Last week, Virginia’s Joint Commission on Technology and Science held its second meeting of the Consumer Data Protection Work Group.

Instead of following a detailed rulemaking process for implementation like that provided for in the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) is being reviewed over the next few months by a group of state officials, business representatives, and advocates. This group will publish recommendations by November 1, 2021, which the state legislature can consider if it amends the law before the VCDPA goes into effect on January 1, 2023. A stated goal of the group is to align the VCDPA with other privacy laws that states are enacting around the country.

At the meeting, the group heard public comments as well as a presentation by Deputy Attorney General Samuel Towell on behalf of the Office of the Attorney General of Virginia (OAG). The presentation covered issues that the OAG sees with the VCDPA’s implementation and proposed a number of recommendations for the group to consider.

The Cyprus Presidency of the Council of the European Union has made clear its objective to achieve a general partial approach on certain articles of the new legislative package on data protection by December 2012, with a view to having the whole legislative package adopted in 2013 or early in 2014. 

The Cyprus Presidency has so far achieved agreement within the Justice and Home Affairs (JHA) Council (a body that brings together the justice and interior ministers of the EU Member States and whose remit includes civil protection) on three principal issues: (i) to avoid creating additional and disproportionate costs for small and medium-sized businesses, (ii) to implement a common set of data protection regulations for the private and public sector, with some flexibility for public-sector organizations and (iii) to limit the enhanced powers proposed in the new legislative package so that the EU Commission is not able to regulate through delegated acts without the approval of the European Parliament.

While the Cyprus Presidency has been praised by Viviane Reding, Vice President of the EU Commission, for supporting the new reform package, it is clear that there is still a lot of work to be done to bring the package into law.

For more information, see: http://www.cy2012.eu/index.php/en/news-categories/areas/justice-and-home-affairs/feature-step-by-step-towards-data-protection

On September 8, 2022, the Brazilian Data Protection Authority (“ANPD”) launched a public consultation on the processing of minors’ personal data (encompassing children under 12 years old and adolescents between the ages of 12 and 18 years old). The consultation will conclude on October 7, 2022. According to the ANPD, the purpose of the consultation is to resolve divergent interpretations among public authorities, academics, privacy professionals, and representatives of civil society regarding the Brazilian Data Protection Law’s (“LGPD”) provision on the processing of minors’ personal data (Article 14). The Authority will use the feedback it receives to draw up guidelines on the topic and, possibly, amend the LGPD.

On 18 July 2022, following its recent response to the public consultation on the reform of UK data protection law (see our blog post on the response here), the UK Government introduced its draft Data Protection and Digital Information Bill (the “Bill”) to the House of Commons.

The Bill is 192 pages, and contains 113 sections and 13 Schedules, which amend and sit alongside existing law (the UK GDPR, Data Protection Act 2018 (“DPA”), Privacy and Electronic Communications Regulations 2003 (“PECR”), the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, etc.). Some readers’ immediate reaction might be to query whether the Bill will simplify the legislative framework for businesses operating in the UK and facilitate the goal of the Information Commissioner to provide “certainty” for businesses. Time will tell. The Government’s publication of a Keeling Schedule (essentially a redline of the UK GDPR and DPA 2018 showing the changes resulting from the Bill), expected in the Autumn, will be welcome.

Much of the content of the Bill was previewed in the Government’s consultation response and includes proposed changes that are designed to try to reduce the administrative burden on business to some extent. The Bill is by no means a radical departure from existing law, however, and in some key areas – such as data transfers – the law will essentially remain the same. But we now have additional important details on proposed changes to UK data protection law, and we set out in this post our immediate thoughts on some details that are worth highlighting.

This quarterly update summarizes key federal legislative and regulatory developments in the second quarter of 2022 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and data privacy, and highlights a few particularly notable developments in U.S. state legislatures.  In the second quarter of 2022, Congress and the Administration focused on addressing algorithmic bias and other AI-related risks and introduced a bipartisan federal privacy bill.

More than seven months after China’s Personal Information Protection Law (《个人信息保护法》, “PIPL”) went into effect, Chinese regulators have issued several new (draft) rules over the past few days to implement the cross-border data transfer requirements of the PIPL. In particular, Article 38 of the PIPL sets out three legal mechanisms for lawful transfers of personal information outside of China, namely: (i) successful completion of a government-led security assessment, (ii) obtaining certification under a government-authorized certification scheme, or (iii) implementing a standard contract with the party(-ies) outside of China receiving the data. The most recent developments in relation to these mechanisms concern the standard contract and certification.

