Privacy Report: United Kingdom New Standard Contractual Clauses Submitted to Parliament

Headlines that Matter for Privacy and Data Security

Global News

United Kingdom New Standard Contractual Clauses Submitted to Parliament

The United Kingdom has finalized its new International Data Transfer Agreement (IDTA) and an Addendum to the new EU standard contractual clauses. Subject to parliamentary approval, organizations will be able to use either the IDTA or the new EU standard contractual clauses (Decision 2021/914) together with the UK Addendum. The IDTA and Addendum come into force on March 21, 2022. As for timing, the prior EU standard contractual clauses (Decisions 2001/497/EC and 2010/87/EU) may still be entered into until September 21, 2022, and contracts already concluded on those old clauses will remain valid until March 21, 2024. Transfer agreements entered into on or after September 21, 2022, will need to use the IDTA or the Addendum.

EDPB Adopts First Opinion on Certification Criteria

The main aim of certification mechanisms is to help controllers and processors demonstrate compliance with the General Data Protection Regulation (GDPR). Controllers and processors adhering to a certification mechanism also gain visibility and credibility, because certification allows individuals to quickly assess the level of protection applied to the processing operations. The European Data Protection Board (EDPB) adopted its opinion on the GDPR-CARPA certification scheme submitted to the Board by the Luxembourg Supervisory Authority (SA). This is the first time the EDPB has adopted a consistency opinion on criteria for a nationwide certification scheme. GDPR-CARPA is a general scheme that does not focus on a specific sector or type of processing; it includes requirements on the data protection governance that an organization maintains around its processing activities. After approval by the SA, the certification mechanism will also be added to the register of certification mechanisms and data protection seals in accordance with Art. 42(8) GDPR.

Brazil Data Protection Authority Approves Regulation Confirming that LGPD Applies to Small Processing Agents

The Brazilian Data Protection Authority has released a formal regulation confirming that the national General Law for the Protection of Personal Data (LGPD) applies to small processing agents, including small businesses, individual entrepreneurs and startups. Although these small agents are not required to appoint a person in charge of the processing of personal data, they must still provide a communication channel for data subjects and must establish an information security policy that covers protecting personal data from unauthorized access and from accidental destruction, loss, alteration, or any other form of improper processing.

EDPB Adopts Guidelines on Right of Access and Letter on Cookie Consent

The EDPB adopted Guidelines on the Right of Access. The Guidelines analyze the various aspects of the right of access and provide more precise guidance on how the right has to be implemented in different situations. Among other things, they clarify the scope of the right of access, the information the controller has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests. The Guidelines will be subject to public consultation for a period of six weeks. In addition, the EDPB adopted a letter in reply to letters calling for a consistent interpretation of cookie consent. In the letter, the EDPB reiterates that it is committed to ensuring the harmonized application of data protection rules throughout the European Economic Area. To that end, the EDPB has recently set up a taskforce on cookie banners to coordinate the response to complaints concerning them. The EDPB has also updated its Guidelines on consent to ensure a harmonized approach on the conditionality of consent and on what counts as an unambiguous indication of the data subject's wishes.

IAB Europe Held Responsible for a Mechanism that Infringes the GDPR

The Belgian Data Protection Authority has fined the Interactive Advertising Bureau (IAB) Europe 250,000 euros and ruled that IAB Europe's widely used Transparency and Consent Framework (TCF) fails to comply with several provisions of the GDPR. The TCF is a widespread mechanism for managing users' preferences for online personalized advertising, and it plays a pivotal role in Real Time Bidding. The Belgian DPA found that IAB Europe had failed to establish a legal basis for certain processing operations, and that the legal grounds the TCF offers for the subsequent processing by adtech vendors were inadequate. In addition, because IAB Europe lacked organizational and technical measures consistent with the principle of data protection by design and by default, including measures to ensure the effective exercise of data subject rights and to monitor the validity and integrity of users' choices, the TCF's conformity with the GDPR was neither adequately ensured nor demonstrated. In response, IAB Europe released its own press statement saying that it expects to remedy the purported infringements within the next six months.

