Brazil. Prior to the issuance of this regulation, the LGPD had already seen some enforcement activity in the courts due to lawsuits brought by private data subjects.
The ANPD subsequently released, on March 23, a list of the entities against which the agency had initiated administrative proceedings. Notably, of the eight proceedings listed, seven have been initiated against public entities, such as the Ministry of Health and the Education Department of the Federal District, and one against a private entity. The proceedings pertain to allegations such as failure to appoint a data protection officer (DPO), failure to report data breach incidents to data subjects and failure to enact adequate security measures.
In November 2022, the ANPD published its regulatory agenda for 2023-2024 identifying 20 agenda items. These included not only the sanctions regulations discussed above but also international data transfers, incident reporting, biometric information and artificial intelligence, among others.
Lawmakers in India are considering a data privacy bill, the Digital Personal Data Protection Bill, at least the fourth draft privacy bill India has considered in recent years. The proposed bill removes the strict data localization requirements present in prior proposals, allowing for cross-border data transfers to countries the Indian government approves “after an assessment of relevant factors” that are not specified in the bill.
The bill has an extraterritorial scope but exempts the processing of the personal data of Indian data subjects located outside India if the processing is pursuant to a contract between a person in India and a person outside India. The bill also only applies to personal data that is in a “digitized format,” whether collected online or offline. The bill is being considered by the Indian Parliament in its Monsoon Session, which is expected to conclude in just a few days.
Meanwhile, Canada continues to consider reform of its privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). The current reform proposal, Bill C-27, is under consideration in the House of Commons. The bill would repeal and replace parts of PIPEDA and, in contrast to prior reform efforts, includes the Artificial Intelligence and Data Act, which would regulate the design, development and use of AI systems.
On May 11, a written submission from Canadian Privacy Commissioner Philippe Dufresne was published by the House of Commons Standing Committee on Industry and Technology. In it, the Office of the Privacy Commissioner of Canada proposes 15 recommendations to improve and strengthen Bill C-27. The recommendations fall into the following categories: (1) recognizing privacy as a fundamental right; (2) using privacy in support of the public interest and Canada’s innovation and competitiveness; and (3) using privacy as an accelerator of Canadians’ trust in their institutions and their participation as digital citizens.