Another week, another proposal concerning Section 230 of the 1996 Communications Decency Act. This week, Senator Lindsey Graham (R-SC) introduced the Online Content Policy Modernization Act, which primarily establishes an alternative dispute resolution program for copyright small claims. Relevant to this blog, however, are the last three pages of the proposal, which limit civil liability protections of Section 230 and which are identical to the currently-pending Online Freedom and Viewpoint Diversity Act. Senator Graham also sponsored that bill along with Senators Roger Wicker (R-MS) and Marsha Blackburn (R-TN).
California Legislature Adopts CCPA Exemption for Information Deidentified in Accordance with the HIPAA Privacy Rule
On September 1, the California legislature passed AB 713, a bill that creates a new healthcare-related exemption under the California Consumer Privacy Act of 2018 (“CCPA”). All provisions of the bill will take effect immediately to prevent the CCPA from “negatively impact[ing] certain health-related information and research,” except for the required contractual provisions described below.
Under the new exemption, information is not subject to the CCPA’s obligations if it meets both of the following requirements: Continue Reading
Federal Trade Commission Updates, Streamlines COPPA FAQs
The FTC recently updated Complying with COPPA: Frequently Asked Questions, the set of FAQs meant to provide informal guidance for complying with the Children’s Online Privacy Protection Act and the Commission-issued COPPA Rule. In an accompanying blog post, the FTC staff emphasized that the revisions to the FAQs “don’t raise new policy issues” and that they were implemented primarily to streamline and reorganize the content “to make the document easier to use.” While the new FAQs generally only reinforce concepts from recent key settlements, enforcement policy positions, and separately-issued regulatory guidance, some of the updates also provide helpful additional context around specific issues such as mixed audience sites and services, age gates, and common consent mechanisms. Continue Reading
English High Court Awards Damages for Quasi-Defamation Data Claim
The English High Court has recently awarded damages in a data privacy case, with two features of particular interest. First, the nature of the claim is more reminiscent of a claim in defamation than for data privacy breaches, which is a development in the use of data protection legislation. Secondly, the damages awarded (perhaps influenced by the nature of the case) were unusually high for a data privacy case.
The decision highlights an unusual use of data protection in English law, as a freestanding form of quasi-defamation claim, as the claimants sought damages for reputational harm (as well as distress) solely under the Data Protection Act 1998 (the “DPA”, since replaced by the Data Protection Act 2018, which implemented the General Data Protection Regulation ((EU) 2016/679) (GDPR) in the UK) rather than in a libel or defamation claim, or in parallel with such a claim. It also sets a potentially unhelpful precedent by awarding two of the claimants £18,000 each for inaccurate processing of their personal data, an amount that is significantly higher than has been awarded in other data protection cases brought under the DPA. If such awards were to be made in the context of a class action, the potential liability for data controllers could be significant. Continue Reading
Inside Privacy Audiocast: Episode 4 – A Look into the ACLU of California’s Position on the CPRA
On our fourth episode of our Inside Privacy Audiocast, we are aiming our looking glass at the California Privacy Rights Act, and are joined by guest speaker Jacob Snow, Technology and Civil Liberties Attorney with the American Civil Liberties Union of Northern California.
In September 2019, Alastair Mactaggart, Board Chair and Founder of Californians for Consumer Privacy, launched a new ballot initiative to appear on that state’s November 2020 ballot, the California Privacy Rights Act or CPRA. Bearing in mind that the California Consumer Privacy Act or CCPA only just went into effect on January 1, 2020, this latest proposal would now amend the CCPA to create additional privacy rights and obligations in California and further setting it apart from other U.S. states. In our episode recorded last week, Dan Cooper, Lindsey Tonsager and Jacob Snow take a look into the ACLU of California’s position on the CPRA.
Covington’s Inside Privacy Audiocast offers insights into topical global privacy issues and trends. Subscribe to our Inside Privacy Blog to receive notifications on new episodes.
