Five Key Things to Know about California Privacy Rights Act (CPRA)

The California Privacy Rights Act 2020, the CPRA, is a US state privacy law that took effect in December 2020 and comes into force fully on 1 January 2023. The CPRA expands the existing California Consumer Privacy Act (CCPA) to protect the rights of California consumers. CPRA defines and protects sensitive personal information, places a duty on businesses to put in place reasonable information security measures and expands the right to delete personal information.  The right to opt-out of the sale of personal information (called “Do Not Sell”) has been extended to include limits on non-sale data sharing (“Do Not Share”). The law creates a new regulator called the California Privacy Protection Agency, which will inherit the California Attorney General’s rule making and enforcement powers from 1 July 2021.

  1. What types or organisations are covered by CPRA?

The law applies to Businesses, defined in four categories 1.1, 1.2, 1.3 and 1.4:

(1.1) A legal entity organised or operated for the profit or the financial benefit of shareholders, that collect consumers’ personal information or have personal information collected on its behalf.  This entity also determines the purposes and means of the processing of consumers’ personal information, alone, or jointly with others, does business in the state of California and meets one or more of the following threshold criteria:

(a) As of January 1, of the calendar year, have annual gross revenues more than $25,000,000 in the last calendar year, or

(b) Alone or in combination, annually buy or sell, or share the personal information of 100,000 or more consumers or households, or

(c) Creates 50% or more of its annual revenues from selling or sharing consumers’ personal information.

(1.2) Any entity that controls or is controlled by a business falling within criteria 1.1 (above) and that share common branding and consumers’ personal information with each other.

(1.3) A Joint Venture or Partnership composed of businesses in which each business has at least a 40 percent interest. Each business in the Joint Venture or Partnership is seen as a separate single business.

(1.4) Organisations doing business in California, but are not covered by criteria 1.1, 1.2 or 1.3 above and voluntarily certifies to the California Privacy Protection Authority that they are compliant.

2. What types of data or information are covered by CPRA?

Like the CCPA, the CPRA protects the personal information of California consumers. Personal information includes many different types of data and information including identifiers (name, address, social security number and online identifiers etc), protected characteristics, commercial information, biometric information, internet activity, geolocation data, audio files, visual files, employment information, education information, profiles and inferences taken from data that reveal a consumer’s characteristics, psychology, predispositions, attitudes and intelligence.

The CPRA introduces a new category of sensitive personal information which includes a wide range of personal data such as passport details, driving licence details, specific geolocation information, race or ethnic origin information, genetic data and biometric data. These types of data require greater protection. 

3. What are the main CPRA obligations for businesses?

Businesses must ensure that:

(i) When selling or sharing personal information with third parties, binding contracts are in place to ensure that third parties comply with CPRA requirements and their contractual obligations.

(ii) Service providers and contractors must help businesses to respond to verifiable personal information CPRA requests. Service providers are not required to fulfil requests received directly from consumers.

(iii) They inform consumers about the data categories they collect and whether information will be sold or shared.

(iv) Businesses cannot collect additional categories of personal information in ways that are incompatible with the original purposes, once the businesses inform consumers of these purposes.

(v) Third-parties that control personal information collection must provide the same disclosures on their website, as the business that engages them.

(vi) Have systems that protect availability, authenticity, integrity, and confidentiality of personal information. Detect security incidents, resist malicious, deceptive, fraudulent, or illegal actions and ensure the physical safety of individuals. Reasonable security practices and procedures must be introduced, including robust email address and password protections.

(vii) Ensure that consumers can exercise their right to limit or restrict the use of sensitive personal information and receive full notices about data use, purposes and retention.

(viii) Ensure that consumers can exercise their rights to request deletion and correction of their personal information.

(ix) Put in place clear policy and procedures for children under 16 years old to opt-in to the selling or sharing of their personal information.

(x) Develop clear data retention and deletion policy and retention schedules to ensure that personal information is deleted when legitimate use ends.

4. If businesses comply with the European Union’s General Data Protection Regulation (GDPR) and the CCPA, will they automatically comply with CPRA?

