In Facebook Ireland Ltd. v. Maximillian Schrems (Schrems II) (July 16, 2020), the European Court of Justice (CJEU) invalidated the Privacy Shield, a widely-used method to transfer personal data from the EU to the US. The decision also put other data transfer mechanisms—Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCRs)—into significant doubt. The court’s concern was the deficiency of the US law’s regulation of government surveillance, and this concern is difficult to fix with better contracts or stricter binding rules. The decision has thus left great uncertainty about how most forms of personal data transfer can occur from the EU to the US.
In a surprising turn of events, the LGPD–Brazil’s new privacy law–went from an expected delayed implementation to being fully active. The twists and turns of the LGPD’s jolt to life make one’s head spin. It was originally scheduled to become active on August 16 of this year, but then delayed until May 2021 due to Covid. But then the plan shifted with a proposal to shorten the delay to December 31 of this year. But the legislature then abruptly changed course and through a maneuver, dropped all delays, reverting back to the law’s original active date of August 16th. So, to adapt something J.R.R. Tolkien might have said, we’ve journeyed to there . . . and there . . . and there, and back again . . .
Now, the switch has been flipped, and the LGPD has risen from the table. Instead of tracing the bizarre procedural maneuverings that got us to where we are, I want to provide some information about the LGPD that can help folks who are suddenly starting to contend with this new law.
• The LGPD stands for the name of the law in Portuguese – the Lei Geral de Proteção de Dados Pessoais.
• Regulatory sanctions for LGPD violations will not start until August 1, 2021.
• There is still no regulation to help implement the LGPD.
• Like the GDPR, the LGPD is extraterritorial in its scope. This means that it applies to organizations outside of Brazil offering goods or services to people in Brazil that process the personal data of people in Brazil.
In this video, we discuss Privacy and Women’s Equality, Leadership, and Mentorship with Alisa Bergman (Adobe), Lindsey Finch (Salesforce), Tanneasha Gordon (Deloitte) and Susan Markel (Wirewheel). I hosted this discussion along with Justin Antonipillai (Wirewheel).
Numerous privacy laws are requiring that companies provide individuals with data rights — rights to access their data, correct their data, learn about uses of their data, delete their data, and more. Administering these rights can be quite complicated for organizations.
In this video, I discuss the aftermath of Schrems II with Justin Antonipillai (Wirewheel) and Peter Swire (Georgia Tech and Alston & Bird).
Peter Swire’s new Lawfare piece on how to address the individual redress issue is After Schrems II: A Proposal to Meet the Individual Redress Challenge.