At the end of May 2022, the California Privacy Protection Agency (“Agency”) released a preliminary draft of proposed regulations for the California Privacy Rights Act (“CPRA”). The 66-page draft covers only some of the topics the Agency intends to address. The issues covered in this draft include data collection and processing restrictions and detailed requirements on the sale and sharing of personal information. Several notable topics were left out of the proposed regulations and remain unresolved, including specifics about the soon-to-be required Privacy Risk and Impact Assessments, Automated Decision Making, Personal Data Retention, Cybersecurity Audits and Examinations, and the closely watched fate of the employee carve-out.

On June 8, 2022, after the draft release, the Agency conducted a board meeting where board members and authoring members of the California Attorney General’s Office discussed the proposed regulations as well as the upcoming formal rulemaking process. Deputy Attorney General Lisa Kim and Supervising Deputy Attorney General Stacey Schesser described at a high level what changes the proposed regulations brought to the CPRA. The Board also authorized the Agency’s Executive Director, Ashkan Soltani, to commence the formal rulemaking process.

As things look today, the Regulations are unlikely to be finished by the CPRA’s effective date of January 1, 2023, which will create its own challenges, and many important issues remain open. Nonetheless, businesses and organizations operating in California should take notice that the train to operationalize the CPRA is beginning to leave the station.

Generally, the proposed Regulations act as a roadmap for businesses ahead of the 2023 enforcement date. Deputy AG Kim highlighted the main purpose behind the draft, and directed businesses to read the CCPA’s Initial Statement of Reasons, or ISOR, for an in-depth look at the “why” behind the proposed Regulations. Kim and Supervising Deputy AG Schesser pointed out the primary goals of the regulations:

  1. To update the existing CCPA regulations for the CPRA’s amendments, harmonizing and clarifying them to minimize confusion;
  2. To operationalize the existing CPRA amendments, so businesses will have a better idea on how to implement policies and procedures to comply with the law; and
  3. To reorganize and consolidate certain aspects of the law, making it more digestible.

While the formal rulemaking process has not yet commenced, a few public comments on the draft regulations were taken at the Board meeting. Many of the concerns came from small businesses, and the Board was asked to delay the CPRA’s January 1, 2023, effective date by six to twelve months to allow businesses to prepare for the law. CPPA Board members urged the public, businesses and individual consumers alike, to participate in the formal comment period by sharing personal experiences and perceived challenges for the rulemakers to take into account. Below is a more detailed walkthrough of the proposed Regulations and some of the key takeaways we flagged in our review:

Article 1: General Provisions

Under Article 1, the proposed regulations rework some of the existing regulations to make them understandable to both consumers and businesses. For example, the data minimization principle, as restated in section 7002, requires that a business’s “collection, use, retention, and sharing of a consumer’s personal information” be “reasonably necessary and proportionate” to the purpose for which the business collected the data in the first place. Section 7003 sets out the requirements that consumer disclosures and communications be plain and understandable. The core ideas of these sections were already present under the CCPA; the intention of the newly released draft is to restate the regulatory language so that businesses better understand their responsibilities.

Another notable section is 7004, which provides that consent obtained through so-called “dark patterns” is not consent. “Dark patterns” are defined as a user “interface [that] has the effect of substantially subverting or impairing user autonomy, decision-making, or choice, regardless of a business’s intent.” Dark patterns may appear as manipulative language, consumer shaming, or bundled consent options. The draft regulations include examples of what is not acceptable, such as pairing “Yes” to accept with “No, I like paying the full price” as the options for an offer. Section 7004 follows the ongoing theme of transparency for the consumer, requiring businesses to provide easy-to-understand methods of obtaining consent. Note that this is also consistent with the FTC’s treatment of online disclosures and its “deception” doctrine.

Section 7001 defines the terms used throughout the proposed regulations, and according to the ISOR, “assists businesses in implementing the law” while helping consumers to “enjoy the benefits of the rights provided [to] them by the CCPA.” Some of the noteworthy additions include definitions for concepts such as “disproportionate effort”, “frictionless manner”, and “unstructured data.” These definitions may, in theory, help businesses with the burden of compliance under the CCPA, but they lack an objective standard for what falls into these categories. For example, “frictionless manner” is defined as “a business’s processing of an opt-out preference signal that complies with the requirements set forth in section 7025, subsection (f).” 11 CCR § 7001(m). While these definitions technically explain “how” a business should be compliant under the law, the draft’s somewhat circular language could be problematic when it comes to actual business operations.

Article 2: Required Disclosures to Consumers

Article 2 lays out how businesses make disclosures to consumers. When describing the proposals, Deputy AG Kim pointed out the new concept of an alternative opt-out link in Section 7015, which businesses could provide to consumers who want to opt out of the sale or sharing of their personal information or limit the business’s use of their sensitive personal information. The link would be embedded in the business’s website and would direct consumers to a page where they are informed of these rights and given the opportunity to exercise them. The alternative opt-out link is an example of how the proposed regulations operationalize some of the CCPA’s legal requirements. Other notable Article 2 highlights include an updated notice of consumers’ opt-out rights, allowing them to opt out of the sharing of personal information as well as its sale; businesses could also use the alternative opt-out link to comply with this requirement. Businesses will also need to update their privacy policies. Under Section 7011 of the draft regulations, businesses have additional requirements, such as:

  • Stating whether or not the business discloses sensitive personal information for purposes other than those authorized by the CPRA. If that is the case, the business must provide notice information within their privacy policy. 11 CCR § 7011(e)(1)(K).
  • Providing an explanation of the new consumers’ rights added by the CPRA’s amendments to the CCPA, including the right to correct, right to limit, and the right to opt-out of sale and sharing of personal information. 11 CCR § 7011(e)(2). It should be noted that the practical effect of adding “share” (at least the way “share” is defined in the law) to the opt-out obligation is quite limited. The CCPA’s “sale” definition has the same practical effect as the CPRA’s “share” definition.
  • Providing information about how the business responds to and processes opt-out preference signals. 11 CCR § 7011(e)(3)(F). This is a very new concept and has some interesting side effects from a practical implementation perspective, as noted below.

Article 3: Business Practices for Handling Consumer Requests

According to Deputy AG Kim, Article 3 updates how consumers may submit requests to exercise their rights. The Article clarifies that the right to know and the right to delete no longer extend to household information, sets out timelines and methods for businesses to respond to consumer requests, and consolidates the already established exceptions to the consumer right to limit.

One of the most notable updates under Article 3 relates to opt-out preference signals (Section 7025), which is likely to be subject to heavy debate once the formal rulemaking process commences. An opt-out preference signal is defined as a “signal that is sent by a platform, technology, or mechanism, on behalf of a consumer, that clearly communicates the consumer choice to opt-out of the sale and sharing of personal information.” 11 CCR § 7001(r). Browser-level signals are the obvious case. The signal the California Attorney General has recognized to date is the Global Privacy Control (GPC) header; whether the older “Do Not Track” (“DNT”) browser setting also qualifies is less certain, because the definition requires a signal that clearly communicates an opt-out of sale and sharing, and DNT was designed to express a preference about tracking rather than sale.

The CPRA had previously given businesses the option to recognize opt-out preference signals as a method for consumer privacy requests, but the proposed regulations, as written, would require businesses to recognize them. At this point, the proposed regulations are missing technical specifications for opt-out preference signals.

Ironically, a side effect of the signal recognition requirement is that a business whose only “selling” or “sharing” is cross-contextual behavioral advertising via cookies or similar technology on its own website (with no other “sharing” going on) could, by processing the opt-out preference signal in a frictionless manner, avoid posting “Do Not Sell or Share My Personal Information” links on the website at all. For businesses that only “sell” or “share” data by participating in an affiliate advertising network, this is a significant operational benefit. The draft regulations, as written, treat a frictionlessly honored signal as mooting the need for such a link.
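For readers on the implementation side, the following is an added example of what “processing an opt-out preference signal” looks like at the HTTP layer. It is not code from the draft regulations or from the original post, and it assumes two things the post does not spell out: that the Global Privacy Control signal arrives as the request header “Sec-GPC: 1” (as the GPC specification defines it), and that the legacy Do Not Track setting arrives as “DNT: 1”. Whether a business also honors DNT as an opt-out is left as a policy switch, reflecting the uncertainty discussed above.

```python
"""
Added example (not from the draft regulations or the original post): a minimal
server-side check for browser opt-out preference signals.

Assumptions, labelled here because the post does not specify them:
  * The Global Privacy Control (GPC) signal arrives as the request header
    "Sec-GPC: 1" (per the GPC specification).
  * The legacy Do Not Track setting arrives as "DNT: 1".
  * Only the exact value "1" asserts a preference; anything else is ignored.
"""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class OptOutDecision:
    opt_out: bool           # treat the request as an opt-out of sale/sharing
    source: Optional[str]   # which header triggered it, if any
    note: str               # short rationale for the audit trail


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def evaluate_opt_out_signal(headers: Mapping[str, str], honor_dnt: bool = False) -> OptOutDecision:
    """
    Decide whether an incoming request carries an opt-out preference signal.

    GPC is checked first because it is the signal designed to express an
    opt-out of sale/sharing. DNT is only honoured when the caller opts in
    (honor_dnt=True), since "do not track" is not identical to a CCPA
    opt-out of sale/sharing.
    """
    gpc = _header(headers, "Sec-GPC")
    if gpc == "1":
        return OptOutDecision(True, "Sec-GPC", "GPC asserted; suppress sale/sharing for this visitor")

    dnt = _header(headers, "DNT")
    if honor_dnt and dnt == "1":
        return OptOutDecision(True, "DNT", "DNT asserted and business policy honours it as opt-out")

    if gpc is not None or dnt is not None:
        return OptOutDecision(False, None, f"signal present but not asserted (Sec-GPC={gpc!r}, DNT={dnt!r})")
    return OptOutDecision(False, None, "no opt-out preference signal on request")


def third_party_tags_allowed(headers: Mapping[str, str], honor_dnt: bool = False) -> bool:
    """
    Gate for loading cross-context behavioural advertising tags: a request that
    asserts an opt-out must not result in personal information being shared
    with advertising third parties.
    """
    return not evaluate_opt_out_signal(headers, honor_dnt).opt_out


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "gpc_browser": {"Host": "shop.example", "sec-gpc": "1", "User-Agent": "Mozilla/5.0"},
    "dnt_only": {"Host": "shop.example", "DNT": "1"},
    "gpc_zero": {"Host": "shop.example", "Sec-GPC": "0"},
    "no_signal": {"Host": "shop.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        d = evaluate_opt_out_signal(hdrs)
        print(f"{name:12s} opt_out={d.opt_out!s:5s} source={d.source} ({d.note})")
```

In practice this check sits in request middleware, and the decision it returns should be recorded alongside the visitor’s other preferences so that the business can later show how it responded to the signal, which is what the privacy policy disclosure in Section 7011(e)(3)(F) asks it to describe.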

On top of the requirement to adhere to requests to delete, section 7022 of the draft regulations creates the obligation for businesses to notify third parties, service providers, and contractors of the consumer’s request to delete. If a business relies on a CCPA exception to refuse a consumer’s request to delete, they will still have to notify the applicable service providers, contractors, and third parties of the consumer’s request to delete any information not subject to a CCPA exception.

Section 1798.106 of the California Consumer Privacy Act (CCPA) provides consumers with the right to correct inaccurate information. Section 7023 of the proposed regulations operationalizes the right to correct by setting forth the procedures businesses must follow for receiving and handling requests to correct. Other state laws also give consumers a right to request correction, so the operationalized methods in the draft regulations will assist the compliance efforts of businesses operating in other states. Regarding requests to opt out of sale or sharing, section 7026 of the proposed regulations states that a cookie notification or pop-up is not, by itself, an acceptable method for submitting requests to opt out of sale/sharing. According to the ISOR, this section has been restructured to be “easier to read and understandable for businesses and consumers.”

Section 1798.121 of the CCPA provides consumers the right to request that a business limit its use and/or disclosure of their sensitive personal information. The draft regulations add a new section 7027 aimed at giving consumers the ability to limit the use of sensitive personal information to instances where that information is necessary for the business to provide the goods and services, and only for purposes reasonably expected by a consumer requesting those goods and services. According to the proposed regulations, businesses using or disclosing sensitive personal information must provide two or more designated methods for submitting requests to limit. At least one of the methods should reflect the manner in which the business primarily interacts with the consumer (online, brick-and-mortar store, etc.).

Article 4: Service Providers, Contractors, and Third Parties

Article 4 of the Draft Regulations highlights responsibilities for businesses regarding their relationship with third parties, service providers, and contractors. Section 7050 clarifies that a person who contracts with a business to provide cross-contextual behavioral advertising is a third party and not a service provider or contractor. 11 CCR § 7050(c). As a result, that transfer of personal information is subject to the right to opt-out of sharing.

Both sections 7051 and 7053 lay out the requirements that apply to vendor contracts. Notably, the draft proposals would create a new due diligence duty for businesses working with contractors, service providers, and third parties. The regulation states that “[w]hether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA and these regulations.” 11 CCR § 7051. Furthermore, Section 7052 sets forth the duties of third parties, such as recognizing opt-out preference signals and complying with consumer requests. The ISOR states that the listed responsibilities for a third party “benefits businesses by sharing the burden of communicating online requests to opt-out of sale/sharing.”

According to Deputy AG Kim, Articles 5 through 8 are relatively unchanged. The differences mainly reflect where the statutory language now sits, and the draft regulations work to align the language of the CCPA with the CPRA amendments.

Article 9: Investigations and Enforcement

Supervising Deputy AG Schesser discussed the additions made to Article 9, stating that the proposed provisions outline requirements for complaints made to the Agency. The proposed regulations also set out what the Agency needs to start its own investigations. Schesser briefly covered probable cause hearings, stating that the Agency may conduct a probable cause hearing if there is evidence to support a reasonable belief that the CPRA was violated. (11 CCR § 7302(a)). Other sections of the proposed regulations cover requirements for Sworn Complaints (Section 7300), CCPA Investigations (Section 7301), Stipulated Orders (Section 7303), and Agency Audits (Section 7304).

What’s Next?

The Agency said during its February 17, 2022 board meeting that the regulations are unlikely to be finalized on time. Many of the public comments at the June 8 board meeting urged the Agency to push the enforcement date back at least six months. This additional time would allow businesses, small and large, to adjust their privacy practices ahead of the enforcement date. With that said, Executive Director Soltani was just recently authorized to commence the formal rulemaking proceedings. The proceedings will commence when the Agency publishes a notice of proposed action in the California Regulatory Notice Register. After the notice is published, the public will be invited to comment on the proposed regulations for 45 days, a period that could be extended should the Agency make substantial changes. With penalties of up to $7,500 per violation, and both the California Attorney General’s Office and the California Privacy Protection Agency holding enforcement powers, businesses should keep a close eye on the Agency for further updates.

We do not recommend that organizations in California make any drastic compliance plans right now based on the current state of things. We do recommend that organizations subject to the CCPA/CPRA start looking at their vendor and service provider agreements. The draft regulations give pretty clear direction as to the kinds of things that will need to be included in these agreements, even if the actual text of the regulation isn’t final.

On compliance with the rest of the CPRA, there are simply too many unknowns at this point. However, this recent publication and initial public comment activity signals that the 2023 CPRA train is at least rumbling in the distance.

SEC Proposes Mandatory Cybersecurity Disclosures by Public Companies

Introduction

On March 9, 2022, the U.S. Securities and Exchange Commission (“SEC”) proposed mandates for cybersecurity disclosures by public companies. If adopted, these mandates seek to provide investors a deeper look into public companies’ cybersecurity risk, governance, and incident reporting practices. SEC chair Gary Gensler noted in a statement regarding the proposed mandates that cybersecurity incidents continue to become a growing risk with “significant financial, operational, legal, and reputational impacts.”

“The interconnectedness of our networks, the use of predictive data analytics, and the insatiable desire for data are only accelerating, putting our financial accounts, investments, and private information at risk. Investors want to know more about how issuers are managing those growing risks.” – Gary Gensler, SEC Chairperson

President Biden Signs Bill Mandating Cyber Reporting for Critical Infrastructure Entities

Introduction

On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The Act will require critical infrastructure organizations to report cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The Act also creates an obligation to report ransomware payments within 24 hours.

According to the Federal Bureau of Investigation’s 2021 Internet Crime Report, released on March 23, 2022, cyber incidents rose 7% from 2020, with potential losses topping $6.9 billion. Many of the most threatened organizations fall into the critical infrastructure sector, and in 2021 alone, cyber incidents caused oil and food shortages as well as supply chain disruptions. With cyber incidents reaching all-time highs in 2021, the legislation is intended to protect U.S. critical infrastructure entities and support the investigation of cyber crimes going forward. The Act frames the reporting obligations as a way to ensure that the government can support the response, mitigation, and protection of both private and public entities covered under the Act. Within 24 months, CISA’s director is required to issue a proposed rule, and must issue a final rule 18 months after making the proposal. The legislation also authorizes the Director of CISA to issue future regulations to amend or revise that rule.

Utah To Become The Fourth State to Pass Privacy Legislation

Introduction

The Utah legislature has passed Senate Bill 227, otherwise known as the Utah Consumer Privacy Act (UCPA). Barring a veto from Utah Governor Spencer J. Cox, who, as of March 15, 2022, officially has the bill on his desk for action, Utah will become the fourth state to pass a comprehensive privacy bill, following California, Virginia, and Colorado. If enacted, the UCPA would take effect on December 31, 2023.

U.S. Senate Unanimously Passes Cybersecurity Bill on March 2, 2022

Introduction

While previous cybersecurity legislation has largely been unable to pass through Congress, the Strengthening American Cybersecurity Act of 2022 was introduced by U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI) and has been viewed as a priority as threats of cyber incidents continue to rise. The Senate unanimously passed the Act, which, in its current form, would require federal agencies and critical infrastructure operators to report cyberattacks within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA). Should the legislative package make it through the House unchanged, it would also require critical infrastructure companies to report ransomware payments within 24 hours. The Act combines language from three bills Senators Portman and Peters have authored in the past: the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act.

Recent Decision Holds That Failure to Timely Follow Up On Objections to Discovery Requests Does Not Waive Discovery

Recently, a federal Special Master in the District of New Jersey addressed whether a requesting party waives its right to relevant and discoverable documents when it fails to timely follow up on the responding party’s objections. In In re Valeant Pharmaceuticals International, Inc. Securities Litigation,[1] the Special Master refused to entertain the plaintiffs’ waiver argument, finding that the relevant and discoverable documents should be produced regardless.

In that case, defendant served its first request for the production of documents from plaintiffs on October 22, 2018.[2] On July 29, 2019, plaintiffs served objections and responses to those requests.[3] Certain responses included general objections.[4] The response to one request, Request No. 7, included a statement that plaintiffs were “willing to meet and confer” with defendant regarding the “appropriate scope of responsive documents.”[5] The response to another request, Request No. 11, included a statement that plaintiffs would conduct a “reasonable search for and produce responsive, non-privileged, or otherwise unprotected communications in their possession, custody, or control.”[6]

OFAC Issues a New Advisory Memo on Potential Sanctions Risk for Facilitating Ransomware Payments

On September 21, 2021, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued an updated advisory memo on the potential sanctions risk associated with facilitating ransomware payments, once again noting “proactive steps” companies can take to mitigate such risks. The memo comes on the heels of increased regulatory activity and public statements regarding ransomware by the Biden Administration, and of OFAC’s designation and sanctioning of SUEX OTC, S.R.O. for its part in facilitating financial transactions for ransomware actors involving illicit proceeds from at least eight ransomware variants.

The revised memo stresses OFAC’s concern with the many different types of companies that play a role in ransomware cases and the subsequent payments. The memo notes:

Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations. The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks. (emphasis supplied)

The OFAC memo next notes that the growth and facilitation of ransomware payments threatens the national security and foreign policy of the country:

Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims. For example, ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves. For these reasons, the U.S. government strongly discourages the payment of cyber ransom or extortion demands. [emphasis supplied]

First There Was Litigation; And Then There Was Standing

This post has been cross-posted from Seyfarth’s Consumer Class Defense Blog.

Now more than ever, it is important for organizations to review and update their basic information security protocols (their incident response, business continuity and crisis communications plans), and to keep apprised of potential and developing security threats that may imperil their organizations (such as a catastrophic ransomware attack). Nation-state attacks and the efforts of cyber criminal gangs seem to be aimed daily at US businesses, and the ransomware plague, which continues unabated, affects nearly all industry verticals.¹

Unfortunately, even when threats are known and being addressed, when employees are trained frequently on information security, and when the highest security precautions are taken, a threat actor can quickly capitalize on minuscule vulnerabilities, and an organization is faced with the grueling task of picking up the pieces. This usually includes conducting a forensic investigation, updating written information security protocols, deploying patches and password resets, replacing hardware, conducting additional employee training, and analyzing differing state breach notification laws and notifying consumers, attorneys general, and credit bureaus in accordance with those laws.

Even after these efforts, an organization is still at risk of privacy litigation and enforcement. This might come from a state attorney general, a federal regulator, or a consumer whose data was wrongly accessed or in fact stolen during the cyber attack, the last often in the form of a class action.

But in order for a consumer to sue, the threshold, and hot-button, question is whether the consumer has standing under Article III of the US Constitution. [T]he “irreducible constitutional minimum” of standing consists of three elements. The plaintiff must have (1) suffered an “injury in fact” (2) that is “fairly traceable” to the challenged conduct of the defendant and (3) that is likely to be redressed by a favorable judicial decision.²

This article discusses the first prong of the standing elements: injury in fact. Because it is generally difficult for plaintiffs in these actions to show financial harm or other actual damages, the plaintiffs’ bar has argued that the future risk of harm should suffice to meet the first prong. The Supreme Court stated in Spokeo, Inc. v. Robins that even when a statute has been violated, plaintiffs must show that an “injury in fact” has occurred that is both concrete and particularized. While this provided some additional guidance, the question of how the future risk of harm fits in was left open. On June 25, 2021, the Supreme Court revisited the issue in TransUnion LLC v. Ramirez, 20-297, 2021 WL 2599472, at *1 (U.S. June 25, 2021), a case in which a credit reporting agency flagged certain consumers as potential matches to names on the United States Treasury Department’s Office of Foreign Assets Control (OFAC) list of terrorists, drug traffickers, and other serious criminals. The Court found that those “flagged” consumers whose information was divulged to third-party businesses as being on this list suffered a concrete injury in fact. With regard to those consumers who were flagged as potential matches but whose information was never disseminated, the Court was unconvinced that a concrete injury occurred. Id. The Court further examined the risk of future harm for these individuals but declined to find injury in fact, stating that a risk of harm cannot be speculative; it must materialize, or have a sufficient likelihood of materializing. Id. It will be interesting to see how this ruling plays out in the circuits in the context of a data breach. The Court included in its opinion some notable observations on the circumstances that may give rise to a concrete harm. Id.

Aside from physical or financial harm, the Court also stated that reputational harm, the disclosure of private information, or intrusion upon seclusion may rise to the level of concrete harm. Id. This begs the question of whether a risk-of-harm analysis is even necessary in the context of a breach where private information is indeed accessed and disclosed (i.e., disseminated) to an unauthorized third party.

Introduction

On June 10, 2021, China officially passed China’s first Data Security Law, which will take effect on September 1, 2021. Following the introduction of the Data Security Law, together with the Cybersecurity Law, which has been implemented since June 1, 2017, and the Personal Information Protection Law, which is undergoing public comment for its second draft released on April 29, 2021, data compliance is becoming increasingly important and complicated for companies operating business in China or with data originating from China.

Background

Before the enactment of the Cybersecurity Law in 2016, China did not have any dedicated national legislation on data security, and the duty of protecting data was mainly left to the companies that collect and/or use data to implement voluntary protection schemes. The 2016 Cybersecurity Law addressed cyber data management and security, but other types of data remained unregulated. The Data Security Law fills that gap by addressing all types of data (both electronic and non-electronic) and covering the full life cycle of data activities.

Scope of governance

Under the 2016 Cybersecurity Law, all the network owners, managers, and service providers (the “Network Operators”) are required to implement measures to safeguard network security and integrity, and ensure contents published on the network are legal and appropriate. Although technically speaking every enterprise providing services or operating business through a computer network would fall within the definition of Network Operator, based on the reported enforcement cases since 2017, website and mobile application operators were the primary targets of the crackdowns.

By contrast, the Data Security Law has a much wider jurisdiction. Firstly, unlike the 2016 Cybersecurity Law, which governs only cyber data, the Data Security Law also covers non-electronic data. Secondly, although both laws impose long-arm jurisdiction over illegal overseas activities, the sanctions under the 2016 Cybersecurity Law are limited to the exportation of personal and core data originating from China, the importation of illegal data from overseas, and activities severely undermining China’s core information infrastructure facilities, whereas any overseas data processing activity that jeopardizes China’s national security, public interest, or the lawful rights of any person or entity is illegal under the Data Security Law. The Data Security Law is clearly taking a catch-all approach that provides very broad grounds for future enforcement.

Points to note

Data classification system

From the fact that the term “national security” is mentioned 14 times in a law comprised of only 55 provisions, it is quite clear that enhancement of national security is a very big driver behind the promulgation of the Data Security Law, if not the most important one. Pursuant to the Data Security Law, the Chinese government will for the first time establish a centralized classification system by the level of importance of the data. Data that are pertinent to national security, national economy, social welfare, and important public interests will be regarded as core data, and will be subject to stricter scrutiny. In the near future, the Chinese government will publish national, regional, and departmental catalogues with classification guidance for the ease of reinforcing supervision on core data processing activities.

Data security monitoring system

As required by the Data Security Law, all data processors will be required to establish a data security policy and a risk monitoring system. Processors of core data are required to report their data protection practices to the government on a periodic basis, and processors of non-core data are required to report to the government in the event of a security failure. Companies that fail to protect their data and cause large-scale data leakage may face a fine of up to RMB2 million and risk suspension or closure of business. If the violation concerns core data and jeopardizes China’s national interests, the fine may be up to RMB10 million.

Data exportation

The exportation of core cyber data will continue to be governed by the 2016 Cybersecurity Law, whereas China will introduce a new regime for the exportation of other data. One of the most notable implications of this data exportation restriction is its counteracting effect against the Clarifying Lawful Overseas Use of Data Act (the “CLOUD Act”) promulgated by former US President Donald Trump in 2018. The CLOUD Act enables US law enforcement agencies to demand access to electronic data no matter which country the data is stored in. However, under the 2016 Cybersecurity Law, the exportation of personal data and important data stored in core information infrastructure facilities in China is subject to safety review. This measure has been endorsed by the Data Security Law, which further provides that companies that fail to comply with this requirement may be fined up to RMB10 million and risk suspension or closure of business. The Data Security Law also allows countermeasures to be taken in response to any discriminatory measures adopted by foreign countries or regions against China’s data or data-development-related investment or trade.

Observation

So far, the Data Security Law has only set out a skeleton for the governance of data. The meaning of some important concepts remains unclear. For instance, the concept of “public interests” in the Data Security Law is widely used across various Chinese legislation, but there is neither a specific definition for it within the Data Security Law itself, nor has the legislator published any guidance clarifying it. Further, it is unclear which governmental authority should be responsible for enforcement. Based on the latest enforcement case report, a large-scale violation of citizens’ information privacy by certain Chinese local companies operating mobile phone apps was sanctioned by a joint group consisting of the Public Security Bureau, the Cyberspace Administration Office, and the Communication Administration Bureau for “jeopardizing public interests.” However, it is worth noting that the concept of “public interest” is a bit different in the US than in China. Generally speaking, public interest in the US is limited to activities like public health (think pandemic response) or rule of law (think law enforcement). This is a much narrower concept than in other places in the world. As such, it will be prudent to see what the Chinese officials do with their approach to defining “public interest.”

While waiting for further implementation rules, enterprises with data originating from China should start assessing their exposure to the risk of data leaks, unauthorized data exportation, and other violations in this new compliance environment, and seek professional advice.

This post was originally posted on The Global Privacy Watch blog.

In a long-awaited decision, the European Commission (“Commission”) adopted two new sets of standard contractual clauses (“SCCs”) to reflect the EU’s General Data Protection Regulation (“EU GDPR”) and ‘the realities faced by modern business’ (see the Commission’s press release). These replace the current SCCs that were adopted over 10 years ago under the now-repealed Data Protection Directive. The EU’s Commissioner for Justice, Didier Reynders, cited the SCCs as providing companies with ‘more safety and legal certainty’ and as being ‘user friendly tools’.

It is important to note that the new set of SCCs is significantly different from the previous set. For example, instead of focusing on the status of the parties as “controller” or “processor,” the new SCCs focus on the location of the parties, regardless of status. This is a significant departure from the prior form.

The two sets of SCCs are (i) for use between controllers and processors inside the EU/EEA, and (ii) for cross-border transfers between controllers and processors. Both can be used as of 27 June 2021. Note that the effect of Brexit has added

What are the key takeaways?

  • There are now approved SCCs for intra-EU agreements under Article 28. As a consequence, there is now a “safe harbor” to ensure all of an entity’s processor (Article 28) agreements are compliant. This did not exist previously.
  • The SCCs have a ‘modular approach’, enabling multiple parties to join and use them. Additionally, there will now only be a need for one agreement addressing both Article 28 and Article 46 requirements. Until the new SCCs came out, a different agreement was needed for each of the two Articles.
  • The SCCs account for the Schrems II decision, which in 2020 considered the validity of the previous SCCs in relation to international transfers. The SCCs outline the steps that data controllers/processors must follow to comply with the decision and provide possible supplementary measures that can be taken, if necessary (e.g. encryption, pseudonymisation).
  • As part of the Schrems II consideration, both data exporters and importers must warrant that they have carried out a local law assessment (i.e. relating to the jurisdiction that will receive the data) and that they have no reason to believe that local laws/practices would prevent the importer from complying with its obligations under the SCCs.
  • There is an 18-month transition period for controllers and processors to update the current SCCs in their contracts, intra-group transfer agreements etc. This is a welcome improvement on the 12-month period suggested in the November drafts. The previous SCCs can still be included in new contracts until 27 September 2021, but these contracts will then need to be updated within the transition period.

Practical Implications

The new SCCs have made some significant changes in how to implement, and how hard it is to implement, the clauses. The previous SCCs were fairly simple to implement – you just filled in the blanks in the appropriate form (i.e. controller-to-controller or controller-to-processor) and you were done. The new SCCs are not as easy an exercise. While the original data flows under the original SCCs are still present, the new SCCs recognize that services businesses in the EU shouldn’t be left out of the thinking behind the SCCs. And since a processor in the EU working with foreign (e.g. US) data shouldn’t have to impose the GDPR on exclusively non-EU data, we now have “processor to sub-processor” and “processor to controller” modules.

In addition to the various modules, there are embedded “options” within the modules as well (e.g. Clause 13). This is a significantly new format, and one which will require legal counsel to determine which module and options to use.

Along with the counsel needed to figure out just which modules and options to use in the SCCs, the Schrems II considerations now also demand a much higher level of legal work as part of the execution of the SCCs. Parties now have to undertake a legal evaluation of whether or not there are local law issues which might make the enforcement of the SCCs’ provisions (including enforcement by third-party beneficiaries) problematic. This evaluation has to be documented, and the documentation has to be in a form that is available to a supervisory authority should it request it. This means the documentation can’t be hidden away under attorney-client confidentiality rules. It will need to be available to a public authority.

There are a number of other tactical changes, some of which are welcome (e.g. how to deal with general authorizations of sub-processors) and some of which are less so (e.g. having to identify a specific supervisory authority where the importer doesn’t have an EU Representative). However, these will have significantly less of a “cost to implement” than the new structural and analytical requirements.

How does this affect transfers with the UK?

The SCCs are not applicable to the UK GDPR. However, the UK’s Information Commissioner’s Office (“ICO”) has said it will consider recognizing the SCCs as a valid transfer mechanism under the UK GDPR. In any event, the ICO is planning to propose, and consult on, bespoke UK SCCs for international transfers later this year. That being said, it is possible that recognition of the EU SCCs will be contingent on the UK retaining its adequacy decision, which is currently under scrutiny. Also, the ICO has already adopted the use of the prior SCCs as part of the Brexit package. It would follow that the UK would have some sort of recognition of the EU SCCs, even in light of the UK promulgating its own. This is similar to the way the Swiss and the EU have managed interoperability between their respective SCCs.