No. GDPR, CCPA and CPRA have different scopes, definitions and compliance requirements. However, there are important similarities. Organisations that are governed by CCPA are very likely to fall within the CPRA’s scope. CPRA is more closely aligned with GDPR than CCPA. GDPR data mapping and records of processing activity logs can help to identify California consumers’ personal information. Data privacy notices, policies, information security frameworks created for another law can be tailored to meet the requirements of CPRA. Data processing agreements, supply chain contracts and online notices must be specifically updated for CPRA. Do Not Sell and Do Not Share notices and their underlying management systems are unique to CCPA and CPRA and require specific technical solutions.

5. Does the CPRA apply to businesses or organisations in other US states or to foreign companies?

Yes, it can. If a business or organisation falls within the CPRA qualifying criteria and holds personal information about California consumers, then CPRA applies. Businesses that are based in other US states and companies from outside of the United States may also have to comply with the CCPA.  All organisations should seek specialist advice, review new CPRA regulations, monitor the development of the CPRA enforcement, examine official guidance and watch the regulator, the California Privacy Protection Agency for interpretation and priorities.

Five Key Things to Know about European Data Protection (GDPR) Representatives

Introduction

The General Data Protection Regulation (GDPR) applies directly to companies and organisations located in the European Union (EU) and around the world. The law has a deliberately wide scope, based on how personal data about individuals in the EU are collected, used, monitored and stored. Companies and organisations that do not have an established presence in the EU must appoint a Data Protection Representative (Representative) based in the EU in line with Article 27 of the GDPR. This rule is not new, it has been an EU requirement, in a more limited form, since 1995. The Representative allows individuals in the EU to directly enforce their data protection rights and gives EU GDPR regulators a reliable point of contact within their countries.

The Representative is a strategic role, helping foreign companies and organisations to actively monitor GDPR regulators’ priorities, enforcement and key guidance. It is also practical, allowing individuals, users and consumers in the EU to have an access point in the EU. The Representative is more likely to communicate with them in local languages and appreciate local risks, norms and expectations. The Representative is also legally required to understand data flows that affect individuals based in the EU by being involved with GDPR Records of Processing Activities (ROPAs).

1. What types of companies or organisations need European Data Protection Representatives?

Companies and organisations that have no established presence in the EU but process the personal data of individuals in the EU and carry out activities that are covered by the GDPR. This applies whether the personal data processing takes places inside or outside of the EU. The company or organisation can be a Controller or Processor as defined by the GDPR. However, non-EU based public bodies, government organisations, diplomatic missions and consular posts do not have to appoint European Data Protection Representatives.

2. When does a company or organisation need to appoint a European Data Protection Representative?

Companies and organisations should review their data flows, personal data inventories and GDPR ROPAs on a continuous basis to check if their activities are covered by the GDPR. Where companies and organisations offer goods or services to individuals in the EU, even free services, or monitor the behaviour of individuals based in the EU, the need for a European Data Protection Representatives must be considered. That a non-EU website, email address and other contact details are accessible within the the EU, does not, by itself, mean a Representative is required. Companies and organisations should consider whether they use EU languages in their trading or work, use EU currencies, deploy marketing targeted at EU users and consumers or provide users with direct facilities to order and receive goods and services. The use of geographic targeting technologies, cookies, profiling EU users and other monitoring and surveillance could indicate the need for a Representative. Foreign companies and organisations that employ staff, contractors, distributors and agents in the EU are also likely to need to consider appointing a European Data Protection Representative.

The requirement does not apply if the processing of personal data about those in the EU is occasional, small scale or there is no large-scale processing of special categories of personal data or criminal records data that negatively impact the rights and freedoms of individuals.

3. What are the legal duties and key requirements of European Data Protection Representatives?

EU GDPR Representatives:

(a) Must maintain ROPAs of the Controller’s or Processor’s personal data flows.

(b) Cooperate with EU GDPR regulators (Supervisory Authorities).

(c) Be situated in an EU country where individuals who are offered goods, offered services or have their behaviour monitored, are based.

(d) Be appointed by the foreign-based Controller or Processor and can be contacted by EU GDPR regulators and individuals in the EU, in addition to, or instead of, the Controller or Processor.

(e) Act as the Controller’s or Processor’s Representative, but the Controller and Processor remain responsible, liable and directly subject to legal and regulatory action in the EU.

