The number of internet users in China has rapidly increased to over 900 million individuals as of March 2020.  As internet availability continues to rise in China and the country’s digital community grows in virtually all industries and populations, the People’s Republic of China is keying into the fact that foreign and domestic businesses seeking to capitalize on China’s market must adhere to rules regarding processing and transferring personal information across China’s borders.

On October 21, 2020, the National People’s Congress Standing Committee unveiled its draft Personal Information Protection Law (PIPL) to the public for view and comment. If enacted, PIPL will be China’s comprehensive law on the protection of personal data. The necessity of PIPL was cited in part by the National People’s Congress Standing Committee due to China’s explosive growth of information integration and the amount of personal data collected. The Committee asserted that protection of its citizens’ personal information was of utmost importance for economic development and that there needed to be clear requirements in order to strengthen personal information protection. Interestingly, PIPL provides numerous data protection principles similar to those we have seen enacted under the European Union’s General Data Protection Regulation and the California Consumer Privacy Act. Specifically, the draft PIPL appears to take on general principles of transparency, fairness, limitations of purpose for data processing, retention limitations, and accountability. Some of the more notable items within the draft PIPL include:

Each month, new developments in European privacy law demonstrate both how the times are changing, and how the 2010 Standard Contractual Clauses are increasingly antiquated.  Last month, the Commission of the European Union (the “Commission”) published two preliminary implementing decisions:

(1) a draft new set of standard contractual clauses for transfers of personal data from the EU to third countries (the “Cross-Border SCCs”); and

(2) a draft of new standard contractual clauses for certain clauses in controller-processor data processing agreements (“DPAs”) pursuant to Article 28(7) of the General Data Protection Regulation (“GDPR”).

Both drafts, available here, were widely anticipated following the Court of Justice of the European Union (“CJEU”) Schrems II decision, which invalidated the EU-US Privacy Shield framework for cross-border data transfer. Once approved, these new clauses will replace the previous standard contractual clauses used by organizations as an appropriate safeguard for making international transfers of personal data under GDPR.


As we all prepare for what will undoubtedly be an unconventional holiday season, many of us are turning to our computers to check off items on our shopping list instead of bundling up to head to the mall. Online shoppers around the nation have already made the strongest showing in history with $10.8 billion in sales on Cyber Monday alone, which amounts to a 15.1% increase from last year, while foot traffic in brick-and-mortar stores was down 42.3% for Black Friday weekend. With the recent spikes in COVID-19 cases around the country, staying home and having those packages delivered right to your doorstep might seem like the safest way to go, but cyber criminals are pouncing on the online shopping frenzy to steal consumers’ personal and financial information.

This increased threat has been a common thread throughout 2020, as we saw cyber criminals amp up their tactics during the early days of the coronavirus crisis and when Americans received their CARES Act stimulus checks. Indeed, the bad guys are not taking a break because of COVID-19. The FBI reports that cybercrimes are up an astonishing 400% this year. Now it is more important than ever to understand how these criminals operate and how you can avoid falling victim to these crimes so that you can keep your celebrations holly and jolly.

Last month we discussed California’s Proposition 24, called the California Privacy Rights Act (“CPRA”), and that California voters approved the CPRA on November 3, 2020. The CPRA amends the California Consumer Privacy Act (“CCPA”), whose final regulations were only recently approved by Attorney General Xavier Becerra in August 2020. The CPRA makes a few substantial changes to the CCPA, such as additional rights for consumers, additional obligations on businesses that apply to the CPRA, an increased focus on “sharing” information for behavioral advertising, and the creation of a new governing entity to enforce the CPRA. The CPRA is set to become effective on January 1, 2023. Until then, the CCPA will remain in full force and effect.

In the midst of an unprecedented presidential campaign, you might have missed that California’s Proposition 24, also called the California Privacy Rights Act (CPRA), was poised to amend the California Consumer Privacy Act (CCPA) a mere three months after Attorney General Xavier Becerra approved the final regulations for the CCPA.

On November 3, California voters approved the CPRA by a count of 56% (Yes) to 44% (No). In July, we discussed the CPRA’s proposed changes to the CCPA, such as creating sensitive personal information as a second category of information. The CPRA also creates additional rights for consumers, additional obligations of businesses that apply to the CPRA, an increased focus on “sharing” information for behavioral advertising, and the creation of a new governing entity to enforce the CPRA.

The CPRA is set to become effective on January 1, 2023, when the CCPA’s compliance requirements for the personal information of employees and business contact requirements will also finally go into effect. We expect other states to follow California’s example and enact stricter privacy laws due to pressure from consumers and privacy advocacy groups. Stay tuned for more on this topic and others as privacy and security continue to be at the forefront of emerging law and business.

