In this video, Justin Antonipillai (Wirewheel) and I discuss the CPRA and its potential effects with Alastair Mactaggart (Californians for Consumer Privacy). Mactaggart’s referendum sparked the passage of the California Consumer Privacy Act (CCPA) in 2018. This year, he has another referendum (Proposition 24) called the California Privacy Rights Act (CPRA), which aims to amend and strengthen the CCPA.
Co-authored by Prof. Woodrow Hartzog
It was inevitable. On Monday, Zoom joined an exclusive club of tech companies – Facebook, LinkedIn, Twitter, Microsoft, Google, Uber, Snap, and more. This club involves companies that have been under a Federal Trade Commission (FTC) consent decree. In a weird sense, for tech companies, being enforced against by the FTC for a privacy or security violation has become an initiation ritual to being recognized in the pantheon of the tech company big leagues.
As is the typical process, the FTC announced a complaint and consent order against Zoom for a violation of Section 5 of the FTC Act. More specifically, the FTC charged Zoom with unfair and deceptive data security practices related to encryption and efforts to bypass browser security safeguards.
In a surprising turn of events, the LGPD – Brazil’s new privacy law – went from an expected delayed implementation to being fully active. The twists and turns of the LGPD’s jolt to life make one’s head spin. It was originally scheduled to become active on August 16 of this year, but was then delayed until May 2021 due to Covid. Then the plan shifted with a proposal to shorten the delay to December 31 of this year. But the legislature then abruptly changed course and, through a maneuver, dropped all delays, reverting to the law’s original active date of August 16. So, to adapt something J.R.R. Tolkien might have said, we’ve journeyed to there . . . and there . . . and there, and back again . . .
Now, the switch has been flipped, and the LGPD has risen from the table. Instead of tracing the bizarre procedural maneuverings that got us to where we are, I want to provide some information about the LGPD that can help folks who are suddenly starting to contend with this new law.
• The LGPD stands for the name of the law in Portuguese – the Lei Geral de Proteção de Dados Pessoais.
• Regulatory sanctions for LGPD violations will not start until August 1, 2021.
• There is still no regulation to help implement the LGPD.
• Like the GDPR, the LGPD is extraterritorial in its scope. This means that it applies to organizations outside of Brazil offering goods or services to people in Brazil that process the personal data of people in Brazil.
In this video, we discuss Privacy and Women’s Equality, Leadership, and Mentorship with Alisa Bergman (Adobe), Lindsey Finch (Salesforce), Tanneasha Gordon (Deloitte) and Susan Markel (Wirewheel). I hosted this discussion along with Justin Antonipillai (Wirewheel).
Numerous privacy laws are requiring that companies provide individuals with data rights — rights to access their data, correct their data, learn about uses of their data, delete their data, and more. Administering these rights can be quite complicated for organizations.
In this video, I discuss the aftermath of Schrems II with Justin Antonipillai (Wirewheel) and Peter Swire (Georgia Tech and Alston & Bird).
Peter Swire’s new Lawfare piece on how to address the individual redress issue is “After Schrems II: A Proposal to Meet the Individual Redress Challenge.”
In Facebook Ireland Ltd. v. Maximillian Schrems (Schrems II) (July 16, 2020), the European Court of Justice (CJEU) invalidated the Privacy Shield, a widely used method to transfer personal data from the EU to the US. The decision also put other data transfer mechanisms—Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs)—into significant doubt. The court’s concern was the deficiency of the US law’s regulation of government surveillance, and this concern is difficult to fix with better contracts or stricter binding rules. The decision has thus left great uncertainty about how most forms of personal data transfer can occur from the EU to the US.
Professor Paul Schwartz and I recently edited the Schrems II decision for our Information Privacy Law casebook. Schrems II is short for Facebook Ireland Ltd. v. Maximillian Schrems — the second challenge by Maximillian Schrems to the transfer of data between the EU and US. In Schrems I, the European Court of Justice (CJEU) invalidated the Safe Harbor Arrangement, which was a special arrangement to transfer personal data from the EU to the US. Schrems II invalidated Privacy Shield and put other data transfer mechanisms into significant doubt. Editing the opinion was truly a challenging task, as the court’s prose is incredibly formal, wordy, and dry. After whittling it down to a few pages, I think I understand it a lot better, and I have the following reflections on the opinion as well as where we go from here.
Yesterday, the European Court of Justice issued its decision in Facebook Ireland v. Schrems, a case known as Schrems II. The court’s opinion sent shock waves throughout the privacy world. I had a terrific discussion with Justin Antonipillai (Wirewheel), Gabriela Zanfir-Fortuna (Future of Privacy Forum), Ralf Sauer (European Commission), Jocelyn Aqua (PwC) and Bob Litt (Morrison & Foerster, former General Counsel for the Director of National Intelligence) about the case. The video is about 1 hour and 20 minutes long.
My quick synopsis of Schrems I and Schrems II.