Develop a Process to Create Privacy Impact Assessments Under the Attorney-Client Privilege
We’re waiting for California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) regulations on risk assessments in California, but the text of the law permits the California Privacy Protection Agency (CPPA) to issue rules requiring businesses to create risk assessments for any processing of personal information and to submit them “on a regular basis” to the CPPA.
These assessments identify privacy risks and the remediation measures that can be applied to an organization’s data processing operations, and they must balance the risks of the processing activities against the benefits of the processing. In the United States, businesses are preparing them to comply with new state laws. The pace of these efforts will only increase as new laws are passed and take effect later this year, in 2024, and beyond.
The process of creating these assessments involves generating correspondence, memos, and draft assessments that are highly sensitive. These materials are inherently legal in nature, can be damaging evidence in a regulatory investigation or in litigation, and should be created under, and protected by, the attorney-client privilege.
Rule 8.02 of the Colorado Privacy Act (CPA) Rules provides that, “a data protection assessment shall be a genuine, thoughtful analysis of each Personal Data Processing activity that presents a heightened risk of harm to a Consumer… that:
- identifies and describes the risks to the rights of consumers associated with the processing;
- documents measures considered and taken to address and offset those risks, including those duties…;
- contemplates the benefits of the Processing; and
- demonstrates that the benefits of the Processing outweigh the risks offset by safeguards in place.”
These assessments are available to the Colorado Attorney General upon request, not only in the course of an investigation but apparently at will. The rules go on to require that such assessments include 13 different elements (and 21 sub-elements) and be kept as long as the processing continues and for three years thereafter.
The CPA itself provides that when produced, these assessments are confidential and made exempt from public inspection and copying under the Colorado Open Records Act. Connecticut’s Act Concerning Personal Information and Online Monitoring requires disclosure of data protection assessments in an investigation and offers similar protections to the assessments.
In these states, and in Virginia, under the Virginia Consumer Data Protection Act, the disclosure of a data protection assessment “does not constitute a waiver of the attorney-client privilege or work-product protection that might exist with respect to the assessment or any information contained in” it.
But what if, in addition to requiring the production of a data protection assessment itself, an Attorney General calls for the production of the correspondence, internal memos, and drafts compiled in the course of creating a data protection assessment? Unless this material was created within the scope of the attorney-client privilege, you may have to produce it. And because only the final assessment is protected from disclosure, none of that material is protected from public disclosure, or from disclosure to plaintiffs’ lawyers. In an enforcement or litigation context, it is hard to imagine any document or set of documents that would be more likely to be second-guessed, attacked, and used to prosecute well-intentioned businesses.
Things are even more precarious in California.
The CCPA, as amended by the CPRA, directs the CPPA to establish rules that require businesses “whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security” to “submit to the California Privacy Protection Agency on a regular basis a risk assessment with respect to their processing of personal information, including whether the processing involves sensitive personal information, and identifying and weighing the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, with the goal of restricting or prohibiting the processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public.”
The CCPA goes on to say that “nothing in this section shall require a business to divulge trade secrets.” There is no mention of any other protection against the production of these assessments or the materials that accompany their creation. Additionally, the CCPA’s Invitation for Preliminary Comments on Proposed Rulemaking Cybersecurity Audits, Risk Assessments, and Automated Decision-making does not specify any limitation for the disclosure of these assessments themselves, or the working papers generated during their creation, based on the attorney-client privilege to anyone.
No privacy program, or any compliance program in connection with any regulatory standard for that matter, is perfect and protects against all risks. Some tradeoffs are always necessary. Not all risks can be addressed, so businesses must decide which to remediate and which to accept. Even then, decisions that appear to strike an appropriate balance between the risks and benefits of a processing activity may look entirely different in hindsight. That is why those decisions, and the work papers associated with them, must be created under the privilege. Doing so will not only foster the free and open flow of information necessary for good decisions, but will also, to the extent possible under current law, shield the decision-making process from turning into a roadmap in investigations and litigation against your company.