Taft partner Scot Ganow will be one of the presenters for “What we wish clients would do about business email compromise,” on Oct. 29, 2020. The one-hour seminar brings together cybersecurity and risk management professionals to examine business email compromise including a real-world case study, the ramifications of an attack, and how to arm your business against would-be opportunists.


In a surprising turn of events, the Brazilian Senate has revised executive order MP 959/2020 to remove the delayed effective date of Brazil’s General Personal Data Protection Law (“Lei Geral de Proteção de Dados” or “LGPD”). As we previously discussed in Taft’s Privacy & Data Security Insights blog, Brazil had originally delayed the implementation of LGPD to have an effective date of January 2021. However, during a remote session on August 26, 2020, the Brazilian Senate rejected the proposed delay by the Brazilian Chamber of Deputies (the lower house of Brazil’s National Congress) and set an enactment date of August 27, 2020. Upon the Brazilian president’s signature of MP 959/2020, LGPD will become effective immediately.

It should be noted that administrative sanctions and penalties for LGPD violations will continue to be delayed until August 2021. As a reminder, under LGPD, the newly created Brazilian National Data Protection Authority (“ANPD”) would oversee personal data protection measures, allowing data subjects to submit claims or complaints directly to the ANPD. Although the ANPD would not be able to bring enforcement actions until August 2021, LGPD—once sanctioned by the President—allows citizens and data subjects to immediately claim violations of their privacy rights through legal action in Brazil’s court system.

The immediate enactment of LGPD is unusual given the fact that it was delayed from its original August 16, 2020 effective date by the Brazilian Congress and President due to the global impact of the COVID-19 pandemic. Despite the ongoing pandemic, Brazil’s leadership appears ready to now move forward with LGPD’s data protection measures. Unfortunately, this means that entities processing relevant personal data will need to ensure they comply with LGPD and follow the ANPD’s guidelines in the ensuing months—while they deal with the impact COVID-19 is having on their businesses. Taft’s Privacy and Data Security Practice and COVID-19 Task Force will continue to update you and our clients on the appropriate measures to take while navigating the challenges of 2020.

Since we originally posted this content to Taft Privacy & Data Security Insights, the governor of California has signed AB 1281, extending the exemptions for employee personal information and that of business contacts until January 2022. This deadline may be extended again, should voters choose the CPRA, as discussed below.

*  *  *

An important development on the California Consumer Privacy Act (CCPA) front occurred as many of us enjoyed the last days of summer and readied for the Labor Day weekend. The California state legislature passed a bill to extend two compliance deadlines for businesses processing applicable employee information and that of business contacts. Currently, businesses are expected to be in compliance with the CCPA for the personal information of employees and business contacts on January 1, 2021. Under Assembly Bill 1281, businesses would have until January 1, 2022 to meet the CCPA obligations.

All of this is subject to the pending vote in November on the California Privacy Rights Act, or CPRA.  If the CPRA passes, Assembly Bill 1281 will be rendered inactive and the exemptions will still be extended until January 1, 2023.

While we all expect the governor to sign AB 1281, nothing is guaranteed—especially in 2020!  If the bill is not passed into law and the CPRA fails at the ballot box, businesses will have to be CCPA “compliant” for employee information and business contact information effective January 1, 2021.  We will keep you posted here on Taft’s Privacy & Data Security Insights.

Taft partners Scot Ganow and Phil Schenkenberg will be featured speakers for the “Cybersecurity for In-house Legal Counsel” Seminar on Oct. 26. The virtual seminar will help in-house counsel understand the legal constructs and terminology widely used within the cybersecurity space, and will provide practical ways they can be more responsive and efficient when cyber issues arise. Taft is a sponsor of the event.

Ganow will present “Legal Overview and Key Cyber Risks for Businesses,” which covers the laws, regulations, standards, and best practices affecting not only an organization’s obligations but its opportunities with its most powerful asset: its data.

Schenkenberg will moderate the panel discussion “Governance and Working Relationship Considerations in Privacy and Data Security.” The panel will explore how governance structures and relationship building within the C-suite can drive success in meeting privacy and security goals.


After months of public comment and sporadic guidance issued by the California Attorney General’s Office, at long last we have the final regulations under the California Consumer Privacy Act, which have been approved by the Office of Administrative Law and filed with the Secretary of State’s Office. The regulations go into effect immediately, and include changes and withdrawn proposals that range from typographical to impactful.

The California Attorney General’s office has characterized the changes to the CCPA text as “non-substantive,” and has withdrawn certain proposed provisions “for additional consideration.” The non-substantive changes are designed to improve consistency in language, and are described in detail in the Addendum to the Final Statement of Reasons. Some withdrawn provisions, however, could impact companies expected to comply with CCPA. We discuss some notable sections below.