The Privacy Law Plot Continues to Thicken: Compliance Considerations for 2021

Patchwork and continually changing regulation continues to be the trend in data privacy law, with 2020 adding new legislation to the fray and striking down some existing privacy structures. 2021 will likely be a time of reflection for businesses trying to adjust to impending new requirements in the face of an increasingly remote workforce and customer base.

Boards and management will need to ensure that their businesses not only adjust to the legislation that entered into force in 2020, but are also preparing for the implementation of additional legislation on the horizon. As always, boards and management will need to continue to monitor the evolving privacy compliance landscape to ensure that they are mindful of privacy obligations and attendant risks when implementing their business objectives and oversight going into 2021.

California Privacy Rights Act (CPRA)

Californians passed the CPRA via ballot initiative in the November 2020 election. Superseding and augmenting the existing California Consumer Privacy Act (CCPA) that itself only came into effect in the beginning of 2020, the CPRA clarifies certain ambiguities in the CCPA and introduces new complexities and uncertainties for businesses to get a handle on before it goes into effect on January 1, 2023. While the CPRA both narrowed and expanded the applicability of the law on businesses, generally the law will apply to those businesses to which the CCPA is applicable. New regulations will still need to be issued to implement the act, resulting in more uncertainty and a pressing need for businesses to stay abreast of the evolution of this law as it moves toward its effective date.

Many obligations under the CCPA will remain. Notable differences between the CCPA and the CPRA include:

• Additional Obligations Regarding Sharing of Personal Information. The CPRA includes new rights and obligations regarding the practice of a business “sharing” (not only selling) personal information, with a broad definition of “sharing” including providing a third party with consumer personal information for the purpose of cross-context behavioral advertising.[1] The CPRA provides consumers with a new right to opt out of the sharing of their data for this purpose, and as a result businesses will have to modify their websites and business practices to allow consumers to exercise this right.
• New Rights Relating to Sensitive Personal Information. The CPRA creates a new concept of “sensitive personal information” (SPI).[2] Consumers may direct businesses collecting SPI to limit use of their SPI to those uses “necessary to perform the services or provide the goods reasonably expected by an average consumer” of such goods or services.
• New GDPR-Inspired Rights. The CPRA gives consumers additional rights that are akin to rights under the EU General Data Protection Regulations (GDPR) – specifically, the right to correct personal information and the right to “data minimization,” meaning covered businesses may only collect, use, retain and share a consumer’s personal information to the extent that it is “reasonably necessary and proportionate” to either (i) the purpose for which it was collected or processed or (ii) another disclosed purpose that is compatible with the context in which it was collected.

Other key aspects of the CPRA include:

• Continued Review of Service Provider Agreements. The CCPA requires a covered business to impose certain contractual restrictions on service providers that process consumers’ personal information on behalf of the business. The CPRA has expanded the required restrictions, including by requiring a business to prohibit its service providers from combining personal information collected from the business with personal information collected through other means, either independently by the service provider or from other businesses.
• Enforcement. The CPRA establishes a “California Privacy Protection Agency,” the first agency of its kind in the United States, that will be able to enforce the CCPA and the CPRA beginning July 1, 2023.
• Forthcoming Regulations. The CPRA requires adoption of several specific regulations, including rules requiring businesses to perform a GDPR-inspired annual audit to determine if their processing of consumers’ personal information presents significant risk to consumers’ privacy or security and to submit regular risk assessments with respect to processing of personal information to the California Privacy Protection Agency.
• Moratoria on Employee and B2B Data. Currently, the CCPA does not apply to employee data or personal data collected in a business-to-business relationship. These moratoria have been extended to January 1, 2023.

EU – U.S. Privacy Shield Invalidated and Stricter Conditions to Continued Use of Standard Contractual Clauses Anticipated

In a highly anticipated landmark judgment handed down on July 16, 2020, the Court of Justice of the European Union (the CJEU) in Data Protection Commissioner v. Facebook Ireland and Maximillian Shrems (Schrems II)[3] invalidated the EU-U.S. Data Protection Shield (Privacy Shield) as a means for legal transfer of personal data from the EU to the United States.  Businesses that transfer personal data from the EU to the United States can no longer rely on the Privacy Shield framework to transfer such data in compliance with the GDPR. 

While the CJEU’s judgment confirmed that the European Commission’s “Standard Contractual Clauses” (SCCs) remain a valid mechanism for the transfer of personal data to “third countries” (including, but not limited to, the United States), the Schrems II judgment confirmed that primary responsibility for determining their efficacy on a case-by-case basis, by reference to the laws applicable in the recipient country, remains with the data exporter.

Whether or not your business was relying on the Privacy Shield framework, the Schrems II judgment gives rise to new legal concerns with respect to the primary methods that remain available to businesses for the transfer of personal data from the EU in compliance with the GDPR.[4]

• Continued Reliance on Standard Contractual Clauses. As noted above, the CJEU made clear that SCCs remain valid; however, whether they amount to an appropriate safeguard in the circumstances of a particular transfer must be determined by the data exporter in collaboration with the data importer. The data controller must ascertain, in collaboration with the data importer, that the laws of the recipient country would not cause the parties to be incapable of complying with the SCCs or take efficient supplementary measures to protect the transferred data. In particular, the existence of laws permitting surveillance of, or access to, personal data by public authorities (where such access goes beyond what is “necessary in a democratic society”) will preclude the ability to rely solely on the SCCs as a means to transfer the data in compliance with the GDPR unless technical, contractual or organizational measures (such as encryption or pseudonymisation) are taken to remedy the risk of unauthorized access.
• Reliance on Derogations. The GDPR provides for a number of “derogations” to the general restriction on ex-EU data transfers, as set out in Article 49. These derogations include, for example, (i) obtaining consent of the data subjects; (ii) the transfer being necessary for the exercise, establishment or defense of a legal claim; or (iii) the transfer being necessary for important reasons of public interest. Derogations are generally not intended for use in connection with massive or repetitive transfers and should be examined on a case-by-case basis.
• Reliance on Binding Corporate Rules (BCRs).  For transfers of personal data between entities in the same corporate group, businesses can rely on BCRs.  However, BCRs take time and a significant investment to put in place, and BCRs must be pre-approved by the competent supervisory authorities.

