On October 10, 2023, California Governor Gavin Newsom signed S.B. 362, the Delete Act (the “Act”), into law.  The new law represents a substantive overhaul of California’s existing data broker statute, which requires data brokers to register with the California Attorney General annually.  The passage of the Act follows a renewed interest in data broker activity nationwide, including a request for comments from the Consumer Financial Protection Bureau and the introduction of similar legislation at the federal level.   Below, we outline a number of key provisions:

Continue Reading California Amends Data Broker Law

Late yesterday, the EU institutions reached political agreement on the European Data Act (see the European Commission’s press release here and the Council’s press release here).  The proposal for a Data Act was first tabled by the European Commission in February 2022 as a key piece of the European Strategy for Data (see our previous blogpost here). The Data Act will sit alongside the EU’s General Data Protection Regulation (“GDPR”), Data Governance Act, Digital Services Act, and the Digital Markets Act.

Continue Reading Political Agreement Reached on the European Data Act

The Connecticut legislature passed Connecticut SB 3 on June 2, 2023.  If enacted by the governor, the bill would amend the Connecticut Data Privacy Act (“CTDPA”) to include a number of provisions related to health and minors’ data. Additional detail on the CTDPA can be found in our previous blog post here.

The health-related provisions would take effect on July 1, 2023.  Most provisions related to minors’ data would take effect on October 1, 2024.  However, requirements that social media platforms “unpublish” or delete certain minors’ accounts would come into effect on July 1, 2024.

As reflected in this bill, state legislatures appear increasingly focused on health privacy.  Connecticut’s bill comes on the heels of Nevada’s SB 370, which the Nevada legislature passed, and which, if enacted, would impose requirements on consumer health data.  Both the Nevada and Connecticut bills resemble Washington’s My Health My Data Act, although they appear generally narrower in scope.  For additional detail on Washington’s My Health My Data Act, please review our blog post here.

Continue Reading Connecticut Legislature Passes Amendments to the Connecticut Data Privacy Act

On May 28, 2023, the Texas legislature passed the Texas Data Privacy and Security Act, making it the sixth state to pass a comprehensive data privacy law this year.  The Act shares many similarities with Virginia, although there are some distinctions.  If signed into law, the Act would take effect on July 1, 2024.  This blog post summarizes the Act’s key takeaways.

  • Scope: The Act applies to a person that (1) conducts business in Texas or produces products or services consumed by Texas residents, and (2) processes or engages in the sale of personal data (“sale” means a disclosure of personal data to a third party for “monetary or other valuable consideration”).  The second prong of this language is not found in other comprehensive state privacy laws and so does not have a well-settled interpretation.   The scope of the Act also excludes a small business as defined by the United States Small Business Administration, except with respect to the provision that requires small businesses to obtain consumer consent prior to selling sensitive data.
  • Consumer Rights:  Consumers have rights to: (1) confirm whether a controller is processing their personal data and access such personal data; (2) correct inaccuracies in the consumer’s personal data; (3) delete personal data provided by or obtained about the consumer; (4) obtain a portable copy of the consumer’s personal data; and (5) opt out of processing for purposes of (a) targeted advertising (defined as displaying advertisements that are selected based on the consumer’s activities over time and across nonaffiliated websites), (b) the sale of personal data, or (c) profiling (the definition is limited to “solely automated processing”) in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.  The Act also requires controllers to implement opt-out preference signals by January 1, 2025.
  • Sensitive Data: Controllers must obtain consent before processing a consumer’s sensitive data.  Sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexuality, or citizenship or immigration status; genetic or biometric data processed to identify individuals; personal data collected from a known child; and precise geolocation data (i.e., identifies a consumer within a radius of 1,750 ft.).  If a controller sells sensitive data or biometric data, it must post a specific notice (i.e., “NOTICE: We may sell your [sensitive/biometric] personal data.”) in its privacy notice.
  • Controller & Processor Contracts:  The Act uses the terms “controller” and “processor.”  Under the Act, processors must assist controllers in meeting their obligations, including responding to consumer requests and conducting data protection assessments.  The Act would require certain contractual terms between controllers and processors, including those requiring the processor to maintain a duty of confidentiality.
  • Data Protection Assessments: The Act requires controllers to conduct data protection assessments of processing activities that involve targeted advertising, the sale of personal data, profiling (in limited circumstances), sensitive data, or otherwise present a heightened risk of harm to consumers. 
  • Enforcement & Cure: The Texas Attorney General has the exclusive authority to enforce the Act.  The Act provides controllers and processors with a 30-day cure period, which would not expire.

On May 4, 2023, the Court of Justice of the European Union (‘CJEU’) decided, in case C-487/21, that the right to obtain a ‘copy’ of personal data means that the data subject must be provided with a faithful and intelligible reproduction of all personal data.  This can also include documents or extracts from databases containing personal data, where it would be necessary to ensure that the personal data is intelligible, as per Article 15(3) GDPR.

Continue Reading CJEU Clarifies the Right to Obtain a Copy of Personal Data under the GDPR

On April 26, 2023, the General Court of the European Union issued its judgment in Case T-557/20, SRB v EDPS.

The Court held that pseudonymized data transmitted to a data recipient will not be considered personal data if the data recipient does not have the means to re-identify the data subjects.  The Court also clarified that an individual’s opinions cannot be assumed to be personal data; instead, a case-by-case assessment is necessary.

Continue Reading EU General Court Clarifies When Pseudonymized Data is Considered Personal Data

Washington’s My Health My Data Act (“HB 1155” or the “Act”), which would expand privacy protections for the health data of Washington consumers, recently passed the state Senate after advancing through the state House of Representatives.  Provided that the House approves the Senate’s amendments, the Act could head to the governor’s desk for signature in the coming days and become law.  The Act was introduced in response to the United States Supreme Court’s Dobbs decision overturning Roe v. Wade.   If enacted, the Act could dramatically affect how companies treat the health data of Washington residents. 