(f) Carry out the Data Protection Representative Service as specifically agreed with the Controller or Processor.

(g) Are subject to enforcement proceedings for non-compliance by the Controller or Processor.

(h) Are designated and appointed in writing by the Controller or Processor.

4. What are the differences between GDPR-appointed Data Protection Officers and GDPR European Data Protection Representatives? Can the roles be carried out by the same person or organisation?

The Data Protection Officer is largely an internal appointment who must act independently and report to the highest level of management in a company or organisation. The Data Protection Officer should not perform an operational role in charge of data processing in the organisation, at the same time. The Data Protection Representative is largely outward facing, positioned to liaise with individuals whose personal data are being processed and with EU GDPR regulators. The Representative is not restricted from taking part in the operational aspects of the Controller’s or Processor’s data processing activities.

The Representative must act within the terms of the appointment and the mandate of the Controller or Processor, as a type of agent. The Representative is not legally required to be independent but must represent and stand in the place of the Controller or Processor within the EU. If a single entity or person attempted to act as both a GDPR Data Protection Officer and a European Data Protection Representative at the same time, there is likely to be a conflict of interest and practical limitations. However, both roles share the need for ROPA expertise and the ability to work effectively with individuals and EU GDPR regulators.

5. The United Kingdom (UK) has left the EU, should UK Data Protection Representatives be appointed to comply with UK data protection law? Do companies and organisations based in countries that have a data protection adequacy agreement with the EU need to appoint European Data Protection Representatives?

The UK’s exit from the EU means that it is no longer an EU Member State. The UK Information Commissioner’s Office (ICO), the data protection and GDPR regulator, is no longer a GDPR Supervisory Authority or member of the European Data Protection Board (EDPB). The UK has carried forward the GDPR, and so where a company or organisation needs to appoint a European Data Protection representative, if the same or similar data processing activities take place in the UK, a UK Data Protection Representative should be appointed. This requirement will continue even when the UK gains a data protection adequacy agreement from the EU. At present, all companies and organisations in the European Economic Area (EEA) and those based in countries that have an EU data protection adequacy agreement still need to appoint Data Protection Representatives in the EU, if they process personal data, have no established presence within the EU but offer goods, offer services (even for free), or monitor individuals’ behaviour in the EU.  This is true, even where this data processing activity never takes place on equipment that operates within the EU (or the UK).  

To access our European Data Protection (GDPR) Representative services, UK Data Protection Representative services, Data Protection Officer services or Brexit data services, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS012021

Brexit Now: Future Impacts on UK, EU, EEA and Global Personal Data

Briefing

On 24 December 2020, the European Union (EU) and the United Kingdom (UK) signed the EU-UK Trade and Cooperation Agreement (the “Trade Deal”) to provide an ordered and more certain outcome for the end of the transition period on 31 December 2020. A process of ratifications will take place in January 2021.  A no-deal Brexit has been avoided, but this Trade Deal has been described as “thin.” The Trade Deal includes a zero-tariff regime for many goods. The UK economy is approximately 20% in goods, leaving the majority 80% of services sectors with operational uncertainties. The EU’s combined economy is 25% goods and 75% services. From a data protection, General Data Protection Regulation (GDPR) and information security perspective, the Trade Deal provides some clarifications. However, there are still uncertainties to be worked out in the coming months and years.

UK Data Protection Adequacy

The UK will not receive a data protection adequacy decision from the EU before 31 December 2020. As a result, the Trade Deal has extended the data protection status quo that operated during the Brexit transition period, for a further 6 months to June 2021. UK data protection adequacy is not guaranteed in June 2021 and adequacy could be withheld by the EU, but the language of the Trade Deal appears optimistic. An adequacy decision will allow personal data to flow freely from the UK to the EU/European Economic Area (EEA) and from the EU/EEA to the UK, without the need to use the international data transfer mechanisms in the GDPR designed for non-EU third countries. The Trade Deal states that the UK will not be considered a third country for EU/EEA to UK data transfers, for the purposes of EU GDPR, during the agreed extension period. Companies and organisations have a grace period, but still need to plan for the future based on an adequacy decision and also non-adequate third country status.

