Since Europe’s General Data Protection Regulation took effect in May 2018, a growing number of legislatures around the world have introduced comprehensive data protection laws that emulate the GDPR or have updated existing laws to align with it. California became the first major non-European economy to catch the GDPR wave with the enactment of the California Consumer Privacy Act of 2018 in June 2018. Since then, the GDPR and the CCPA have dominated the privacy compliance agendas of most businesses and may continue to do so given the challenges posed by the Schrems II decision and California’s recent adoption of the California Privacy Rights Act of 2020. However, other major economies are catching up, and the late-2020 developments summarized in this post have made clear that the privacy world beyond Europe and California will demand increasing attention from businesses in 2021 and beyond.
After a long period of uncertainty, Brazil’s Lei Geral de Proteção de Dados (LGPD) took effect on September 18, 2020. Among other requirements similar to those imposed by the GDPR, the LGPD requires organizations to establish legal bases to process personal data, give detailed privacy notices, honor Brazilians’ requests to exercise data subject rights, provide data breach notifications and adhere to cross-border data transfer restrictions. For further details on the LGPD’s requirements, see our detailed summary.
Violators of the LGPD face fines of up to 2% of the organization’s Brazilian revenue for the previous year, but fines are capped at R$50 million per violation. Although administrative enforcement of the LGPD has been delayed until August 2021, public prosecutor actions and private lawsuits based on the LGPD have emerged. On September 21, 2020, just days after the LGPD took effect, the Ministério Público do Distrito Federal e dos Territórios (MPDFT), a public prosecutor in Brasília, filed a civil action based on the LGPD. The MPDFT alleged that a data services company’s sale of personal data of half a million Brazilians violated the LGPD, which in turn constituted a violation of privacy protections guaranteed by Brazil’s Constitution. Shortly thereafter, a Brazilian court ordered a construction company to pay R$10,000 in moral damages for sharing personal data about an apartment purchaser without consent and in violation of the LGPD. More private and public prosecutor lawsuits under the LGPD are expected to follow given the litigiousness of Brazil’s legal system.
Meanwhile, Brazil’s newly constituted data protection authority, the Autoridade Nacional de Proteção de Dados Pessoais (ANPD), issued guidance on December 8, 2020, that addresses, among other things, when the LGPD applies, the legal bases that data controllers may use to process personal data, Brazilian citizens’ rights under the LGPD, and actions that public and private organizations must take to comply with the LGPD. The guidance also outlines the ANPD’s powers under the LGPD, which include, among other things, conducting investigations and issuing sanctions for violations of the LGPD, developing guidance, promoting data protection education and awareness, and cooperating with data protection authorities in other countries.
On November 17, 2020, the Canadian government introduced the Digital Charter Implementation Act, 2020 (DCIA). If passed, the DCIA will enact the Consumer Privacy Protection Act (CPPA), a new private sector privacy law, and establish a new Personal Information and Data Protection Tribunal.
The CPPA would give Canadians:
- rights to plain language disclosures about the use of their personal information
- new data mobility rights that allow them to direct transfers of their personal information between organizations
- broader rights to compel deletion of their personal information and withdraw consent to use it
- rights to transparency about how businesses use algorithmic decision making to make significant predictions, recommendations or decisions about them
The law would also require businesses to:
- implement a privacy management program, including policies, practices and procedures designed to ensure compliance with the CPPA
- meet certain standards (similar to those of the GDPR) to rely on consent to process personal information and ensure that processing of personal information without consent falls within certain enumerated exceptions (e.g., when required to deliver a requested service and other purposes akin to those for which the GDPR does not require consent)
- meet certain standards to use de-identified data without consent
For further details, see the Government of Canada’s Fact Sheet.
The CPPA would substantially increase the potential consequences of noncompliance. Currently, the Office of the Privacy Commissioner (OPC) must ask the Federal Court to enforce its orders unless organizations consent to comply with them. Under the CPPA, the OPC would have broader powers, including the power to compel compliance with the CPPA, to bar the collection or use of personal information and to fine organizations up to 5% of their global revenue or CAD $25 million, whichever is greater.
