General Data Protection Regulation
Subscribe to General Data Protection Regulation's Posts

State Privacy Patchwork Spreads with Signing of Colorado Privacy Act

On July 7, 2021, Colorado Governor Jared Polis signed the Colorado Privacy Act (CPA) into law, the latest in the recent wave of state privacy legislation but unlikely to be the last. The CPA will take effect July 1, 2023, six months after Virginia’s Consumer Data Protection Act (CDPA) and the California Privacy Rights Act (CPRA) become effective. Organizations subject to the new Colorado law will have to prepare for new consumer rights and restrictions with respect to Colorado consumers’ personal data. What follows are key takeaways from the CPA and the implications for businesses grappling with the changing privacy landscape in the US.

Applicability and Exemptions

Not all organizations will be covered by the new CPA. To be subject to the law, an organization must do business in Colorado and meet one of the following requirements:

  • The organization processes data on 100,000 or more Colorado consumers annually.
  • The organization processes data on 25,000 or more Colorado consumers annually and “sells” any personal data.

This applicability threshold sets a relatively high bar, and many companies that are subject to the California Consumer Privacy Act of 2018 (CCPA)/CPRA may not meet these thresholds in Colorado.

There are a number of exemptions and limitations built into the Colorado law. Personal data regulated under existing federal privacy regimes, such as the Health Insurance Portability and Accountability Act (HIPAA), will be exempt from the CPA, as will personal data about employees and others “acting in a commercial or employment context.” Further, the CPA’s substantive requirements will not limit organizations’ ability to process data for legal compliance, fraud prevention, security, contract fulfillment or any “internal operations that are reasonably aligned with the expectations of the consumer based on the consumer’s existing relationship” with the organization.

Substantive Rights Largely Mirror Other State Privacy Laws

The CPA establishes a number of substantive rights that Colorado consumers will have with respect to their personal data. In general, these rights mirror those in the existing laws in California and Virginia, including the following:

  • Notice. Covered organizations will be required to disclose data collection and processing details in their public-facing privacy policies. In addition, a new “duty of purpose specification” requires that companies identify the “express purposes for which personal data are collected and processed.” Whether existing privacy policies are sufficiently “express” for these purposes will be an important consideration for organizations under the CPA and one that will likely lead to both confusion and potential regulation in the future.
  • Access, Correction and Deletion. Consumers will have the right to access, correct and delete their personal data. For the right to access, businesses will be required to provide data in a portable format where feasible.
  • Opt Out. Consumers have the ability to opt out of data “sales,” targeted advertising and high-risk automated “profiling.”
  • Opt In. As with the CDPA, businesses must seek opt-in consent before collecting or processing “sensitive personal data,” which includes data revealing an individual’s race, ethnicity, religious beliefs, [...]

    Continue Reading



Schrems II Special Report: What Does the CJEU’s Decision Mean for Transfers From the EEA to the US?

For our Schrems II Practical Guidance special report, members of McDermott’s internationally recognized Global Privacy & Cybersecurity group have outlined practical guidance and next steps to ensure your business is prepared for what’s next following the final ruling in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems.

As your organization navigates the post-Schrems II landscape following the CJEU’s recent decision, consider McDermott your first point of call. We have deep experience advising global clients on compliance with the complex array of privacy and cybersecurity obligations affecting data that crosses borders or relates to foreign employees and individuals.

Practical Guidance for Businesses (US Edition)

Practical Guidance for Businesses (Global – EEA/UK Edition)




Does GDPR Regulate My Research Studies in the United States?

The General Data Protection Regulation (GDPR) establishes protections for the privacy and security of personal data (Personal Data) about individuals in the European Union (EU) single market countries, and potentially affects the clinical and other scientific research activities of academic medical centers and other research organizations in the United States.

This On the Subject includes frequently asked questions that discuss the extent to which United States research organizations must comply with GDPR when conducting research. Future coverage will address the impact of GDPR on other aspects of the United States health care sector.

Continue reading.




Guide from the Italian Data Protection Authority on the Application of the GDPR: Recommendations on How to Get Started!

On April 28, 2017, the Italian Data Privacy Authority published a Guide on the application of the new General Data Protection Regulation (GDPR). The Guide does not set out implementing rules of the GDPR but rather provides a summary of “what will remain the same” and “what will change” in the main six areas covered by the GDPR:

  1. Legal basis for the processing
  2. Information to be provided to data subjects
  3. Data subjects’ rights
  4. Data controller,  data processor and persons in charge of the processing
  5. Data privacy risk assessment and accountability
  6. International transfer of data

In addition, for each of the above six macro areas, the Guide provides recommendations on the measures that companies and public entities can already put in place, in order to ensure compliance with specific provisions of the GDPR, which do not need further intervention at a national level for their implementation.