The need for new EU and UK Data Protection Representatives

Whatever the outcome of UK data protection adequacy decision and its timing, the UK remains outside the EU. This has been a legal reality since 31 January 2020. Companies and organisations (though, not public bodies) without a presence in the EU, offering goods, services or monitoring EU citizens in the EU, will need to appoint an EU Data Protection Representative, in one of the EU’s member states, as soon as possible. This is a legal requirement under Article 27 of GDPR. The EU-UK Withdrawal Agreement and related changes to UK data protection laws require UK Data Protection Representatives for organisations based outside the UK, without a presence in the UK, who offer goods, services or monitor UK citizens in the UK. Companies and organisations, in the UK, EU, EEA and around the world should conduct gap analysis and determine whether these services are legally required.

The UK Information Commissioner’s Office (ICO) reduced role

The ICO is one of the largest and most active data protection and GDPR regulators. Its English language output has a substantial impact on large parts of the world and on international organisations. Brexit means that it is no longer an EU Supervisory Authority under GDPR and so companies and organisations should repatriate key EU GDPR roles to other Supervisory Authorities based within the EU. Ireland’s Data Protection Commission is a near-neighbour substitute. These EU GDPR roles include registering Data Protection Officers, registering Binding Corporate Rules (BCRs), making referrals to the Court of Justice of the European Union (CJEU) and participating in the work of the European Data Protection Board (EDPB) and European Commission. The ICO’s future output will bind UK companies and organisations and foreign companies doing business in the UK. The extent to which most EU, EEA and international companies, who have an EU lead GDPR Supervisory Authority, will be bound by its guidance, codes of practice, decisions and enforcement is uncertain. It is also unclear how closely the ICO will consider or follow the opinions, recommendations and decisions of the EDPB, CJEU and the European Commission. The ICO will have very little direct legal obligation to do so, going forward. The ICO’s role in the maturing and development of the EU’s GDPR will reduce over time.

The Trade Deal: Clear for Goods, More uncertain for Services

The service sectors in the UK and EU generate, use and share a lot of personal data and special categories of personal data. The Trade Deal is focused primarily on goods, security cooperation, trade dispute resolution mechanisms and other discreet areas of trade and cooperation. Data flows in many services sectors such as financial services, information technology, business services, professional services, ecommerce/online retail, leisure, tourism, travel, sports, the arts, entertainment and personal services are affected by Brexit. Established data flows will be changed by new trading restrictions, new processes and limits on data sharing. New data flows will be created that companies and organisations must map, risk assess, manage and add information security protections. Businesses and organisations in the UK may increasingly turn to non-EU partners, suppliers and customers as UK government policy promotes global trade and new international trading corridors. This will create both challenges and opportunities and require better management of international data transfers, supply chain risks, information security resilience, human rights compliance risks and geopolitical risks.

Complexities in Information Security and Cybersecurity

As the UK is no longer a member of key EU institutions, the immediate future will be uncertain as security, information security and cybersecurity relations are re-established or reconstituted. The UK will lose direct member access to the European Union Agency for Cybersecurity (ENISA), Europol and Eurojust. Cooperation on cross-European cybersecurity threats, risks and responses will be negatively affected in the short to medium term. Companies and organisations should monitor these relationships and bolster their individual cyber defence capabilities. Businesses operating in or enabling critical national infrastructure or regulated sectors such as financial services, healthcare, pharmaceuticals and high value engineering, will need to adopt more substantial measures. Will there be future conflicts over whether UK or EU/EEA cybersecurity standards will apply between UK and EU/EEA partners?  In the longer term, will international businesses choose to mandate EU/EEA information security standards over UK standards, or adhere to both at additional costs? Companies and organisations will need to strategize about appropriate solutions and sector norms.

Other Immediate and Future Impacts: Work, Travel, Employee Data, Procurement, Immigration, Professional Qualifications and related areas

Personal data requirements, collection, storage and sharing are affected in many common areas, impacting many companies, organisations, supply chains and staff mobility. Human Resources departments, already facing data protection and cybersecurity challenges from the coronavirus pandemic, will faces new, fast changing and unresolved data flows of employee data, including proof and authorisation of professional qualifications. Work permits, visa applications and new immigration rules will diversity data sets and introduce high risk data processing. Other departments and functions like sales, marketing, finance, compliance, legal, audit, information security and procurement will face immediate and longer term data and cybersecurity challenges. Companies and organisations will be in a constant process to realign, overcome uncertainties and fill gaps. The future will require embracing new ways of working together, doing business and sharing data and information between the UK, EU, EEA and globally.

