This is the third installment in Hogan Lovells’ series on the California Consumer Privacy Act.
What personal information do you have about California consumers and households?
The California Consumer Privacy Act of 2018 (“CCPA”) provides a series of new compliance obligations and operational challenges for companies doing business in California. A vital first step for any company subject to the CCPA and looking to forge a practical path forward is to inventory the personal information (“PI”) that the company collects, stores, and shares with others. As part of our ongoing series on the CCPA and its implications, this post sets out key issues and questions to consider when contemplating a data mapping exercise.
Mapping data accurately and efficiently can be challenging. It requires an understanding of the law and the practical consequences. But when done correctly, data mapping can deliver significant value. For example, beyond the immediate benefit of assessing risks and identifying legal obligations, a data mapping exercise can promote organizational hygiene, identify problematic practices and security risks, and uncover operational inefficiencies.
Unless there is a political earthquake (some would say a miracle) Brexit will happen on 29 March 2019. Many fear a hard Brexit. Some are hoping for a hard Brexit. A majority appear to want a soft Brexit. And many others would strongly prefer that Brexit wasn’t happening at all. But whatever its flavour, upon Brexit the UK will cease to be an EU Member State and become a so-called ‘third country’. As a result, UK-based organisations, which in the context of transfers of personal data to countries outside the EU have always been exporters, will become importers of data originating from the EU. This is a serious concern because transfers of personal data from the EU to third countries are severely restricted. So a key UK Government objective from day one has been to ensure that the UK is regarded as an adequate jurisdiction, which would allow unconstrained transfers of personal data from the EU. But will it be?
This is the second installment in Hogan Lovells’ series on the California Consumer Privacy Act.
Words matter. Nowhere is this truer than in legislation, where word choices—often the product of long debate and imperfect compromise—determine the scope and impact of a law. Legislative history can speak volumes about those word choices, and the unique legislative history of the California Consumer Privacy Act of 2018 (CCPA) only highlights the importance of understanding the terms used in the act.
As we detailed in earlier blog posts and our webinar, the CCPA’s enactment stems from the Californians for Consumer Privacy ballot initiative. The initiative proposed burdensome obligations that would be difficult to revise if it passed the popular vote. It was on track to appear on the California ballot in November 2018. But then the chief sponsor agreed to withdraw the initiative from the ballot if the California legislature could quickly pass substantially similar legislation. Accordingly, the California legislature moved to enact a bill that became the CCPA. This law shares much in common with the initiative, but some of the language was modified as part of the compromise legislation. On August 31, the California legislature adopted technical amendments, which further refined a number of terms and concepts in the CCPA.
On 4 September, Legislative Decree no. 101 of 10 August 2018 (the “Decree”) for the national implementation of General Data Protection Regulation (EU) 2016/679 (the “GDPR”) was published in the Official Journal. The approach of the legislator was to maintain the structure of former Legislative Decree 196/2003 (the “Privacy Code”) which, however, has been extensively amended and integrated, and now contains only some residual provisions in addition to those of the GDPR which are directly applicable. The Decree will enter into force on 19 September 2018.
As part of its preparations for a “no deal” scenario when the Article 50 negotiating period comes to an end on 29 March 2019, the Department for Digital, Culture, Media and Sport (“DDCMS”) has today released guidance on “Data protection if there’s no Brexit deal”. The UK will become a “third country” on its exit from the European Union, which means that unhindered cross-border transfers of data will no longer automatically be able to take place between the UK and the EU.
In a “no deal” situation, the Data Protection Act 2018, which implements the General Data Protection Regulation (“GDPR”) in domestic law, would continue to apply, while the GDPR itself would be incorporated into UK law through the operation of the EU Withdrawal Act 2018. National data protection standards would therefore remain the same. The guidance confirms that, given the “unprecedented alignment” between the UK and EU data protection regimes, the UK would continue to allow transfers of data from the UK to the EU at the point of exit.
Groundbreaking. Watershed. Unprecedented.
We have heard the California Consumer Privacy Act of 2018 (CCPA) called all these things and more since its enactment on June 28, 2018. Our experience to date has confirmed the compliance challenge ahead for organizations that engage with the residents of the world’s fifth-largest economy.
We will explore the ramifications for businesses of this seminal legislation in this multi-part series, The Challenge Ahead, authored by members of Hogan Lovells’ CCPA team. Each post will provide analysis of key legal issues implicated by the CCPA along with practical takeaways. The series builds on the CCPA overview we recently presented via webinar.
In this first installment, we describe recent activity to enact so-called “technical” amendments to the CCPA.
Please join us for our September 2018 Privacy and Cybersecurity Events.
Mark Brennan will lead a session at the CTIA Mobile World Congress Americas where he will discuss text messaging privacy and other regulatory issues.
Location: Los Angeles
India’s Committee of Experts, under the chairmanship of Justice B.N. Srikrishna (the Srikrishna Committee), has submitted a draft Data Protection Bill (the Bill) for review by the Ministry of Electronics and Information Technology. The Srikrishna Committee tabled the Bill alongside a report entitled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians” (the committee report).
India Charts its “Fourth Way”
The Bill represents an important milestone for India, which has yet to enact comprehensive, principles-based data protection regulation, lagging a trend set in recent years by Singapore, the Philippines and others in the region playing catch up to Hong Kong and Japan, which have both had such regulation in place for years now.
In July, Eduardo Ustaran spoke at Privacy Laws & Business’ International Conference in Cambridge about the sort of activities likely to prompt regulators into exercising their increased fining powers under the EU GDPR. A link to the video of his presentation can be found here and a detailed report of the presentation is available here.
On June 28, 2018, the European Court of Human Rights decided that Germany had correctly denied two individuals their “right to be forgotten” requests in connection with press archives relating to a 1991 murder. The two individuals were convicted of the murder of a well-known German actor. They were released from prison in 2008 and brought actions against a German radio station and a weekly magazine asking that articles and radio interviews relating to the 1991 murder be removed from their website archives. The matter reached the German Supreme Court, which held that the interests of the public in having access to the information outweighed the interference with the plaintiffs’ privacy rights.
The two individuals then sued Germany before the European Court of Human Rights (ECtHR) arguing that Germany had violated their privacy rights under Article 8 of the European Convention on Human Rights.