The Guide will be amended, updated or supplemented in light of the development of the debate at a national and European level on the application of the GDPR. The data protection authorities of France and the Netherlands published similar guides respectively on March 15 and April 13, 2017, which are however structured in a slightly different way, as they propose (especially the French one) a more systematic “step by step” methodology in order to help organizations get ready for the GDPR.

Elisabetta Pagone contributed to this blog post.




ECJ Confirms Dynamic IP Address May Constitute Personal Data But Can Be Logged to Combat Cyberattacks

On 19 October 2016, the European Court of Justice (ECJ) held (Case C-582/14 – Breyer v Federal Republic of Germany) that dynamic IP addresses may constitute personal data. The ECJ also held that a website operator may collect and process IP addresses for the purpose of protecting itself against cyberattacks, because in the view of the Court, preventing cyberattacks may be a legitimate interest of a website operator in its effort to continue the operability of its website.

The ECJ’s ruling was based on two questions referred to it by the German Federal Court of Justice (BGH). In the underlying German proceedings, a member of the German Pirate Party challenged the German Federal Government’s logging and subsequent use of his dynamic Internet Protocol (IP) address when visiting their websites. While the government is a public authority, the case was argued on the basis of German provisions that address both public and private website operators, and is therefore directly relevant for commercial companies.

(more…)




Brexit Update: The Effect of Brexit on Data Transfers between the United Kingdom and the European Union

With the United Kingdom having voted to leave the European Union (Brexit) on 23 June 2016, the free flow of personal data between the United Kingdom and EU and European Economic Area (EEA) countries is at risk. Even though Brexit will likely have the biggest impact on the financial sector, businesses in the United Kingdom that rely on the free flow of personal data to and from EU nations will also be affected. In particular, should the United Kingdom also leave the EEA and thus become a “third country” for the purposes of data protection laws, transfers to data processors in the United Kingdom would have to be based on an adequacy decision of the European Commission, standard contractual clauses (model contracts) or binding corporate rules.

Read the full article here.




Article 29 Working Party Publishes Statement on the Risk-Based Approach to Data Protection

On May 30, 2014, the European Union’s Article 29 Data Protection Working Party adopted “Statement on the role of a risk-based approach in data protection legal frameworks” (WP281).  The Working Party, made up of EU member state national data protection authorities, confirmed its support for a risk-based approach in the EU data protection legal framework, particularly in relation to the proposed reform of the current data protection legislation.  However, with a view to “set the record straight,” the Working Party also addresses its concerns as to the interpretation of such an approach and sets out its “key messages” on the issue.

Approaching Risk

In support of the risk-based approach, which broadly calls for increased obligations proportionate to the risks involved in data processing, the Working Party sets out examples of its application in the current Data Protection Directive (95/46/EC) and the proposed General Data Protection Regulation.  The Working Party confirms that the risk-based approach must result in the same level of protection for data subjects, no matter the size of the particular organisation or the amount of data processed.  However, the Working Party clarifies that the risk-based approach should not be interpreted as an alternative to established data protection rights, but instead a “scalable and proportionate approach to compliance.”  Consequently, the Working Party accepts that low-risk data processing may involve less stringent obligations on data controllers than comparatively high-risk data processing.

Key Messages

To conclude its views on the risk-based approach, the Working Party establishes 13 key messages – in summary:

  1. Protection of personal data is a fundamental right and any processing should respect that right;
  2. Whatever the level of risk involved, data subjects’ legal rights should be respected;
  3. While the levels of accountability obligations can vary according to the risk of the processing, data controllers should always be able to demonstrate compliance with their data protections obligations;
  4. While fundamental data protection principles relating to data controllers should remain the same whatever the risks posed to data subjects, such principles are still inherently scalable;
  5. Accountability obligations should be varied according to the type and risk of processing involved;
  6. All data controllers should document their processing, although the form of documentation can vary according to the level of risk posed by the processing;
  7. Objective criteria should be used when determining risks which could potentially negatively impact a data subject’s rights, freedoms and interests;
  8. A data subject’s rights and freedoms primarily concerns the right to privacy, but also encompasses other fundamental rights, such as freedom of speech, thought and movement, prohibition on discrimination, and the right to liberty, conscience and religion;
  9. Where specific risks are identified, additional measures should be taken – data protection authorities should be consulted regarding highly risky processing;
  10. WHile pseudonymising techniques are important safeguards that can be taken into account when assessing compliance, such techniques alone do not justify a reduced regime on accountability obligations;
  11. The risk-based approach should be assessed on a very wide scale and take into account every potential/actual adverse effect;
  12. The legitimate [...]

    Continue Reading



STAY CONNECTED

TOPICS

ARCHIVES