Hong Kong Office of the Privacy Commissioner Releases Recommendations to Safeguard Personal Data for Work-From-Home Arrangements

The Privacy Commissioner for Personal Data, Ms. Ada CHUNG Lai-ling, said, "Since the pandemic, a number of organizations and schools have experience in implementing WFH arrangements or online learning. Nevertheless, the transfer of electronic or physical data in such arrangements inevitably leads to a higher risk of data breaches. In addition, cybersecurity threats, such as hacking and malware, remain an issue. I therefore appeal to organizations and schools to be vigilant and pay special attention to and ensure data security when implementing WFH arrangements or online learning. They should provide adequate guidance and support to their employees, teachers or students, in order to reduce the risks of breaches of personal data privacy." The Privacy Commissioner also offers specific recommendations to organizations and employees using video conferencing software, noting that personal data or sensitive data should not be shared during video conferences or in their chat boxes.

US News

NIST Releases Final Security and Privacy Controls Assessment Guidance

The National Institute of Standards and Technology (NIST) released the final version of "Assessing Security and Privacy Controls in Information Systems and Organizations" (NIST Special Publication 800-53A, Revision 5), which sets out procedures for assessing the security and privacy controls deployed within systems and organizations. The publication also explains how to build effective security and privacy assessment plans and how to analyze assessment results. Its assessment procedures cover the full catalog of safeguards, including contingency planning, configuration management, media protection, system and services acquisition, supply chain risk management, and access control.

Loyalty Programs Receive California Attorney General Notice Letters

The California Attorney General has sent a sweep of notice letters to businesses with loyalty programs, alleging noncompliance with the California Consumer Privacy Act (CCPA). The CCPA imposes requirements on "financial incentives," defined as a "program, benefit, or other offering, including payments to consumers, related to the collection, retention, or sale of personal information." Financial incentives often arise in loyalty programs where a consumer is asked to provide, for example, an email address in exchange for a 10% discount. Letters were sent to major corporations in the retail, home improvement, travel, and food and service industries.

Colorado Attorney General's Statements and Guidance on Data Security Best Practices

The Colorado Attorney General's office released statements and guidance on data security best practices. Notably, the announcement states that a proposed set of model rules will be released by this fall, and it describes the best practices the office will consider when deciding whether a company acted "reasonably" to safeguard sensitive information. As an overview, the guidance lists nine key steps: (1) inventory the types of data collected and establish a system for how that data is stored and managed, (2) develop a written information security policy, (3) adopt a written data incident response plan, (4) manage the security of vendors, (5) train employees to prevent and respond to cybersecurity incidents, (6) follow the Department of Law's ransomware guidance to improve cybersecurity and resilience against ransomware and other attacks, (7) notify victims and the Department of Law/Attorney General in a timely manner (when required) in the event of a security breach, (8) protect individuals affected by a data breach from identity theft and other harms, and (9) regularly review and update security policies.

BBB National Programs' Privacy Watchdog Issues Compliance Warning for "Fingerprinting" Cross-App Data Collection Practices

BBB National Programs' data privacy watchdog, the Digital Advertising Accountability Program (DAAP), has issued a new compliance warning targeting "fingerprinting" of users or devices in connection with the collection or use of cross-app data. In the warning, DAAP reminds companies that the Digital Advertising Alliance (DAA) Principles apply, and will continue to be enforced, irrespective of the technology used to collect and use consumer activity data for interest-based advertising (IBA). Companies engaged in IBA must adhere to the DAA Principles, which include providing an appropriate level of transparency and choice to consumers.

Reps. Castor, Schakowsky Request Answers from COPPA's Safe Harbor Programs

US Representatives Kathy Castor and Jan Schakowsky wrote to all of the Children's Online Privacy Protection Act (COPPA) Safe Harbor programs, requesting information to confirm that they are fulfilling their legal obligation to provide "substantially the same or greater protections for children" as those set out in the COPPA Rule, and soliciting feedback on how best to improve the Safe Harbor program.
