
CCPA set to Move Forward as Scheduled Despite COVID-19 Challenges.

California Consumer Privacy Act (CCPA) is set to move forward, as scheduled on July 1, 2020, despite the challenges presented by the COVID-19 pandemic.

As various states and countries implement lockdowns and stay-at-home orders in an effort to deal with the coronavirus pandemic, many events, initiatives and processes are being cancelled, or at best delayed. Many businesses and other organisations have resorted to shutting down, or digitising their operations to cope with the uncertain times. However, California Attorney General Xavier Becerra has no intention of delaying the implementation of the California Consumer Privacy Act, which is expected to be enforced on or before July 1, 2020. Despite pushback from a coalition that is asking for this initiative to be postponed while businesses and organisations focus on the challenges presented by COVID-19, Becerra seems, so far, unmoved.

The California Attorney General plans to proceed with implementation of the law despite pushback.

An advisor to the California Attorney General affirmed that they are committed to enforcing the law upon finalizing the rules or on July 1, whichever comes first, and stated: “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.” The coalition, which is now comprised of 60 groups, stated: “A temporary deferral in enforcement of the CCPA would relieve many pressures and stressors placed on organizations due to COVID-19 and would better enable business leaders to make responsible decisions that prioritize the needs and health of their workforce over other matters.”

The Civil Code allows for an enforcement of the CCPA on July 1, but not prior to that.

According to one of the groups that is part of the coalition: “The law, Civil Code Section 1798.85(c), states that ‘The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.’ So that means July 1, period.”

CCPA was approved in September 2018

The Initial Proposed Regulations were first published on October 11, 2019, and two sets of modifications, on February 10, 2020 and March 11, 2020, have been released since then.

According to Cristina Contero Almagro, Aphaia’s Partner, “one should note that CCPA was approved in September 2018, commencing on January 1, 2020, subject to the publication of the final regulations. This means that businesses have had more than a year so far to adapt their processes to the main requirements of the CCPA”.

Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and CCPA consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


A Memorandum of Understanding has been Signed Between the UK’s ICO and the Office of the Australian Information Commissioner

A Memorandum of Understanding has been signed between the UK’s ICO and the Office of the Australian Information Commissioner (OAIC), to facilitate cooperation and collaboration.

A memorandum of understanding has been signed between the UK’s ICO and the Australian Information Commissioner, since the two share similar functions and duties in their respective countries. The two parties have recognised the need for increased cross-border enforcement and cooperation, given the nature of the modern global economy and the rate at which personal data crosses borders. By signing this memorandum of understanding, the parties have set out the broad principles of their collaboration and a legal framework governing the exchange of relevant information and intelligence between the two.

Overview of the Scope of the Memorandum of Understanding.

The memorandum of understanding that the parties signed last month should not be seen as a requirement on either of the two parties to cooperate with each other. There is no legal requirement to cooperate in circumstances that would breach their individual responsibilities. It is simply a way for the two parties to deepen their existing relations and develop them further, in an effort to promote exchange and assistance in the enforcement of laws protecting personal information. The intent is to work together by sharing expertise, experiences and best practices, cooperating on specific projects and investigations, and sharing information and intelligence to support their individual and collective work. This collaboration is made without the intent of sharing any personal data. If the parties do wish to share personal data, they will consider compliance with their own data protection laws, which may require entering into a written agreement or arrangement regarding the sharing of that personal data. Based on section 132(1) of the DPA 2018, the UK Commissioner can only share certain information if she has the lawful authority to do so.

Review of the Memorandum of Understanding.

The UK’s ICO and the OAIC will monitor the operation of their memorandum of understanding and review it biennially. Either party has the right to request a review sooner. Each party has a designated point of contact in the event that any issues arise in relation to the memorandum of understanding. In addition, the agreement may only be amended by the parties in writing, signed by each of them.

As stated above, the memorandum of understanding between the ICO and the OAIC does not affect the transfer of personal data between the two countries. Currently, there is no adequacy decision for data transfers to Australia, so one of the safeguards provided for by the GDPR should apply, such as Standard Contractual Clauses or Binding Corporate Rules. Furthermore, one should note that an anti-encryption law was approved two years ago in Australia, which obliges Australian companies to build back-door access to information so that it is available to the Government, while requiring them not to disclose the existence of such a system to their users or customers, which directly collides with the GDPR.

Do you have questions about how this new agreement may affect your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


The Coronavirus Pandemic and Data Protection.

The Coronavirus (COVID-19) Pandemic and Data Protection: Guidelines for employers regarding privacy laws during the pandemic.

With recent developments in the global arena, the outbreak of the coronavirus has led to many changes in the workplace. Numerous employees have taken to working from home with the new push for social distancing and self-quarantining. There has been much concern over who may or may not be infected by, or has definitely been exposed to, the virus, or may have visited a country with severe outbreaks. The sharing of information has become critical as medical and other professionals recognise the need for disclosure for the sake of the health of the general public.

