On September 18, 2020, as confirmed by Brazilian firm Mattos Filho, Veiga Filho, Marrey Jr. e Quiroga Advogados, Brazil’s President signed a bill from Brazil’s Congress bringing the new Brazilian data protection law (Lei Geral de Proteção de Dados Pessoais, “LGPD”) into effect with a retroactive applicability date of August 16, 2020. The LGPD’s sanctions provisions will apply beginning August 1, 2021, based on a previous delay passed by Brazil’s legislature. As we previously reported, on August 26, 2020, Brazil’s Senate had unexpectedly rejected the President’s provisional measure aimed at postponing the applicability of the LGPD. The President has also recently issued a decree regulating the new Brazilian data protection authority (Autoridade Nacional de Proteção de Dados).
On September 15, 2020, the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) announced five more settlements under its HIPAA Right of Access Initiative. The OCR announced its Right of Access Initiative in 2019, promising vigorous enforcement of HIPAA’s access rules. The five newly announced settlements bring OCR’s total to seven completed enforcement actions under the Right of Access Initiative.
On September 7, 2020, the European Data Protection Board (the “EDPB”) published Guidelines on the Targeting of Social Media Users (the “Guidelines”). The Guidelines aim to provide practical guidance on the role and responsibilities of social media providers and those using targeting services, such as for targeted advertising, on social media platforms (“targeters”).
On September 9, 2020, the UK Information Commissioner’s Office (“ICO”) published an Accountability Framework, designed to assist organizations in complying with their accountability obligations under the EU General Data Protection Regulation (“GDPR”). The GDPR’s accountability principle requires that organizations both comply with their legal requirements under the GDPR, and also demonstrate their compliance. The ICO states that its Accountability Framework “supports the foundations of an effective privacy management programme.”
On September 9, 2020, Portland, Oregon became the first jurisdiction in the country to ban the private-sector use of facial recognition technology in public places within the city, including stores, restaurants and hotels. The city Ordinance was unanimously passed by the Portland City Council and will take effect on January 1, 2021. The City Council cited as rationale for the Ordinance documented instances of gender and racial bias in facial recognition technology, and the fact that marginalized communities have been subject to “over surveillance and [the] disparate and detrimental impact of the use of surveillance.”
On September 8, 2020, AB 1138, the Parent’s Accountability and Child Protection Act, was enrolled and presented to the California Governor for signature. If signed into law by the Governor, the bill would require a business that operates a social media website or application, beginning July 1, 2021, to obtain verifiable parental consent for California-based children that the business “actually knows” are under 13 years of age (hereafter, “Children”). The bill defines “social media” to mean an electronic service or account held open to the general public to post, on either a public or semi-public page dedicated to a particular user, electronic content or communication, including but not limited to videos, photos or messages intended to facilitate the sharing of information, ideas, personal messages or other content.
On September 7, 2020, the European Data Protection Board (“EDPB”) released draft Guidelines 07/2020 on the concepts of controller and processor in the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines aim to (1) clarify the concepts of controller, joint controllers, processor, third party and recipient under the GDPR by providing concrete examples with respect to each, and (2) specify the consequences attached to the different roles of controller, joint controllers and processor. The Guidelines replace the previous opinion of the Article 29 Working Party on these concepts.
On September 8, 2020, the Swiss Data Protection Authority (the Federal Data Protection and Information Commissioner, “FDPIC”), announced in a position statement that it no longer considers the Swiss-U.S. Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the U.S. This decision follows the July 2020 ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems II case, which invalidated the EU-U.S. Privacy Shield for EU-U.S. transfers of personal data. This ruling was considered as part of the annual review of the Swiss-U.S. Privacy Shield Framework by the FDPIC since, as Switzerland is not a member of the EU, it is not bound by the CJEU ruling.
The Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) and the Data Security Council of India (“DSCI”) have published a report on Enabling Accountable Data Transfers from India to the United States under India’s Proposed Personal Data Protection Bill (the “Report”).
On September 1, 2020, the Centre for Information Policy Leadership at Hunton Andrews Kurth (“CIPL”) and the Centro de Direito, Internet e Sociedade of Instituto Brasiliense de Direito Público (“CEDIS-IDP”) released a new paper (“Paper”) on the Top Priorities for Public and Private Organizations to Effectively Implement the New Brazilian General Data Protection Law (“LGPD”). This paper is part of their joint-project on effective implementation and regulation under the LGPD.