Privacy & Cybersecurity

Organizations that use the European Union’s Standard Contractual Clauses (SCCs) to govern their transfers of personal data from the European Economic Area (EEA) to other countries should have September 27, 2021 circled in red in their calendars (or the virtual equivalent).

Long holiday weekends make for ransomware attacks and data breaches. It is well-known that malicious actors take advantage of understaffed IT resources on holidays. In fact, it’s become such a common occurrence, that the FBI and the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security have issued a joint advisory warning organizations to be on high alert as Labor Day weekend approaches.

The United Kingdom has been busy in the past couple of weeks starting to chart its independent course on data protection and privacy matters. Here’s a quick round-up of the some interesting and important developments.

There is a glut of information out there regarding privacy and cybersecurity these days. Our new feature “What We’re Reading” provides a curated list of articles, blogs, newsletters, and books that you may find interesting and helpful.

There is a glut of information out there regarding privacy and cybersecurity these days.  Our new feature “What We’re Reading” provides a curated list of articles, blogs, newsletters, and books that you may find interesting and helpful.

Another district court just ordered the defendant in a data breach class action to turn over the forensic report it believed was entirely protected from disclosure by the attorney-client privilege and work product doctrine. See In re Rutter’s Inc. Data Security Breach Litigation, Case No. 1:20-CV-382 (N.D. Penn. July 22, 2021). The court granted the motion to compel Rutter’s to produce its investigative report (the “Kroll Report”), which was created after the defendant was notified of a potential breach.

There is a glut of information out there regarding privacy and cybersecurity these days.  Our new feature “What We’re Reading” provides a curated list of articles, blogs, newsletters, and books that you may find interesting and helpful.

To note the one year anniversary of the California Consumer Privacy Act (CCPA) enforcement date, California Attorney General Rob Banta held a press conference on July 19, 2021 to share key information about enforcement efforts and announce a new consumer privacy tool. He also praised businesses for their prompt compliance efforts and urged consumers to be proactive about their privacy rights.

Colorado has now joined California and Virginia to become the third US state to pass a comprehensive data privacy legislation when Governor Jared Polis signed the Colorado Privacy Act (the “CPA”) into law on July 8, 2021. The new law is set to take effect on July 1, 2023. The CPA borrows in part from the European Union’s General Data Protection Regulation (“GDPR”), but more significantly from both the California Consumer Privacy Act (“CCPA”, including as amended by the California Privacy Rights Act (“CPRA”)), and the Virginia Consumer Data Protection Act (“VCDPA”). Below, we highlight some of the CPA’s key elements and explore how the law compares to the CCPA and VCDPA.

As we’ve written, New York City’s Biometric Identifier Information Law (the “NYC Law”) is now in force, effective Friday, July 9th.  The NYC Law requires that places of entertainment, retail stores and food and drink establishments that collect biometric identifying information, including from customers and employees, post a “clear and conspicuous” notice to that effect near customer entrances.

As previewed in Mintz’s earlier post, New York City’s Biometric Identifier Information Law the “NYC Law”) is now in force, effective Friday, July 9th.  The NYC Law requires that places of entertainment, retail stores and food and drink establishments that collect biometric identifying information, including from customers and employees, post a “clear and conspicuous” notice to that effect near customer entrances. 

There is a glut of information out there regarding privacy and cybersecurity these days.  Our new feature “What We’re Reading” provides a curated list of articles, blogs, newsletters, and books that you may find interesting and helpful.

If your business is subject to the California Consumer Privacy Act (CCPA), and your business handles (in any manner set forth in the CCPA) the personal information of 10,000,000 or more California residents in a calendar year, you are required to report on consumer request metrics annually.  The first reporting period under the CCPA begins on Thursday, July 1, 2021.

On Friday, a sharply divided U.S. Supreme Court issued a ruling, which significantly impacts the plaintiffs’ ability to pursue privacy and data breach class actions in federal courts. In TransUnion LLC v. Ramirez, Case No. 20-297, the Court opined that most of the plaintiffs failed to show a “concrete” injury and thus had no standing to pursue their claims because they did not suffer real, personal harm.

At the close of Connecticut’s 2021 legislative session, a pair of data protection/cybersecurity related bills made their way to Governor Ned Lamont’s desk, while a CCPA-like omnibus privacy law falling one floor vote short. Oddly, the last-minute proposal (after other proposals in the House and Senate) were found in a 122-page budget bill and ended up being stripped away.

Many organizations around the world – and particularly companies in the United States – are directly affected by the EU Court of Justice’s July 2020 Schrems II decision casting doubt on the lawfulness of transferring personal data from the EU to countries where national security laws might permit authorities to gain access to the personal data.  (The Schrems II decision is discussed below; click here for a longer discussion of the case.)  The European Data Protection Board (EDPB) has just published the final form of its guidance as to what it expects organizations to do to assess risks and bolster protections for transfers of personal data.

2021 could be another record year for new and pending privacy legislation, including laws either banning outright or placing limits on the use of technology involving biometric information.  Just this year, Portland, Oregon implemented a ban on facial recognition technology beginning January 1.  Although the New York State Legislature failed to pass a broad biometric privacy law for the third session in a row, New York City recently adopted its own biometrics privacy legislation that is set to take effect on July 9, 2021.

The Mintz Privacy & Cybersecurity Blog will be providing regular updates of notable pending US state privacy laws.  Following our similar previous updates, this update checks in on the progression of those laws.   The most notable update is that Colorado is set to become the third US state to pass a comprehensive privacy law as the Colorado Privacy Act is on the governor’s desk and is expected to be signed. 

The new standard agreement for service providers (which we’ll refer to as the Controller-Processor SCCs) adopted by the European Commission on June 4th was understandably a bit overshadowed by the release on the same date of the Standard Contractual Clauses for data transfers.  But the new Controller-Processor SCCs, which organizations can use with their service providers to meet their GDPR Article 28 obligations, is another welcome addition to the EU’s small but growing library of standard documents. 

The European Commission has adopted (at long last) an updated version of the Standard Contractual Clauses (SCCs), bringing this popular data transfer mechanism in line with the GDPR – and, we hope, the Schrems II decision.  The SCCs are the most commonly used legal mechanism for transferring personal data from the EEA to non-EEA countries (known as “third countries”), so the new SCCs are very big news for organizations that transfer or receive personal data from the EEA (that is, the European Union plus Norway, Iceland and Liechtenstein).