Hot Topics in Data Privacy: A Midyear Look Ahead

July 07, 2022

As the challenges to and requirements governing data protection continue to evolve, data privacy remains a hot topic on the minds of security and compliance professionals around the world. If the last few years provide any indication, new developments in data privacy will likely keep pace.

In our 2022 Technology Marathon, Morgan Lewis lawyers took a look back at significant recent developments on data privacy in the United States and Europe, and a look forward to updates on the Privacy Shield 2.0 and requirements for cross-border data transfers.

EU Data Privacy Regulatory Activity

In April 2022, we saw changes to the French Blocking Statute. These amendments included requirements for French companies receiving discovery requests to report them to French authorities and provide them with more information to evaluate those requests.

Privacy Shield 2.0

While we await details on the so-called Trans-Atlantic Data Privacy Framework (TADPF) announced in February 2022, the TADPF will likely

  • include new safeguards to limit access to data by US surveillance agencies;
  • include a two-tier redress system to investigate and resolve complaints of EU individuals on access of data by US surveillance agencies, which includes an independent Data Protection Review Board; and
  • enhance oversight of intelligence activities.

Once the European Commission and US government agree to the TADPF, the approval process will commence, and we may see an EU Adequacy Decision by early 2023. In the meantime, data importers and exporters may want to rely on other data transfer tools such as the new EU Standard Contractual Clauses (see below) or, in rare instances, derogations under Article 49 of the General Data Protection Regulation (GDPR), such as individual, specific consents.

Standard Contractual Clauses

In terms of upcoming deadlines established as a result of the new Standard Contractual Clauses (SCCs) issued by the European Commission in June 2021, be aware of the following:

  • There are now four modules for SCCs that organizations can use to cover the particular circumstances of their data transfers.
  • “Docking clauses” are included in the new SCCS, which provide the flexibility to add additional parties (e.g., subprocessors) in the future.
  • The new SCC provisions can negate the need for a separate data processing agreement (DPA).
  • You must now conduct data transfer impact assessments to document the specific circumstances of the transfer, the laws of the importing country, and the additional safeguards put in place for the imported data.
  • Old agreements can be relied on until December 27, 2022, for prior data transfers if data processing operations have not been modified.
  • After December 27, 2022, organizations cannot lawfully rely on old SCCs to transfer data to the United States and other countries without an adequacy decision.
  • Following Brexit, the United Kingdom is on a different regime. For transfers from the United Kingdom, the old SCCs can be used for new processing arrangements until September 2022 and the old SCCs can be relied on until March 2024.

Data Transfer Impact Assessments

Conducting a data transfer impact assessment can be complicated, especially given that there are no general standards and no template provided by the European Commission to help complete the process.

The assessment consists of several components, including a risk analysis, asking for difficult determinations to be made that require a deep dive into US law, which European exporters may not be in a position to conduct.

Data Subject Access Requests

When responding to data subject access requests (DSARs), it’s important to be mindful of the scope of access rights granted by privacy laws across jurisdictions, as well as the response deadlines, which can range from one month to 45 days. Of equal significance is familiarity with data sources. While it can be difficult to identify the systems where data can reside and extract this information from those sources, companies gearing up for compliance need to be familiar with their data systems. Reasonable measures should be used to verify the identity of a data subject, and personal information should only be released in a secure manner after verifying the request.

We expect 2023 to be a significant year for DSARs in the United States, with a likely expansion of rights in other states in 2024 and beyond. US companies can learn from GDPR/UK GDPR guidance and experiences, including from the UK Information Commissioners Office on request compliance and from the European Data Protection Board on data subject rights.

US Data Privacy Developments

On the US front, the privacy legislative landscape is active, with data privacy laws taking effect in California, Virginia, Colorado, Utah, and Connecticut in mid- to late 2023. It’s a key time to be thinking about your requirements and the scope of your obligations under these privacy laws. Additionally, if you’re not in one of these states and you’re not covered by one of these statutes, you will likely be covered by a similar comprehensive privacy law in the near future.

Biometric Data Privacy: Regulatory Landscape

Currently, only Illinois, Texas, and Washington have enacted biometric privacy laws, though in 2022, new biometric laws were considered in at least eight states. Most often the Illinois Biometric Data Privacy Act seems to serve as the inspiration for developing legislative activity in this space. It’s likely that states without biometric legislation will look to the Illinois law as a model. In some instances, localities such as New York City have regulated the collection and use of biometric data.

Artificial Intelligence (AI): Regulatory Landscape

Currently, several US federal agencies are considering wading into potential AI regulation, including the Food and Drug Administration, Equal Employment Opportunity Commission, Department of Housing and Urban Development, and Department of Transportation. The Federal Trade Commission is considering regulations to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” Additionally, the Algorithmic Accountability Act of 2022 is pending in the US House of Representatives and Senate.

Recently, Illinois and Colorado enacted AI-related legislation and 17 states currently have AI bills under consideration. Multiple other states have formed working groups to study future AI legislation.

If you are interested in Hot Topics in Data Privacy, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas.