Wednesday, July 28, 2021

The Ever-Changing Data Privacy Legal Landscape

It seems like a week does not go by without some new law or guidance that requires me to re-evaluate the advice given to businesses on how to comply with the ever-changing data privacy laws. 

Just as businesses were getting accustomed to the new compliance requirements imposed by the General Data Protection Regulation (GDPR), California surprised everyone and enacted the 2018 California Consumer Privacy Act (CCPA), which I discussed in this post. Businesses were quick to update privacy policies and implement new systems and processes to comply with both the GDPR and CCPA. Data subject access requests, known as DSARs, kept lawyers like myself and other compliance professionals busy.

The EU considers current USA data privacy protection safeguards inadequate; as a result, a business cannot collect and process data of residents of the EU on a server based in the USA without finding some GDPR-approved legal mechanism. When the so-called Privacy Shield was invalidated in July 2020 by the European Commission, businesses lost a popular safe harbor and were left with Standard Contractual Clauses (SCCs) as a GDPR-approved legal mechanism to permit the cross-border transfer of personal data from EU residents.

  • Then, on June 4, 2021, the European Commission adopted new SCCs which, once again, will require businesses to re-evaluate their data processing activities.
  • In 2021 we have already seen Virginia and Colorado join California and pass their own versions of data privacy laws. 
  • On June 24 Connecticut passed a new cybersecurity law that provides incentives to businesses who implement reasonable data security.

It seems inevitable that other states will follow with their own flavor of data privacy rights for their residents. Each of these new state laws has similarities and differences that can make compliance a real challenge. While we can all hope for a comprehensive federal data privacy law that might allow businesses and their legal counsel to craft practical compliance programs, Congress is not likely to pass such a law anytime soon.

There is, however, a glimmer of hope for achieving uniform data privacy laws in the form of the Uniform Personal Data Protection Act (UPDPA), which was approved July 14, 2021 by the Uniform Law Commission (ULA). According to the ULA, the UPDPA “provides a reasonable level of consumer protection without incurring the compliance and regulatory costs associated with some existing state regimes.” The UPDPA provides a template for states to enact more uniform legislation.

It will be interesting to see how the UPDPA is received by states that are already looking at the approaches taken by California, Virginia, and Colorado. So be prepared; the months ahead promise to be challenging for businesses and their lawyers who try to keep pace with this ever-changing patchwork of federal, state, and global privacy laws.