The ICO recently released a statement regarding data protection during the coronavirus (COVID-19) pandemic in which it expressed an understanding that businesses will need to adapt the way they work. While there will be understandable delays where individuals or businesses make information rights requests during this pandemic, the ICO is unable to extend the statutory timescales. However, the ICO maintains that it will not penalise organisations that need to prioritise other aspects of their business over the usual compliance and information governance.

Employee Health and Data Protection.

For the duration of this global pandemic, office staff should be informed about any cases of the virus within the organisation. Names do not need to be disclosed; however, because businesses have an obligation to ensure the health and safety of their employees, data protection does allow them to divulge information on confirmed cases within the organisation.

It is not necessary to collect large amounts of information on employees’ health; however, it is reasonable to stay informed about their travel history, or whether they are presenting symptoms of the virus. If there is a need to collect specific health data, it is important that businesses collect only the data that is necessary and treat that data with appropriate safeguards. In the context of an epidemic, employers and relevant health officials do not need consent to process this data, especially when the processing of personal data is necessary for reasons of public interest in the area of public health, to protect vital interests, or to comply with another legal obligation.

In a recent statement, Andrea Jelinek, Chair of the European Data Protection Board (EDPB), said: “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

If it is not possible to process exclusively anonymous data, Article 15 of the ePrivacy Directive allows Member States to introduce legislative measures for the sake of national and public security. This emergency legislation is allowed under the condition that, within a democratic society, it forms part of a necessary, appropriate and proportionate measure, given the circumstances. If these measures are introduced, the Member State will need to apply adequate safeguards, like granting individuals the right to judicial remedy.

Communication of Vital Information by Authorities and the GDPR

During this pandemic, the government, the NHS or other health professionals may also need to send health messages to the general public by phone, text or email. These messages are not considered direct marketing or advertising and are therefore not hindered by data protection laws.

Remote workers and Data Protection.

With more people working from home or remotely due to the pandemic, the ICO reminds businesses that the same security measures must be in place for people working remotely as for workers in a normal office setting. Employees may use their own computers and other devices; provided security measures are maintained, data protection does not hinder employees who need to work from home.

Do you have questions about how to navigate data protection laws during this global coronavirus pandemic in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.


EDPB Releases Statement on Privacy Implications of Mergers.

The European Data Protection Board released a statement last month on the privacy implications of mergers.

The European Data Protection Board has expressed concern over the privacy implications of mergers upon becoming aware of the intention of Google LLC to acquire Fitbit Inc. The board is primarily concerned that this may put a major tech company in a position to acquire even more sensitive personal data about people in Europe, which could pose a high risk to the fundamental rights to privacy and the protection of personal data. The EDPB has stated before that it is imperative to assess the longer-term implications of significant mergers like this one for consumer rights and data protection. In the statement, the EDPB reminds the parties to this proposed merger to assess and mitigate any possible risks of the merger to the rights to privacy and data protection before notifying the European Commission of the proposed merger.

“The EDPB therefore reminds the parties to the proposed merger, in accordance with the principle of accountability, of their obligations under the GDPR and to conduct in a transparent way a full assessment of the data protection requirements and privacy implications of the merger.” The board will itself consider the implications that this merger may have for the protection of personal data in the European Economic Area and, while remaining vigilant on this and similar cases in the future, stands ready to contribute its advice on the proposed merger to the Commission if so requested.

In a 2018 statement considering the acquisition of Shazam by Apple, the EDPB warned that increased concentration in digital markets could potentially threaten the level of data protection and freedom enjoyed by digital consumers, and advised that independent data protection authorities may aid in the assessment of such an impact on the consumer or society. It also added: “This assessment, as well as the identification of conditions or remedies for mitigating negative impacts on privacy and other freedoms, may be separate to and independent from, or integrated into, the analysis carried out by competition authorities during their assessment under competition law.”

When it comes to sharing customers’ data in this context, mergers might be the suitable way to go, because they imply that the controller entity does not change. All other ways would need to be extremely transparent and give the users involved a chance to object. However, if the controller becomes part of a corporate group, the data could be shared within the group subject to a legitimate interest assessment (LIA). This should be done on a case-by-case basis anyway, as the LIA might not always pass the proportionality test.

According to Cristina Contero Almagro, Aphaia’s Partner, “the assessment of the data protection requirements and privacy implications of the merger should cover, as one of its main elements, a full evaluation of the security measures that are in place in the other company, not only the current ones, but also those implemented during the previous years. The data breach suffered by Marriott last year is a good example that shows the relevance of properly checking and monitoring the security measures before going ahead with an acquisition or a merger”.

Do you have questions about how a merger or an acquisition may impact data protection in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.