By Sheri Rockwell and Jeewon K. Serrato
California privacy lawyers have had a busy July digesting several significant developments in privacy law, at home and abroad. Enforcement actions under the California Consumer Privacy Act (CCPA) and the July 16 decision by Europe’s highest court to invalidate the Privacy Shield data transfer framework underscore that compliance cannot stop with the posting of a policy or the inclusion of standard terms in a contract. Rather, entities will need to continuously monitor their compliance efforts to ensure they are delivering the privacy protections their policies state they will provide.
CCPA Enforcement Kicks Off – Consumer Complaints as a Focus
On July 1, the California Attorney General’s office began CCPA enforcement by issuing several notices to cure, which are required prior to the initiation of any enforcement actions. While the content and targets of those notices remain confidential, this means August may bring the first round of enforcement actions by the AG’s office.
In the second week of July, Supervising Deputy Attorney General Stacy Schesser told privacy professionals that CCPA enforcement priorities would include businesses handling sensitive data (e.g., minors’ personal information), high-impact cases, and businesses that are the subject of multiple consumer complaints. During a panel discussion about the CCPA, Ms. Schesser revealed that her office is monitoring social media sites and other public-facing channels to identify businesses that appear to be the subject of consumer complaints about their ability to exercise their rights under the CCPA.
The deputy AG did not confirm or deny the rumors as to whether the notice letters were focused on the requirements relating to the “Do Not Sell My Personal Information” (DNS) button/link. However, she did mention that the DNS button is a unique aspect of the CCPA that explicitly requires a business that sells data to include the button on its homepage. She warned businesses that sell personal information and do not have the link to include it “as quickly as possible.”
Consistent with its consumer-rights mission, the AG has also revised its CCPA webpage to better educate consumers about their CCPA rights and to provide links for reporting compliance complaints. Privacy lawyers are advised to review the AG’s FAQs closely, as they reveal the AG’s interpretation of the statute and of the final regulations that were submitted to the California Office of Administrative Law for approval. The text of the final regulations, as well as the Final Statement of Reasons and Appendices, can also be found on the AG’s CCPA resource page, which includes the AG’s summaries of and responses to every comment received during the public rulemaking process and an explanation of the modifications the AG’s office made to the draft regulations in response to those comments.
Privacy Shield Invalidated by the Court of Justice of the European Union
Consumers’ privacy rights were also in global privacy news when, on July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework, one of three mechanisms that facilitates the transfer of personal data from the European Union to the United States. The European Court found the framework does not sufficiently protect EU personal data from access and use by U.S. public authorities pursuant to U.S. national security and surveillance laws because those laws do not include the safeguards required to meet EU data protection principles concerning proportionality (e.g., collection is not limited to what is necessary, no limitations with respect to non-U.S. persons) and fail to provide EU citizens with adequate avenues of redress. Among other things, the Court held that Privacy Shield’s Ombudsperson is not sufficiently independent and is unable to adopt decisions that bind U.S. intelligence services.
The Court’s decision also affects another commonly used data transfer mechanism, Standard Contractual Clauses (SCCs). While the use of SCCs was generally upheld, the Court nevertheless noted that relying on SCCs requires companies to verify, prior to transfer, whether the country to which EU personal data is being transferred offers a level of data protection essentially equivalent to that of the EU. This assessment is an ongoing requirement. Compliance may be harder to achieve for U.S. companies given the European Court’s concerns regarding U.S. government access to EU personal data.
The European Data Protection Board in its press release underscored this point by stating:
The assessment of whether the countries to which data are sent offer adequate protection is primarily the responsibility of the exporter and the importer, when considering whether to enter into SCCs. When performing such prior assessment, the exporter (if necessary, with the assistance of the importer) shall take into consideration the content of the SCCs, the specific circumstances of the transfer, as well as the legal regime applicable in the importer’s country. The examination of the latter shall be done in light of the non-exhaustive factors set out under Art 45(2) GDPR.
It is important to note that responses from EU regulators have not been uniform. While the Berlin Data Protection Authority has called for an immediate stop to all data transfers to the US, other EU regulators have responded with more measured “wait and see” public statements, referring to the European Data Protection Board meetings scheduled to begin on July 17 so that the data protection authorities of the different countries can coordinate their responses.
The Department of Commerce responded by emphasizing that any threat to data transfers between the EU and US could have dire consequences and that it “[hopes] to be able to limit the negative consequences to the $7.1 trillion transatlantic economic relationship that is so vital to our respective citizens, companies, and governments.” US Secretary of Commerce Wilbur Ross added that “Data flows are essential not just to tech companies—but to businesses of all sizes in every sector.”
We expect there will be renewed focus and attention on how personal data moves from one country to another for storage and processing purposes, on what strategies, if any, companies have for responding to law enforcement and intelligence agency requests for data, and on understanding what data is being transferred to third parties in general. The General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act are just two of the new data protection laws that have gone into effect in the last three years. These laws give consumers the right to ask companies collecting data (1) how their personal information is collected, (2) with whom the data is shared and (3) for what purpose the data is used. Any organization that collects personal information or provides a service that involves handling personal data should closely monitor how these laws are being interpreted and whether additional controls or measures need to be undertaken to protect consumer privacy.
Sheri P. Rockwell is a Privacy and Cybersecurity Associate in Sidley’s Century City office. She is a member of Sidley’s CCPA Litigation Task Force and serves on the California Lawyers Association’s Antitrust, UCL and Privacy Executive Committee.
Jeewon K. Serrato is a partner in BakerHostetler’s San Francisco office. Prior to joining Baker, she served as Fannie Mae’s Chief Privacy Officer and as a member of the US DHS Data Privacy and Integrity Advisory Committee. Jeewon also serves on the Antitrust, UCL and Privacy Section Executive Committee.