As the challenges to and requirements governing data protection continue to evolve, data privacy remains a hot topic on the minds of security and compliance professionals around the world. If the last few years provide any indication, new developments in data privacy will likely keep pace.
In our 2022 Technology Marathon, Morgan Lewis lawyers took a look back at significant recent developments on data privacy in the United States and Europe, and a look forward to updates on the Privacy Shield 2.0 and requirements for cross-border data transfers.
In April 2022, we saw changes to the French Blocking Statute. These amendments included requirements for French companies receiving discovery requests to report them to French authorities and provide them with more information to evaluate those requests.
While we await details on the so-called Trans-Atlantic Data Privacy Framework (TADPF) announced in February 2022, the TADPF will likely
Once the European Commission and US government agree to the TADPF, the approval process will commence, and we may see an EU Adequacy Decision by early 2023. In the meantime, data importers and exporters may want to rely on other data transfer tools such as the new EU Standard Contractual Clauses (see below) or, in rare instances, derogations under Article 49 of the General Data Protection Regulation (GDPR), such as individual, specific consents.
In terms of upcoming deadlines established as a result of the new Standard Contractual Clauses (SCCs) issued by the European Commission in June 2021, be aware of the following:
Conducting a data transfer impact assessment can be complicated, especially given that there are no general standards and no template provided by the European Commission to help complete the process.
The assessment consists of several components, including a risk analysis, asking for difficult determinations to be made that require a deep dive into US law, which European exporters may not be in a position to conduct.
When responding to data subject access requests (DSARs), it’s important to be mindful of the scope of access rights granted by privacy laws across jurisdictions, as well as the response deadlines, which can range from one month to 45 days. Of equal significance is familiarity with data sources. While it can be difficult to identify the systems where data can reside and extract this information from those sources, companies gearing up for compliance need to be familiar with their data systems. Reasonable measures should be used to verify the identity of a data subject, and personal information should only be released in a secure manner after verifying the request.
We expect 2023 to be a significant year for DSARs in the United States, with a likely expansion of rights in other states in 2024 and beyond. US companies can learn from GDPR/UK GDPR guidance and experiences, including from the UK Information Commissioner's Office on request compliance and from the European Data Protection Board on data subject rights.
On the US front, the privacy legislative landscape is active, with data privacy laws taking effect in California, Virginia, Colorado, Utah, and Connecticut in mid- to late 2023. It’s a key time to be thinking about your requirements and the scope of your obligations under these privacy laws. Additionally, if you’re not in one of these states and you’re not covered by one of these statutes, you will likely be covered by a similar comprehensive privacy law in the near future.
Currently, only Illinois, Texas, and Washington have enacted biometric privacy laws, though in 2022, new biometric laws were considered in at least eight states. Most often, the Illinois Biometric Data Privacy Act seems to serve as the inspiration for developing legislative activity in this space, and it is likely that states without biometric legislation will look to the Illinois law as a model. In some instances, localities such as New York City have regulated the collection and use of biometric data.
Currently, several US federal agencies are considering wading into potential AI regulation, including the Food and Drug Administration, Equal Employment Opportunity Commission, Department of Housing and Urban Development, and Department of Transportation. The Federal Trade Commission is considering regulations to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” Additionally, the Algorithmic Accountability Act of 2022 is pending in the US House of Representatives and Senate.
Recently, Illinois and Colorado enacted AI-related legislation, and 17 states currently have AI bills under consideration. Multiple other states have formed working groups to study future AI legislation.