On June 14, 2022, representatives of the EU’s Consumer Protection Cooperation (CPC) Network, together with several national data protection authorities in the EU and the secretariat of the European Data Protection Board (“EDPB”), endorsed five key principles for fair advertising to children (see press release here).  These recommendations are based on relevant requirements in EU data and consumer protection laws.

According to the authorities, this joint initiative arises from the proliferation of digital business models that increasingly rely on the use of personal data for commercial purposes, which may be subject to specific rules under both data privacy and consumer protection legislation in Europe. 

In their joint statement, the authorities cited research indicating that children (defined as any individual below the age of 18 years old) are unable to recognize certain forms of advertising, particularly ads that are deeply embedded in the context of digital media and online games, and as a result, they are particularly susceptible to certain forms of advertising potentially inappropriate for children. Therefore, the authorities published these key principles for businesses to apply in order to (1) avoid practices that can be harmful for children and (2) better inform children about when and how their data is used for advertising purposes.

The five advertising principles are:

  1. Take into account the specific vulnerabilities of children when designing advertising or marketing techniques that are likely to target children (in particular, do not deceive or unduly influence them, and consider whether certain types of personalized marketing are inappropriate for them altogether);
  2. Do not exploit the age or credulity of children when engaged in marketing;
  3. Explain to children, in a manner that is appropriate and clear to them, whenever general marketing content is addressed to them or is likely to be seen by them;
  4. Do not target, urge or prompt children to purchase in-app or in-game content, and games marketed “for free” should not require in-app or in-game purchases to continue playing them in a “satisfactory manner”; and
  5. Do not profile children for advertising purposes. 

The authorities emphasize that these five key principles are without prejudice to applicable EU laws, particularly in the areas of consumer protection and data privacy, including any applicable national implementing rules. 

These principles follow a wave of recent child-oriented standards published by European data protection authorities, including (among others) the UK ICO’s Age Appropriate Design Code (see our blog posts here and here), the Irish DPC’s Fundamentals for a Child-Oriented Approach to Data Processing (see our blog posts here, here and here), and the French CNIL’s Eight Recommendations for Protecting Children Online (see our blog post here). 

Moreover, the latest draft of the EU’s Digital Services Act, which has been provisionally agreed by the European Parliament and the Council, requires providers of digital services to implement specific safeguards for protecting children.  Among other things, it requires putting in place “appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service”.  It also prohibits providers from showing targeted advertising on their platforms using personal data of individuals who they are “aware with reasonable certainty” to be minors. 

These developments demonstrate the continued focus of European lawmakers and regulators on safeguarding the interests of children, and the importance of businesses staying apprised of these evolving rules and putting in place appropriate measures to ensure compliance.  

The Covington team will keep monitoring any developments in the area of children’s privacy and is happy to assist with any inquiries on the topic.

On May 4, 2022, the General Court of the EU handed down a decision that helps clarify the standard of proof required to demonstrate that information that does not identify someone by name constitutes “personal data” under EU data protection law.  The court also clarifies that the burden of proof falls on the entity alleging that the information is personal data.

The case concerns an online press release published by the European Anti-Fraud Office (“OLAF”) announcing that it had determined that a Greek scientist had committed fraud using EU funds intended to finance a research project. Among other things, the scientist alleged that the press release contained “personal data” about her and, therefore, OLAF breached data protection law because it did not have a legal basis to disseminate her “personal data”. She also alleged that OLAF’s press release had enabled two journalists to identify her and each write an article mentioning her by name.

The court disagreed with the position taken by the scientist, holding that she was not able to demonstrate that the published information enabled her identification and, therefore, she had not demonstrated that the information was “personal data”. It also decided that OLAF was not responsible for the news articles that identified the scientist by name.

Nine million texts are sent daily in Ireland, a huge increase on when the first text was sent in 1992.  All are subject to the data retention and access regime currently in place under the Communications (Retention of Data) Act 2011.  That regime has now been given the kiss of death by the Court of Justice of the European Union (“CJEU”) in its recent decision on a referral by the Irish Supreme Court dealing with the validity of electronic communications evidence collected under it.

The legislation, brought in to transpose EU Directive 2006/24, regulates the retention of data by electronic communications providers and access to that data by state authorities.

On April 12, at the International Association of Privacy Professionals’ global privacy conference, Colorado Attorney General Phil Weiser gave remarks on his office’s approach to the rulemaking and enforcement of the Colorado Privacy Act.