For assistance with Brexit, GDPR and EU data flows, contact PrivacySolved:

London +44 207 175 9771

Dublin +353 1 960 9370

Email: contact@privacysolved.com

PS122020

Five Key Actions to Protect Post-Brexit Personal Data Flows

Briefing

Over time, the personal data impacts of the United Kingdom (UK) leaving the European Union (EU) will be revealed. The scope of any free trade deal that addresses data protection will set the scene for immediate and long-term personal data flows. In the short to medium term, any adequacy decision will minimise costs and disruption to companies and organisations. The impact of the Court of Justice of the European Union’s Schrems II decision on Privacy Shield, as it applies to the UK, will also become clearer as decisions are made. The future will include new European Commission data protection Standard Contractual Clauses (SCCs) for personal data transfers to non-EU countries. It is likely that the UK Information Commissioner’s Office (ICO) could seek to adopt its own international personal data transfer mechanisms and arrangements over time. It is important for companies and organisations to be strategic, measured and deliberate in choosing the way forward.

Strengthen long-term Data Protection Strategy

Companies and organisations should be very clear about their ongoing data protection strategy. For UK companies with limited EU / European Economic Area (EEA) and foreign operations, they must decide their level of proximity to the EU’s General Data Protection Regulation (GDPR) or adopt a more flexible ad hoc approach to anticipate changes to UK data protection laws. For EU and EEA companies and organisations that do business or offer services to UK customers, they must decide and confirm which data protection standard will be their baseline. They must decide the level of deviation that they will permit while accommodating emerging UK data protection norms while staying true to EU GDPR. International companies and organisations must decide on the level of exceptionalism that their data governance programmes will allow for the UK. They should decide whether the UK will be treated as a default EU member state for GDPR purposes and be held to evolving EU data protection standards, despite changes to their domestic or the UK data protection regimes.   

Engage with key suppliers and high risk high value contracts

It is important that companies and organisations create and maintain clear channels of communication with their extended supply chains to coordinate their future approaches to data protection. Contracts should be reviewed to ensure that terms which directly or indirectly rely on the UK’s membership of the EU should be reviewed and updated. Key definitions for “applicable data protection law” and many other EU / EEA-centric information should be reviewed to reflect the new realities. Standard Contractual Clauses (SCCs) should be considered for large scale and high risk EU / EEA to UK data transfers.   

Monitor as the UK becomes an international data adequacy deal maker

The European Union fiercely protects its allocation of data protection adequacy decisions to countries outside the European Union. The UK is fast becoming a broker in the expansion and allocation of data protection adequacy, beyond the EU’s direct remit. Most of the countries included on the EU’s data protection adequacy list have declared that the UK has data protection adequacy. This includes the larger economies like Switzerland, Argentina, Israel and Canada. Japan and the UK have agreed mutual data protection adequacy, which is linked to a new free trade deal. In time, it is likely that the UK and the USA will come to an arrangement on broad data protection adequacy or create a mutual Privacy Shield-type arrangement to accommodate their future economic relationship.  Companies and organisations should watch these developments, constantly assess personal data risks, analyse the longer term effects of the Schrems II decision and evaluate the proximity of new adequacy arrangements to EU GDPR.

Get value from EU Data Protection Representatives

Companies and organisations should use the end of the UK ICO’s role as an EU Supervisory Authority under GDPR as an opportunity for strategic thinking about their EU / EEA GDPR exposure. Data Protection Representatives should be appointed within the EU not just to comply with Article 27 of the GDPR, but to stay connected to EU / EEA customers and users, monitor the work and priorities of other EU based Supervisory Authorities and monitor key policy changes taking place in Brussels. EU Representatives should represent non-EU based (and UK) companies and organisations from within the EU, but also feedback to UK and international companies useful insights, trends, strategic positioning and information about enforcement priorities.  

