Last week, Virginia’s Joint Commission on Technology and Science held its second meeting of the Consumer Data Protection Work Group.

Instead of following a detailed rulemaking process for implementation like that provided for in the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) is being reviewed over the next few months by a group of state officials, business representatives, and advocates. This group will publish recommendations by November 1, 2021, which the state legislature can consider if it amends the law before the VCDPA goes into effect on January 1, 2023. A stated goal of the group is to align the VCDPA with other privacy laws that states are enacting around the country.

At the meeting, the group heard public comments as well as a presentation by Deputy Attorney General Samuel Towell on behalf of the Office of the Attorney General of Virginia (OAG). The presentation covered issues that the OAG sees with the VCDPA’s implementation and proposed a number of recommendations for the group to consider: Continue Reading Virginia Consumer Data Protection Work Group Holds Second Meeting, Hears Recommendations from the Office of the Virginia Attorney General

On July 15, 2021, the Belgian Supervisory Authority (“SA”) released a 40-page draft recommendation on the use of biometric data and launched a public consultation to solicit feedback about it.

Most notably, the SA points out that there is no valid legal basis other than explicit consent (with all the GDPR limitations attached to it) that would enable the processing of biometric data for authentication purposes (e.g., security), because Belgian lawmakers failed to adopt the required national legislation to supplement the GDPR (specifically, to underpin the public interest exception found in Art. 9(2)(g) GDPR for processing sensitive personal data).  The SA considers this outcome a departure from the rules that applied prior to the GDPR, and will therefore allow a one-year grace period to give controllers and lawmakers sufficient time to address the issue.

Continue Reading Belgian Supervisory Authority Launches Public Consultation on the Use of Biometric Data

With the rollout of COVID-19 vaccination programs across the EU and the UK, employers are faced with questions about whether or not they are legally permitted to ask employees about their vaccination status and, if so, how that information may be used.

Employers may wish to inquire about the vaccination status of their employees in order to comply with their general obligation to ensure a safe workplace and minimize the risk of exposure to COVID-19.  This raises privacy issues under the General Data Protection Regulation (“GDPR”), because employees’ vaccination status falls within a special category of personal data that concerns the health of individuals (Art. 9(1)).  This category is subject to more stringent data protection measures due to the sensitive and personal nature of data, and can only be processed in very limited circumstances (Art. 9(2)).

Continue Reading COVID-19: Processing of Vaccination Data by Employers in Europe

South Africa’s Information Regulator (the “Regulator”) issued, on June 22, 2021, a Guidance Note on Exemptions from the Conditions for Lawful Processing of Personal Information (“Guidance Note”), arising under sections 37 and 38 of the Protection of Personal Information Act, 4 of 2013 (“POPIA”).  The purpose of the Guidance Note is to provide guidance to “responsible parties” who: (i) intend to apply for an exemption from one or more of the eight conditions for the lawful processing of personal information, as prescribed by POPIA (section 37 of POPIA), or (ii) may automatically be exempt from some of these conditions where the processing occurs in the performance of a “relevant function” (section 38 of POPIA).  In a media statement, also issued on June 22, 2021, the Regulator confirmed that the June 20, 2021 deadline for responsible parties to register their Information Officers (“IOs”) and Deputy Information Officers (“DIOs”) was postponed indefinitely.

Continue Reading South Africa: Guidance on POPIA Exemptions and Registration of Information Officers

On July 5, 2021, the Italian Supervisory Authority (“Garante”) announced that it has fined Foodinho S.r.l. (“Foodinho”) 2.6 million EUR for its use of performance algorithms in connection with its employees. The authority held Foodinho in breach of the principles of transparency, security, privacy by default and by design, and held it responsible for not implementing suitable measures to safeguard its employees’ (i.e., riders’) rights and freedoms against discriminatory automated decision making. The Garante’s decision is the first of its kind in the realm of the algorithmic management of gig workers. According to the Garante, Foodinho’s management violated Article 22(3) of the GDPR. Continue Reading Italian Supervisory Authority Fines Foodinho Over Its Use of Performance Management Algorithms

On July 2 and July 5, 2021, China’s Cybersecurity Review Office (“CRO”), an office established under the Cyberspace Administration of China (“CAC”) responsible for coordinating the implementation of China’s Cybersecurity Review framework (more details about this framework can be found in our previous blogpost, available here), announced that it had initiated cybersecurity reviews against four mobile applications operated by three Chinese companies:  Didi Chuxing (“Didi”), Yunmanman, Huochebang and BOSS Zhipin (announcements are available here and here).

According to CRO’s announcements, these cybersecurity reviews were initiated based on requirements under the National Security Law (“NSL”), the Cybersecurity Law (“CSL”) and the Measures on Cybersecurity Review (“Measures”) and are aimed at “preventing national data security risks, maintaining national security and safeguarding public interests.”  This is the first time that CRO publically announced the initiation of cybersecurity reviews against companies after the Measures took effect on June 1, 2020.  Per the announcements, these apps are prohibited from registering new user accounts during the review period.

Separately, on July 4, CAC ordered the Didi app to be removed from Chinese app stores on the ground that the app seriously violated Chinese laws and regulations by “illegally collecting and using personal information” (the announcement is available here).  It is unclear whether this “take down” order is related to CRO’s ongoing cybersecurity review of Didi.

This post explains the requirements and procedures of cybersecurity review under the Measures, analyzes the focus of the current review against these three companies, and provides more background on recent enforcement actions against apps illegally collecting and processing personal information. Continue Reading China Initiates Cybersecurity Review of Didi ChuXing and Three Other Chinese Mobile Applications

On June 24, 2021, Australian parliament passed legislation establishing a framework for its enforcement agencies to access certain electronic data held by companies outside of Australia for law enforcement and national security purposes.  The law paves the way for the establishment of a bilateral agreement with the United States under the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act.

Similar to the function of the CLOUD Act, the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 enables Australian enforcement authorities to compel companies covered by the statute to provide data, regardless of where the data is stored.  The legislation introduces international production orders, a form of legal process for compelling real-time interception of communications or the production of stored communications and telecommunications data, which can be served directly on communications providers in foreign countries with which Australia has an agreement. Continue Reading Australia Passes Cross-Border Data Access Law, Creates a Pathway for CLOUD Act Bilateral Agreement

On June 28, 2021, the European Commission adopted two decisions finding that the UK’s data protection regime provides an “adequate” level of protection for personal data transferred to the UK from the EU.  The first decision covers transfers governed by the GDPR, and permits private companies located in the EU to continue to transfer personal data to the UK without the need for additional arrangements (such as the Commission’s new Standard Contractual Clauses (“SCCs”), which we discuss here).  The second decision covers transfers under the Data Protection and Law Enforcement Directive, and permits EU law enforcement agencies to continue to transfer personal data to their counterparts in the UK.

Continue Reading European Commission Adopts Final UK Adequacy Decisions

Earlier this month the California Privacy Protection Agency (CPPA) held its inaugural public meeting.  The CPPA was created under Proposition 24, the California Privacy Rights Act (CPRA), which was approved by California voters on November 3, 2020. Continue Reading California Privacy Protection Agency Holds First Meeting, Preparing for Upcoming Rulemaking