Trans-atlantic data transfer agreements a “high priority”

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

Virginia amendment passes House and Senate

Virginia HB 381, which would amend the Virginia Consumer Data Protection Act, passed out of both the state House and Senate, moving the bill forward for approval by the Governor.

The amendment would authorize controllers that receive personal data indirectly (i.e., from a source other than the consumer) to treat deletion requests as requests to opt out of processing.

WHY IT MATTERS

This bill was initiated based on findings of the Virginia Consumer Data Protection Working Group noting that it may be operationally difficult to ensure a consumer’s data is not subsequently acquired from third parties after it is deleted.

Based on this finding, the Working Group recommended that the right to delete be linked to the consumer’s right to opt out of sale to ensure controllers / processors prevent consumer data previously deleted from being reacquired or reentering their system.

Several consumer advocacy groups, including Consumer Reports, opposed the bill, arguing that consumers should have the choice to decide whether companies should delete their data or opt them out. 

PRIVACY BILLS INTRODUCED IN CT AND KY; ADVANCE IN FL, UT, WI

Connecticut and Kentucky both introduced bills closely resembling Virginia’s VCDPA. Florida and Utah voted bills out of committee, and the Wisconsin Assembly voted to adopt AB 957, moving the bill to the Senate. 

WHY IT MATTERS

 Indiana and Wisconsin are the only two states so far in 2022 to pass comprehensive privacy bills through one chamber. Both bills are modeled after Virginia’s VCDPA.  

EUROPE

Irish DPA Issued Revised Preliminary Decision re Facebook Data Transfers

The Irish Data Protection Commissioner reportedly gave Meta, Facebook’s parent company, 28 days to make submissions based on the DPA’s revised preliminary decision regarding data transfers from Facebook Ireland to the company’s U.S. parent company.

After the 28-day period, the DPA will prepare a draft Article 60 decision for other Concerned Supervisory Authorities. 

WHY IT MATTERS

This case originated with a complaint made by Max Schrems. A previous preliminary order was issued in August 2020, which Facebook challenged on procedural grounds in September 2020, putting the DPA’s inquiry on hold. The hold was lifted in May 2021 when the High Court rejected Facebook’s challenge.

Importantly, no final decision has been reached regarding the lawfulness of Facebook’s transfers to the United States. To issue a final Order, the DPA will be required to bring the draft decision to other interested supervisory authorities pursuant to the cooperation and consistency mechanisms laid down by the GDPR. 

EU Commissioner DEEMS EU/US transfer deal High Priority

At a press conference, Margrethe Vestager, the European Commission’s EVP of Digital Strategy, reportedly commented that a data transfer agreement with the US is a “high priority endeavor”, but she cautioned that it would not be easy “in order to not get a negative Schrems III judgment”.

The U.S-European Union Trade and Technology Council is scheduled to meet in May.

WHY IT MATTERS

The previous agreement between the United States and the European Union for trans-atlantic data transfers, Privacy Shield, was invalidated by the Court of Justice of the European Union pursuant to the case Data Protection Commission v. Facebook Ireland, Schrems (aka “Schrems II”).

The Court found that US surveillance laws are not sufficiently limited to what is strictly necessary and do not extend effective remedies to data subjects, as required by the EU Charter on Fundamental Rights. The Court also advised that, where the law in the recipient country of a data transfer does not ensure adequate protection, companies must provide additional safeguards or suspend transfers.

Accordingly, in order to avoid a negative “Schrems III judgment”. per Vestager’s comments, the United States and European Union will need to either agree on sufficient safeguards to protect EU data subjects or reconcile the differences between the EU Charter and U.S. Surveillance laws. 

New UK Information Commissioner Criticizes EU “regulation for regulation’s sake”

In an interview with The Telegraph, UK Information Commissioner John Edwards commented on European Court decisions regarding EU/US data transfers, noting that “it seems to proceed without any apprehension of actual harm or risk” and that the GDPR regime had “imposed a drag” on growth.

Accordingly, for the UK, Edwards said “there’s an unreleased potential to lighten the burden on business”. 

WHY IT MATTERS

Edwards’ comments are consistent with the sentiments issued by UK Prime Minister Boris Johnson and a policy document released by the UK government, both earlier this month.

The Prime Minister announced the coming of a Brexit Freedoms Bill, designed to allow for easier reform, repeal and replacement of outdated EU law, citing “data protection” as one of the areas for reform.

The government’s policy document titled “The Benefits of Brexit: How the UK is Taking Advantage of Leaving the EU” identified plans for a new “pro-growth data regime” that will “help to drive growth, innovation and competition across the country and enhance the UK’s global reputation as a hub for responsible data-driven business.”

DPG Media fined 525,000 euros for DSAR verification process. 

 The Dutch Data Protection Authority (AP) announced that it imposed a 525,000 euro fine on media company DPG Media based on the alleged unnecessary verification process required by DPG’s subsidiary, Sanoma Media Netherlands, in response to data subject deletion or access requests (DSARs).

According to the announcement, data subjects were required to upload or send a copy of an identity document before a request would be honored, which the AP found to be “too heavy a means” for verification and “far too complicated”.

The announcement noted that DPG Media has since changed its process, sending a verification email to establish the identity of a requester.

WHY IT MATTERS

Article 12 of the GDPR does allow controllers to request the provision of additional information necessary to confirm the identity of the data subject in the context of a data subject request; however, Recital 63 of the GDPR says that data subjects should have the right to exercise their right of access “easily”.

Accordingly, in designing DSAR processes, controllers should assess whether any information they are requesting is truly “necessary” for verification and whether there is a way to do so that is easier for the consumer. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.