Other Privacy Legislation

• Other U.S. State Laws. The trend toward increased state privacy laws continued into 2020 with data privacy bills introduced in at least 30 states and Puerto Rico during 2020. However, the COVID-19 pandemic shifted legislative attention and, aside from California, no other prominent legislation was enacted.
• S. Federal Law. There was no substantial progress toward federal data privacy legislation, although in September, Republican senators introduced new data privacy legislation – the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. Whether such legislation becomes a priority of the Biden administration is yet to be seen. However, in light of the COVID-19 pandemic, there is a possibility of renewed attention to federal data privacy law related to health information.
• International Laws. In 2020, data privacy laws in Brazil and Thailand went into effect, and India and South Korea introduced legislative changes in respect of data privacy. This trend will continue into 2021, making clear that boards and management will need to continue to monitor the evolving landscape of these laws on a global basis.

Increased Litigation and Enforcement Risks

Class action activity regarding data protection or privacy violations is increasing across jurisdictions.  Data rights groups in the European Union and United Kingdom are seeing a rise in representative or class action-type suits – with class actions filed in the Netherlands against Oracle and Salesforce for alleged GDPR violations, as well in the UK against British Airways and Marriott in connection with personal data breaches for which both parties have incurred fines from the UK Information Commissioner’s Office. Also in the UK, in 2021 the Supreme Court is set to hear the final appeal in the Lloyd v Google representative action which, if the class is successful, will open the door to representative actions in the UK for damages associated with the “loss of control” of personal data.  Currently class actions under the GDPR are limited by member-state laws governing class actions, but this could change in light of a new directive agreed in June 2020 that, if adopted, would create a right of collective class action across the entire EU for data privacy violations.

In the U.S., standing has historically been an issue for plaintiffs bringing privacy-based class actions.  However, courts have been increasingly allowing claims brought by plaintiffs that have not suffered actual damages or identity theft by, instead, finding that an increased risk of identity theft establishes standing.  In April, the Ninth Circuit in the matter of In re Facebook, Inc. Internet Tracking Litigation permitted plaintiffs’ claims to continue, finding that violation of privacy constituted a concrete injury for standing purposes.  Additionally, plaintiffs’ ability to bring class actions that survive removal to federal courts and establish Article III standing under the Illinois Biometric Information Privacy Act (BIPA) was bolstered by the Seventh Circuit in Bryant et al. v. Compass Group U.S.A. Inc.  Here, the Seventh Circuit found that defendant’s failure to provide plaintiff with informed consent to the collection of her biometric data caused plaintiff to suffer a concrete injury and allowed certain of her BIPA claims to proceed in federal court.

Finally, high-profile tech companies are facing these claims at an increasing rate (e.g., Shutterfly and Facebook have defended BIPA class actions), and claims and settlement amounts are making headlines (e.g., in 2020, Facebook agreed to pay $650 million to settle its long-fought BIPA dispute; and in September 2020, a class-action style claim against Google subsidiary YouTube was filed in the UK, seeking damages of approximately £2.5 million, alleging YouTube’s violation of UK and EU data protection law).  The increased publicity brought by these defendants and these amounts might create the perfect storm for “big ticket” litigation.

Coupled with those cybersecurity enforcement actions and litigation highlighted in Cybersecurity: Another Year of Intrusions and Regulation Punctuated By a Pandemic in this memo, this trend in litigation indicates that failure to comply with privacy and cybersecurity laws will increasingly result in significant financial liability and should continue to be a focus of boards and management as we move into 2021.

Key Takeaways:

• While the CPRA expands the privacy rights afforded by the CCPA, it does not go into effect until 2023. Until then, businesses must continue to comply with the CCPA and its related regulations while also monitoring the developments under the implementing regulations of the CPRA and preparing for CPRA compliance in two years.
• Legislative and enforcement trends indicate that failure to closely monitor data collection, processing and sharing activities and compliance obligations will pose increasing financial risk as this landscape evolves in 2021.

[1] Defined as “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”

[2] Personal Information that reveals a consumer’s (1) government identification number; (2) account log-in, financial account, debit card, or credit card number in connection with any required security or access code; (3) precise geolocation (to be defined further in regulation); (4) race, ethnicity, religious or philosophical beliefs, or union membership; (5) contents of mail, email, or texts (unless the business is the intended recipient); or (7) genetic data. It also includes the processing of biometric information to uniquely identify a consumer or personal information collected and analyzed concerning the consumer’s health (to the extent not covered by the existing HIPPA exemption), sex life, or sexual orientation.

[3] For additional information, see our July blog post here.

[4] Among other developments since the judgment (blog post available here), on November 11, 2020, the European Data Protection Board published Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, which attempt to provide a step-by-step roadmap to help data exporters transfer personal data outside the EU in a manner consistent with the Schrems II judgment. The following day, the European Commission published a new set of standard contractual clauses with a view to incorporate certain contractual measures in light of the judgment. Both the EDPB’s recommendations and the European Commission’s new set of standard contractual clauses are still subject to comments via public consultation.