On October 21, 2020, China released its draft Personal Information Protection Law (PIPL). The PIPL aims to provide national and comprehensive protection of personal data for residents of mainland China, drawing substantially from the GDPR. The PIPL, if passed, will coexist alongside China’s existing Cybersecurity Law, Data Security Law and the PRC E-Commerce Law.
The PIPL would apply not only to organizations that operate in China, but also to organizations located outside China that process personal data of individuals resident in China for the purpose of providing them with products or services or analyzing or evaluating their behavior. The law also contemplates the potential expansion of its extraterritorial reach by future legislation or regulatory action.
Notably, the PIPL would require a company seeking to transfer personal data out of China to first undergo a security assessment by the Cyberspace Administration of China (CAC) if the company operates certain critical information infrastructure or the transfer involves a volume of data above a threshold to be specified by the CAC. Otherwise, the company may proceed with the transfer so long as it has (a) a data protection certification issued by a professional organization in accordance with CAC regulations or (b) executed an agreement with the foreign recipient requiring it to process the data in accordance with the PIPL’s standards.
However, the PIPL would authorize the CAC to prohibit transfers on an ad hoc basis to recipients whose data processing may harm Chinese citizens’ privacy interests or endanger Chinese national security or public interest.
The PIPL would also emulate the GDPR by treating consent as one of several legal bases on which an organization may be able to process personal data and by imposing data breach notification requirements.
The PIPL proposes significant penalties for serious violations, including rectification orders, confiscation of illegal gains, business suspension, revocation of business licenses and fines for noncompliant organizations of up to RMB 50 million or 5% of their revenue in the previous year. Individuals responsible for an organization’s data protection measures would also be subject to fines of up to RMB 1 million.
On December 1, 2020, the New Zealand Privacy Act 2020 (Privacy Act) became effective and repealed and replaced the Privacy Act 1993.
The Privacy Act gives New Zealand’s privacy regime extraterritorial effect by providing that the law applies to organizations that collect personal information in the course of “carrying on business” in New Zealand, even if the organization does not have a place of business in New Zealand.
The Privacy Act also requires organizations to notify the Office of the Privacy Commissioner (OPC) and affected individuals of privacy breaches that have caused or are likely to cause serious harm to those individuals. Notifications must be made as soon as practicable after the organization becomes aware of the privacy breach unless certain exceptions apply.
The Privacy Act restricts the transfer of personal information outside of New Zealand unless the receiving organization is:
- subject to the Privacy Act
- subject to privacy laws that provide safeguards comparable to those in the Privacy Act
- subject to a specified binding scheme (e.g., binding corporate rules)
- subject to the privacy laws of a country to be specified in regulations or
- required (e.g., by contract) to protect the data in a way that, overall, provides comparable safeguards to those in the Privacy Act
The OPC recommends using its model contractual clauses to ensure that the required safeguards are implemented for cross-border data transfers, but organizations can modify the clauses so long as the relevant contract requires comparable safeguards.
If none of the above exceptions apply to the data transfer, an organization may make the cross-border transfer with the consent of the relevant individuals, who must be expressly informed that their personal information may not be given the same protection as provided by the Privacy Act.
Organizations that fail to notify the OPC of a notifiable privacy breach, fail to comply with a compliance notice of the OPC or otherwise violate the Privacy Act face fines of up to NZ$10,000 per violation. The Privacy Act also introduces potential criminal penalties for certain fraud-related violations of the law and permits enforcement by private lawsuits in certain circumstances.
For more details, see the New Zealand Privacy Commissioner’s website.
While these emerging laws resemble the GDPR and the CCPA in certain respects, compliance with the GDPR or the CCPA does not equate to compliance with global privacy laws. Companies that do business internationally would be well-advised to employ a global perspective in designing their 2021 compliance efforts to ensure they address the rapidly expanding scope of privacy laws beyond Europe and California.