Last week, Virginia’s Joint Commission on Technology and Science held its second meeting of the Consumer Data Protection Work Group.

Instead of following a detailed rulemaking process for implementation like that provided for in the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA) is being reviewed over the next few months by a group of state officials, business representatives, and advocates. This group will publish recommendations by November 1, 2021, which the state legislature can consider if it amends the law before the VCDPA goes into effect on January 1, 2023. A stated goal of the group is to align the VCDPA with other privacy laws that states are enacting around the country.

At the meeting, the group heard public comments as well as a presentation by Deputy Attorney General Samuel Towell on behalf of the Office of the Attorney General of Virginia (OAG). The presentation covered issues that the OAG sees with the VCDPA’s implementation and proposed a number of recommendations for the group to consider: Continue Reading Virginia Consumer Data Protection Work Group Holds Second Meeting, Hears Recommendations from the Office of the Virginia Attorney General

The Cyprus Presidency of the Council of the European Union has made clear its objective to achieve a general partial approach on certain articles of the new legislative package on data protection by December 2012, with a view to having the whole legislative package adopted in 2013 or early in 2014. 

The Cyprus Presidency has so far achieved agreement within the Justice and Home Affairs (JHA) Council (a body that brings together the justice and interior ministers of the EU Member States and whose remit includes civil protection) on three principal issues: (i) to avoid creating additional and disproportionate costs for small and medium-sized businesses, (ii) to implement a common set of data protection regulations for the private and public sector, with some flexibility for public-sector organizations and (iii) to limit the enhanced powers proposed in the new legislative package so that the EU Commission is not able to regulate through delegated acts without the approval of the European Parliament.

While the Cyprus Presidency has been praised by Viviane Reding, Vice President of the EU Commission, for supporting the new reform package, it is clear that there is still a lot of work to be done to bring the package into law.

For more information, see:



On January 12, 2023, the Court of Justice of the EU (“Court”) decided that the GDPR’s right of access gives a data subject the choice between asking a controller for (i) the identity of each data recipient to whom the controller will or has disclosed the data subject’s personal data or (ii) only the categories of data recipients.  The controller must comply with the data subject’s request, unless it is impossible to identify those recipients (e.g., because they are not yet known) or the controller demonstrates that the data subject’s access request is “manifestly unfounded or excessive.”

Continue Reading Court of Justice of the EU Decides that GDPR Right of Access Allows Data Subjects to Request the Identity of Each Data Recipient

The Colorado Attorney General released updated draft rules interpreting the Colorado Privacy Act on December 21, 2022 (“Draft Rules”).  These revisions follow a series of stakeholder sessions on November 10th, 15th, and 17th.  The Attorney General will convene a formal rulemaking hearing on February 1, 2023.  In advance of the formal rulemaking hearing, stakeholders may submit written comments for consideration. 

Continue Reading Colorado Attorney General Releases Revised Colorado Privacy Act Draft Rules

On December 15, 2022, the Advocate Generals (“AG”) of the Court of Justice of the European Union (“CJEU”) issued two separate opinions in cases C‑487/21 and C‑579/21 on the right of access, pursuant to Article 15 GDPR.  The first case concerns the proper interpretation and application of Article 15(3), which permits a data subject to obtain a “copy” of their personal data, among other things. The second case concerns whether the right of access includes the right to receive the identity of the controller’s employees, who are processing the data subject’s personal data in the scope of their employment.

Continue Reading CJEU’s Advocate General Issues Opinions on the GDPR’s Right of Access to Personal Data

The upcoming date of December 27, 2022, marks the end of the roughly one year and a half-long transition period that companies had to replace any the old versions of the standard contractual clauses for international transfers of personal data by the new standard contractual clauses, which the European Commission adopted on June 4, 2021.  As of December 27, 2022, EU Supervisory Authorities may start GDPR enforcement proceedings against any companies that still on to the old version of the standard contractual clauses.

Covington is well placed to assisting clients in amending their contracts to take into account the new standard contractual clauses and, more generally, to ensure compliance with the GDPR rules on international data transfers.