Interact with and educate Users and Consumers

Companies and organisations should take the opportunity to update the places where they meet their users, transact with customers and provide information to them. This includes data protection policies and procedures, data protection notices, information security protocols, websites, publications, social media and staff training initiatives. GDPR Records of Processing Activities (ROPAs) should be updated to maintain transparency and accountability. Supply chains, consumers and users should not be surprised on 1 January 2021 with the sudden impacts of the end of the Brexit transition period, but should steadily receive information and guidance so that practical and strategic choices can be made by all parties.

PS112020

Cybersecurity: Key Data Security Sources for Surviving Covid-19

Briefing  

The coronavirus pandemic has created an explosion in information security awareness and a sense of hyper vigilance. Cybersecurity attacks have increased, especially malware, phishing, vishing and ransomware. As cyber awareness increases, boards, leadership teams and individuals need access to the most reliable sources of information and advice. Excellence, expertise and the ability to communicate security threats, risks, priorities, trends and effective responses are crucial. These trusted insights are vital for companies and organisations.  

Leading Data Security Sources: Centres of Excellence

The organisations below have consistently helped companies, organisations and individuals to identify threats, improve controls, increase training and reduce the risk of cybersecurity breaches and loss of reputation. Covid-19 has reinforced their importance. They understand the national and international security landscape. Their experience spans many sectors. Several of the organisations play a key role in national cybersecurity strategies and so are trusted by governments and the public services.   The organisations raise awareness, issue threat alerts, produce guidance, publish analysis, create training materials, lead certification activities, respond to data breaches, secure critical national infrastructure and work with companies and organisations to improve their cyber resilience.

UK National Cyber Security Centre (NCSC)

The NCSC was created in 2016 and spun out of the UK’s GCHQ. It combines the CESG (GCHQ’s information security arm), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK) and the cyber-related work of the Centre for the Protection of National Infrastructure (CPNI). It has responsibilities across government, for critical national infrastructure protection and the national cyber security strategy. Its guidance, standards-setting, alerts, website, social media, work with all sectors make it a leader in information security.  

National Institute for Standards and Technology (NIST)

NIST is non-regulatory agency of the United States Department of Commerce with a central role of promoting innovation and industrial competitiveness. Its main laboratory programmes include nanoscale science and technology, engineering, information technology, neutron research, material measurement, and physical measurement. For cybersecurity and data privacy, its standards and frameworks are very popular and underpin the information systems of organisations around the world. This work is supported by the Computer Security Resource Center (CSRC). Its guidance, standards, measurements, publications, website and social media output are authoritative.  

The European Agency for Cyber Security (ENISA)

ENISA is an agency of the European Union, created in 2005 and located in Athens and Heraklion in Greece. The agency works with EU Members States to advise, offer solutions and improve cybersecurity capabilities. It builds capacity to respond to large cross-border cybersecurity incidents or crises. It has developed cybersecurity certification schemes since 2015. ENISA acts as a key centre of expertise for member states, EU institutions and private organisations on network and information security. Its guidance, CERT co-ordination, standards, certification schemes, publications, website and social media output are highly influential.  

United States Computer Emergency Readiness Team (US-CERT)

US-CERT analyses and reduces cyber threats, vulnerabilities, disseminates cyber threat warnings and coordinates incident response activities. It uses advanced network and digital media analysis to identify malicious activity targeting networks in the United States and abroad. US-CERT is part of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Its work includes threat analysis and information sharing, digital analytics, operations, communications and international work. Its publications, advisories, alerts, analysis, advice, website and social media output are respected. Its unique selling point is to analyse and disseminate information about the most persistent international cybersecurity threats.

Federal Bureau of Investigations (FBI) – Cyber Division

Created in 2002, the FBI’s Cyber Division leads US national effort to investigate and prosecute internet crimes, cyber based terrorism, espionage, computer intrusions and major cyber fraud. It proactively informs the public about current trends in cybercrime. Its three key priorities are computer intrusion, identity theft and cyber fraud. It works with other agencies and takes part in cross-border initiatives.

Other Influential Data Security Organisations, include:

Australian Cyber Security Centre

Canadian Centre for Cyber Security

National Cyber Security Centre (Ireland)

National Cyber Security Centre (Netherlands)

National Cyber Security Centre (New Zealand)

The National Cybersecurity Agency of France

Cyber Security Agency of Singapore

PS102020