Cybersecurity and data privacy regulations were complicated well before the global pandemic. Since COVID-19 swept the world, Brazil has delayed enacting its new general data protection law, California’s CCPA has gone through enforcement changes, and businesses in the U.S. are in limbo after the European Union Court of Justice overturned a Privacy Shield commonly used to satisfy US/EU data transfers. John Jackson, who chairs Jackson Walker’s Cybersecurity Litigation group, provides an update on the current status of the alphabet soup of data security regulations involving Brazil’s LGPD, the European Union’s GDPR, and California’s CCPA.
This article and the podcast were updated August 27, 2020, to include up-to-date information about the status of Brazil’s LGPD.
Greg Lambert: Hi, everyone. I’m Greg Lambert, it’s August 26th, and this is Jackson Walker Fast Takes.
Cybersecurity and data privacy are major issues even prior to the global pandemic’s effect on business operations. But these issues have definitely amplified since the beginning of the pandemic. I asked Jackson Walker litigation partner John Jackson to come on the show to talk about current events and data privacy. John, welcome to JW Fast Takes.
John Jackson: Thanks very much. Happy to be here.
Greg Lambert: So, let’s jump in. What are some of the recent issues that you’re seeing when it comes to data privacy?
John Jackson: Despite the fact that we’re still in the middle of a pandemic and it’s the summer, data privacy has actually been extremely busy with lots of developments all around the world. In particular, today, I’d like to talk about three different developments – one in Brazil, one in California, and then the other in the European Union.
Greg Lambert: I know that Brazil created its own version of the EU’s General Data Protection Regulation, or GDPR, which they are calling the LGPD. How is Brazil handling the data protection issue?
John Jackson: In Brazil, they were actually planning to come out with their version of the GDPR, which is the big European legislation impacting personal data that’s been in effect for a couple years now. Recently, however, Brazil decided to postpone implementation for another year because of the COVID pandemic. So, everyone gets a bit of a reprieve with that because the Brazilian law was on the forefront of people’s minds, because it did require some additional items and some different aspects that weren’t present in the GDPR. So, it would have been something that they had to comply with by August 20 had it not been postponed. Everyone can avoid worrying about that for a little while—until next year, at least.
Greg Lambert: For those who listened to this podcast when it came out on Wednesday, there was a change in Brazil’s decision on the LGPD that just happened, and I wanted to update, with John Jackson’s approval, his answer to what Brazil is doing. While it appeared that Brazil’s LGPD, which was inspired by the GDPR, was going to be postponed until 2021, that is no longer the case.
In a shocking decision, on August 26, 2020, the Brazilian Senate reversed the planned postponement of the LGPD, and that law will now become effective as soon as it is approved by the president. That could happen any day and will happen within 15 days. There is even discussion of making the effective date retroactive to August 16, 2020.
Originally, the LGPD was supposed to take effect on August 16, 2020. Due to the COVID-19 pandemic, however, it was postponed to May of 2021. On August 25, 2020, the House of Representatives approved an alternative that would make that law effective on December 31, 2020. One potential bright spot is that administrative sanctions for violating the LGPD will not go into effect until August 1, 2021. Nevertheless, companies who do business in Brazil will need to make LGPD compliance a high priority again. So, that should get us up to date as of August 27th as to where we stand with Brazil’s LGPD.
Greg Lambert: At least we get a bit of a reprieve from Brazil. But what about back here in the United States? What are some of the recent developments in the California Consumer Privacy Act, or CCPA, state regulations?
John Jackson: California continues to be at the forefront of personal data, certainly in terms of the United States. There’s been a couple of developments there. First, July 1 was the date on which the CCPA became effective for purposes of enforcement. And so the Attorney General in California began sending out letters to potential offenders and violators. The other thing that came about is that there were some proposed regulations relating to the CCPA that were issued in June. There had been several previous incarnations of these regulations, but those had all culminated in a set of proposed final regulations. Those actually became effective and the AG signed off on them on August 14. And so now, in addition to enforcing the terms of the statute itself, the AG in California is also able to pursue enforcement action with respect to those regulations that became final on August 14. That’s significant for a couple of reasons.
First, kind of, the big requirement that a lot of companies haven’t necessarily paid attention to are the accessibility guidelines for the notices under the CCPA. And what this means is that the notices and the content relating to the implementation of the requirements for the California act have to be accessible to consumers with disabilities. It’s not enough to just have the language posted on your website in the traditional manner; there also has to be the mechanism in place so that disabled persons are able to access the California privacy policy and to exercise their rights under that act. The other change a little bit is that for entities that are deemed to sell personal information as that has been broadly defined by California, those entities have to have a “DO NOT SELL” link posted at the bottom of their website. Under the previous version of the proposed regulations, there was some alternative language that said “Do not sell my information” that was going to be acceptable, but that was actually eliminated from the final regulations. Now, the exact language for that link has to read “Do Not Sell My Personal Information.” And so companies who are already complying with that alternate language in the expectation that alternative would be acceptable need to go back to the original language that’s in the statute.
Greg Lambert: And John, of course, it wouldn’t be a data privacy conversation if we didn’t talk about the EU’s GDPR, which started it all. What are some of the current issues that you’re seeing in relation to the GDPR?
John Jackson: Sure. In Europe, the big development over the summer was that in July, there was an appellate court that invalidated the Privacy Shield. The Privacy Shield was a mechanism under which companies located in the United States could obtain a certification and work to obtain evidence that their particular practices were deemed to be acceptable to Europe for purposes of transferring personal data from EU residents to the United States. At least provide assurances that their data collection and processing practices were acceptable to those in the EU, even though it’s not exactly compliant with the GDPR just by itself, it at least gave those entities a significant head start on showing they were doing what was necessary to satisfy the concerns of the regulators in Europe. But unfortunately, in July, that entire structure was determined to be invalid by the EU appellate court. And so for that reason, companies are in a little bit of a limbo in terms of what they need to do to be able to obtain personal data from EU residents and lawfully process and collect that data when it’s being transferred from the EU to the United States.
Greg Lambert: Well, John, thanks for coming on and discussing the current issues surrounding data privacy regulations from across the globe.
John Jackson: My pleasure. Thanks very much.
The music is by Eve Searls.
This podcast is made available by Jackson Walker for informational purposes only, does not constitute legal advice, and is not a substitute for legal advice from qualified counsel. Your use of this podcast does not create an attorney-client relationship between you and Jackson Walker. The facts and results of each case will vary, and no particular result can be guaranteed.