This blog post summarizes a few key takeaways in the statute.

Continue Reading Washington’s My Health My Data Act Passes State Senate

On March 24, 2023, the Austrian Supervisory Authority (“Austrian SA”) held that a credit referencing agency (“Agency”) breached the GDPR by unlawfully processing personal data obtained from a third party in order to conduct credit assessments.  It decided that the Agency breached the GDPR’s principle of lawfulness because it did not have a valid legal basis to process the personal data.  This case will be relevant for organizations assessing their lawful basis for processing personal data.

Continue Reading Austrian Supervisory Authority Issues Decision on the Collection of Personal Data by Credit Referencing Agency

On March 2, 2023, the Court of Justice of the EU (“CJEU”) decided, in case C-268/21, that the GDPR applies to the production of evidence in civil court proceedings. The case sets limits on, but does not preclude, the production of personal data in court proceedings. 

The case arose from a dispute between a construction company and its customer concerning payment for construction works. The customer requested a Swedish court to order the construction company to provide a copy of its electronic staff register containing, among other things, the identity of the people involved in the construction works and the hours they had worked – construction companies are required to maintain such a registry under Swedish tax law. The construction company opposed the order, claiming that the reuse of the register in the context of a civil dispute was incompatible with the initial purpose of the register and therefore not allowed under GDPR. The Swedish Supreme Court referred the matter to the CJEU seeking answers on (i) whether the GDPR applies to the production of evidence containing personal data in court proceedings; and (ii) whether national courts, when assessing whether the production of evidence containing personal data has to be ordered, should have regard to the interests of the data subjects concerned. 

The CJEU found that the production of evidence containing personal data ordered by a court in the context of judicial proceedings constitutes data processing under the GDPR. The CJEU also held that, in this case, providing the register under a court order served a different purpose (i.e., civil proceedings) from the one for which the data had been collected initially (i.e., tax compliance).

However, according to the court, this “secondary use” of the register was permissible on the basis of Article 6(1)(e), (3) and (4) GDPR, because the “secondary use” was made under a national or EU law seeking to safeguard an objective referred to in Article 23(1) of the GDPR. The CJEU held that the proper administration of justice – for example through the production of documents to court – was one of those objectives. The result of this is that, in assessing whether disclosure of documents in court proceedings is consistent with the GDPR, national courts will have to assess on a case-by-case basis whether the relevant provisions of national or EU law under which the documents are being disclosed meet one of the objectives in Article 23(1) of the GDPR, and whether the disclosures are necessary and proportionate to meet those objectives. Where only a partial disclosure of personal data is justified, the court should consider data minimization measures, such as pseudonymization.

Other national developments

Similar questions have been raised at the national level.

On March 8, 2023, the French Court of Cassation held that the right to obtain evidence in civil procedures can justify the production of documents affecting the personal lives of third parties. The case related to the production of pay slips of other employees, which were essential evidence for the claimant’s allegation that their employer had violated equal-pay laws. The Court held that such production of documents was permissible provided that the documents formed essential evidence for the claimant’s claim, and that the interference with privacy was proportionate to the aim pursued. However, courts will still have to limit access to documents to what is strictly necessary. 

On January 11, 2023, the Italian Garante decided that the production in civil law proceedings of a former consultant’s email communications was unlawful under data protection law. The dispute arose from a complaint concerning a company’s access to e-mails sent by a former consultant using their company e-mail account. In the context of civil proceedings, which occurred following the termination of the consultant’s agreement with the company, the company accessed the e-mails and produced some of them as evidence.

The Garante decided that the right to produce evidence does not waive the right to data protection, especially where the data concerned (electronic communications) is subject to special guarantees of secrecy under the Italian Constitution. In particular, the Garante held that the company’s legitimate interest in processing personal data to defend its own rights in court did not invalidate the consultant’s right to protection of their personal data. Unlike the two decisions above, this case involved the proactive disclosure of a third party’s personal data in a proceeding by one of the parties – not a document production ordered by a court.

                              *                             *                             *

Covington’s Data Privacy and Cybersecurity Practice monitors CJEU and national cases closely and reports on relevant Court decisions and Advocate General opinions. If you have any questions about the interaction between data protection and local laws, we are happy to assist.

On February 28, 2023, the European Data Protection Board (“EDPB”) released its non-binding opinion on the European Commission’s draft adequacy decision on the EU-U.S. Data Privacy Framework (“DPF”).  The adequacy decision, once formally adopted, will establish a new legal basis by which organizations in the EU (as well as the three EEA states of Iceland, Liechtenstein, and Norway) may lawfully transfer personal data to the U.S., provided that the recipient in the U.S. certifies to and abides by the terms of the DPF (see our previous blogpost here). 

The Commission sought the EDPB’s opinion pursuant to Article 71(1)(s) of the GDPR.  The EDPB welcomes the fact that elements of the DPF represent a substantial improvement over the Privacy Shield, which was annulled by the EU Court of Justice (“CJEU”) in Schrems II (see our previous blogpost here).  Nonetheless, the EDPB notes some concerns and seeks clarification on certain aspects of the DPF from the Commission.  For example, the EDPB welcomes the establishment of a specific mechanism by which non-U.S. persons may seek redress for certain U.S. government surveillance of their personal data, but calls on the Commission to closely monitor the implementation of this mechanism in practice.

Continue Reading EDPB Releases its Opinion on the Proposed EU-U.S. Data Privacy Framework