European Commission proposes interim regulation to combat child sexual abuse online
On 10 September 2020, the European Commission proposed an interim regulation designed to enable online communications service providers to combat child sexual abuse online. Once in force, this regulation will provide a legal basis for providers to voluntarily scan communications or traffic data on their services for the limited purpose of detecting child sexual abuse material online.
Online Freedom and Viewpoint Diversity Act Yet Another Republican Proposal to Limit Section 230 Liability Protections
Earlier this week, a group of Republican Senators, including Roger Wicker (R-MS), Lindsey Graham (R-SC), and Marsha Blackburn (R-TN) introduced the Online Freedom and Viewpoint Diversity Act. This proposal seeks to “modify the scope of protection from civil liability for ‘good Samaritan’ blocking and screening of offensive material” under Section 230 of the 1996 Communications Decency Act. The Online Freedom and Viewpoint Diversity Act is another in the growing list of proposals to amend the scope of Section 230 that have come in 2020, which also includes: the bipartisan Senate Platform Accountability and Consumer Transparency Act (“PACT ACT”), which we analyzed here; a different Senate Republican proposal and a Department of Justice report, both of which we analyzed here; and the Trump Administration’s executive order.
EDPB Publishes Guidelines on the GDPR Concepts of “Controller”, “Joint Controller” and “Processor”
On September 2, 2020, the European Data Protection Board (“EDPB”) adopted guidelines on the concepts of “controller” and processor” under the GDPR. The Article 29 Working Party had already issued a guidance on this topic in 2010. Although the GDPR did not change the definitions of “controller” and “processor”, the EDPB’s guidelines aim to bring further clarity to these critical concepts and discuss the relationship between them.
The EDPB’s guidelines are divided in two parts. Continue Reading
Swiss Federal Data Protection Authority Removes the US from its List of Adequate Countries
On September 8, 2020, the Swiss Federal Supervisory Authority (“Swiss SA”) issued a position paper stating that Swiss companies can no longer rely on the Swiss-US Privacy Shield Framework to transfer data to the US. The Swiss SA did not revoke the Swiss-US Privacy Shield Framework because it does not have the power to do so, but it did remove the US from its list of adequate countries.
The position paper is a clear reaction to the recent ruling of the Court of Justice of the European Union (“CJEU”) in the Schrems II case and aims to bring legal certainty to Swiss companies affected by the judgment. It is understood that EU authorities encouraged Switzerland, which is the beneficiary of an EU adequacy determination, to adopt a position more aligned with the EU’s following the judgement. Continue Reading
Life After Schrems II: Practical Recommendations In An Uncertain Time
On 16 July, 2020, the Court of Justice of the EU (“CJEU”), issued its decision in the Schrems II case. In short, the CJEU invalidated the EU-U.S. Privacy Shield and clarified that the use of standard contractual clauses (“SCCs”) requires data controllers to conduct a case-by-case assessment of the level of data protection that SCCs can provide, taking into account the nature of the personal data transfer(s) and the country of destination. For a more in-depth summary of the CJEU’s decision, please see our blog post here and our audiocast here.
Now, almost two months after the decision, it is an opportune time for businesses to take stock of what exactly happened and assess the practical implications of the judgement. The result of this impact analysis may be underwhelming for some. So far, European regulators have been mostly silent (save a few exceptions[1]) and have not issued any actionable guidance to speak of. In all fairness, the obligations imposed by the CJEU’s judgement may be just as daunting for regulators to apply in practice as for businesses. As a result, companies and practitioners are left grappling with what exactly they should do in the aftermath of this decision.
In this blog post, we set out some recommendations for immediate and long-term actions that businesses may want to consider implementing. Note, however, that much depends on the nature of the personal data transfers concerned. As can be gleaned from the CJEU’s judgement, some transfers are more sensitive than others, and some sectors are more sensitive than others (in particular, the electronic communications sector). These risk-based considerations should inform how businesses prioritize remedial actions going forward.