Continue Reading Countdown for Implementing the New EU Data Transfer Contracts and Overview of other EU Transfer Developments

Earlier this month, the UK Information Commissioner’s Office (“ICO”) announced a fine in a case that involved inferring health data and using this for marketing. The ICO found that catalogue retailer Easylife Limited (“Easylife”) had profiled 145,400 individuals for inferred health conditions without their consent, based on certain “trigger products” that they had purchased from Easylife’s Health Catalogue.  For example, if a customer bought a jar opener or a dinner tray, Easylife would infer that the customer might have arthritis, and then call them to market glucosamine joint patches. The ICO has fined Easylife £1.48 million: £1.35 million for using customers’ personal information to sell health-related products without their consent, and a further £130,000 for making unsolicited direct marketing calls.

Continue Reading ICO Fines Easylife £1.48 Million For Data Protection and E-Marketing Violations

On October 7, 2022, President Biden signed an Executive Order directing the steps that the United States will take to implement its commitments under the new EU-U.S. Data Privacy Framework.  The framework was announced by the U.S. and the EU Commission in March 2022, after reaching a political agreement in principle (see our blog post here).

The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities is intended to address the concerns raised by the Court of Justice of the EU (“CJEU”) in its Schrems II judgment on July 16, 2020, which annulled the EU-U.S. Privacy Shield (see our blog post here).  There, the CJEU held that the U.S. did not provide an “essentially equivalent” level of data protection to that found in the EU, due in part to extensive powers granted to U.S. law enforcement and intelligence agencies to access individuals’ personal data, and an absence of effective legal remedies for EU residents in connection with those powers.  The CJEU focused on two U.S. authorities in particular:  FISA Section 702 and Executive Order 12333.

To address these concerns, the new Executive Order sets forth certain “privacy and civil liberties safeguards” for U.S. signals intelligence activities and creates a new method of redress for non-U.S. persons from “qualifying states.”  In particular, and among other provisions, the Executive Order:

  • Provides that U.S. signals intelligence activities shall be “necessary” and “proportionate” to a “validated intelligence priority.”  The Executive Order provides that U.S. signals intelligence activities may only be conducted following a determination that they are “necessary to advance a validated intelligence priority,” and “only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorized.”  Exec. Order § 2(a)(ii)(A).  The Executive Order also specifies certain “legitimate objectives” and “prohibited objectives” for which U.S. signals intelligence activities may be carried out.  Exec. Order § 2(b).  For example, the Executive Order defines “legitimate objectives” to include understanding or assessing the capabilities, intentions, or activities of foreign organizations that pose a current or potential threat to the national security of the U.S. or its allies or partners; protecting against terrorism, the taking of hostages, and the holding of individuals captive conducted by or on behalf of a foreign government, foreign organization, or foreign person; and understanding or assessing transnational threats that impact global security.  Exec. Order § 2(b)(i).
  • Sets forth requirements for the handling of personal information collected through signals intelligence.  Each element of the U.S. Intelligence Community that handles personal information collected through signals intelligence must establish policies and procedures to minimize the dissemination and retention of personal information.  Exec. Order § 2(c)(iii)(A).  For example, under the Executive Order, the U.S. Intelligence Community may not disseminate personal information collected through signals intelligence solely because of a person’s nationality or country of residence, and shall retain non-U.S. persons’ personal information “only if the retention of comparable information concerning United States persons would be permitted under applicable law.”  Exec. Order § 2(c)(iii)(A).  The Executive Order further provides that each element of the Intelligence Community must maintain appropriate training requirements to ensure that employees with access to signals intelligence know and understand the requirements of the Order.  Exec. Order § 2(d)(ii).  The Executive Order encourages the Privacy and Civil Liberties Oversight Board to review the U.S. Intelligence Community’s updated policies and procedures to ensure that they are “consistent with the enhanced safeguards” contained in the Order.  Exec. Order § 2(c)(v).
  • Establishes a mechanism for non-U.S. persons to seek review of the U.S. Intelligence Community’s signals intelligence activities.  Within sixty days of the Executive Order’s issuance, the Director of National Intelligence (“DNI”), in consultation with the U.S. Attorney General and the heads of elements of the U.S. Intelligence Community, shall establish a process for the submission of “qualifying complaints transmitted by the appropriate public authority in a qualifying state.”  Exec. Order § 3(b).  To implement this redress mechanism, the Attorney General may designate a country or regional economic integration organization a “qualifying state” based on a determination, in consultation with the Secretary of State, the Secretary of Commerce, and the DNI, that the country’s or organization’s laws establish “appropriate safeguards” for U.S. persons’ personal information that is transferred from the United States.  Exec. Order § 3(f).  The DNI’s Civil Liberties Protection Officer (“CLPO”) will investigate, review, and, as necessary, order “appropriate remediation” for complaints from qualifying states.  Exec. Order § 3(c).  “Appropriate remediation” may include, depending on the specific covered violation at issue, terminating acquisition of data where collection is not lawfully authorized, deleting data that had been acquired without lawful authorization, or restricting access to lawfully collected data to those appropriately trained.  Exec. Order § 4(a).
  • Creates a Data Protection Review Court to review the CLPO’s determination regarding qualifying complaints.  The Attorney General, in consultation with the Secretary of Commerce, the DNI, and the Privacy and Civil Liberties Oversight Board, shall appoint judges to serve on a newly created Data Protection Review Court, who will be legal practitioners with appropriate experience in the fields of data privacy and national security law, and who may not be U.S. government employees.  Exec. Order § 3(d).  Following the CLPO’s determination, the complainant (or, in the event of an adverse decision against the U.S. government, an element of the U.S. Intelligence Community) may apply to the Data Protection Review Court for review of the CLPO’s decision.  Exec. Order § 3(c)(i)(E).  Upon receipt of an application for review, a three-judge panel of the Data Protection Review Court will convene to review the application and select a special advocate to assist with the review, including by advocating the complainant’s interest in the matter.  Exec. Order § 3(d)(i)(B)‑(C).  The Data Protection Review Court’s determination shall be binding on the U.S. Intelligence Community.  Exec. Order. § 3(d)(ii).

The European Commission will now review the Executive Order and commence drafting a new adequacy decision pursuant to Article 45 of GDPR.  The European Commission must then hear from the European Data Protection Board (“EDPB”) and the EU Member States.  The formal adoption process is expected to take around six months, and may result in the final adequacy decision’s publication in March 2023.

Once adopted, any new framework is certain to be pressure-tested before the EU courts.  To date, a number of privacy advocacy groups have issued statements opining that the new Executive Order is insufficient.


The Covington team will keep monitoring any developments on the EU-U.S. Data Privacy Framework and continue to report on them on our blog Inside Privacy.

On October 10, 2022 the draft rules implementing the Colorado Privacy Act (“CPA”) were officially published in the Colorado Register.  Written comments on the draft rules are due by November 7, 2022.  The CPA draft rules share some similarities with the draft rules set forth by the California Privacy Protection Agency (“CPPA”) interpreting the California Privacy Rights Act (“CPRA”).  Both sets of draft rules address requirements for privacy policy disclosures, consumer rights requests, and providing opt-out mechanisms.  However, there are a number of key differences between the two drafts. We highlight some of these below.

Continue Reading Colorado Attorney General Releases Draft CPA Rules

On September 8, 2022, the Brazilian Data Protection Authority (“ANPD”) launched a public consultation on the processing of minors’ personal data (encompassing children under 12-years-old and adolescents between the ages of 12- and 18-years-old).  The consultation will conclude on October 7, 2022.  According to the ANPD, the purpose of the consultation is to resolve divergent interpretations among public authorities, academics, privacy professionals, and representatives of civil society regarding the Brazilian Data Protection Law’s (“LGPD”) provision on the processing of minors’ personal data (Article 14).  The Authority will use the feedback it receives to draw up guidelines on the topic and, possibly, amend the LGPD.

Continue Reading Brazil’s ANPD Launches Public Consultation on the Processing of Minors’ Personal Data