Dechert Cyber Bits - Issue 37

Dechert LLP
Articles in this issue

  • California Court Pauses Enforcement of Most Recent CCPA Regulations until March 2024
  • President Biden Nominates Two Republican Candidates to the FTC
  • European Commission Gives Green Light to New Data Privacy Framework
  • European Commission Proposes New Procedures for GDPR Enforcement in Cross-Border Cases
  • NY DFS Proposes Updated Second Amendment to Its Cybersecurity Regulation

California Court Pauses Enforcement of Most Recent CCPA Regulations until March 2024

On June 30, 2023, the Superior Court of California, County of Sacramento (California Chamber of Commerce v. California Privacy Protection Agency) held that the California Privacy Protection Agency (“Agency”) cannot enforce the regulations it promulgated under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), until March 29, 2024, exactly one year after the regulations were published. These regulations include, inter alia, additional requirements related to certain data subject requests (e.g., the right to correct), notice, opt-out preference signals, targeted advertising, data processing agreements, dark patterns, and enforcement.

As background, the Agency was tasked with promulgating additional regulations to support the amendments to the CCPA by July 1, 2022, but failed to meet that deadline. Enforcement of the revised regulations was intended to start a year later, on July 1, 2023. Because the Agency did not actually promulgate final regulations until March 2023, businesses subject to the CCPA would have had only three months to prepare for and comply with the new requirements in the regulations. Now, businesses will have the full 12 months that were originally contemplated.

Notably, the ruling affects neither the statutory text of the CCPA, nor the existing regulations that are not driven by the amendments to the CCPA. In addition, the Agency is still in the process of promulgating regulations addressing automated decision-making, cybersecurity audits, and risk assessments. Under the June 30, 2023 ruling, those regulations will not come into effect until one year following the date on which the Agency finalizes them.

Takeaway: The enforcement delay for the new requirements in the CCPA regulations is undoubtedly welcome news for California businesses subject to the CCPA. Such businesses now have a bit more time to prepare and implement changes to their compliance programs. However, covered businesses should continue to push forward and maintain their efforts to come into compliance with all requirements in the regulations as some (e.g., those related to identifying “known users” when honoring opt-out preference signals) are technical and will take time and third-party assistance to implement.

President Biden Nominates Two Republican Candidates to the FTC

On July 3, 2023, President Biden nominated Virginia Solicitor General Andrew Ferguson and Utah Solicitor General Melissa Holyoak to fill two vacant Republican seats at the Federal Trade Commission (“FTC” or the “Commission”). As background, the FTC consists of five commissioners, and no more than three may be from the same party. The two Republican seats have been vacant since the end of March, after the two Republican commissioners, Noah Phillips and Christine Wilson, resigned from their positions this past year. In a July 3, 2023 statement on the announcement of Ferguson and Holyoak’s nominations, Chair Khan congratulated them and stated that “[t]he Commission operates best at full strength.”

Ferguson has served as the Solicitor General of Virginia since February 2022, overseeing the state’s appellate litigation, including before the Supreme Court and the federal courts of appeals. He previously served as counsel to several Senators. Holyoak has served as Solicitor General of Utah since September 2020, managing appellate litigation as well as the antitrust and data privacy divisions.

Takeaway: Senate Republicans are likely to support the nominations to restore balance at the FTC, although the FTC’s agenda is unlikely to change, as Democrats will still control the Commission. One Republican commissioner resigned this term essentially in protest against the FTC’s aggressive enforcement, and the FTC has increasingly been accused of engaging in “regulation by enforcement action.” For those who think the FTC has lost its sense of practicality and gone too far in its enforcement actions, especially when dealing with tech companies, this is a welcome development, even if the only practical effect is to bring additional viewpoints into the discussion.

European Commission Gives Green Light to New Data Privacy Framework

The European Commission has adopted an adequacy decision in relation to the EU-U.S. Data Privacy Framework (“DPF”) providing a new mechanism for EU-U.S. data transfers to comply with the GDPR’s restrictions on exporting personal data.

The DPF replaces the EU-U.S. Privacy Shield system - a similar framework which was invalidated by the Court of Justice of the EU in July 2020 (and which itself replaced a previous iteration, Safe Harbour, which was similarly invalidated). Max Schrems, the individual who brought the court actions invalidating the previous frameworks, has announced an intention to challenge the DPF. However, the European Commission identified two major changes that purportedly address the previous critical issues with the Privacy Shield: (1) President Biden has signed an Executive Order limiting access by U.S. intelligence services to what is “necessary and proportionate;” and (2) a new Data Protection Review Court provides an impartial redress mechanism.

As with the previous iterations, the DPF is based on a system of self-certification. Organizations must commit to a set of privacy principles that reflect requirements under the GDPR. Certification also requires a submission to the U.S. Department of Commerce, disclosure of privacy policies and a public declaration of commitment to the DPF principles.

Takeaway: The DPF is in effect and open for enrollment. Organizations that are already Privacy Shield certified will be automatically rolled over onto a DPF certification but should update their documents and policies to reflect the new framework or formally withdraw. This is a critical step and should not be missed, as the FTC previously went after companies for continuing to hold themselves out as certified when the certification had lapsed, even when it was simply an administrative oversight (and the company actually was substantively in compliance). Many organizations have been relying on standard contractual clauses as their transfer mechanism. The DPF provides an important alternative for EU-U.S. transfers, but EU standard contractual clauses for international data transfers may still be the most appropriate mechanism in many cases of data transfers from the EU to the U.S.

See our full OnPoint Ready. Set. Flow: Green Light from the Commission for EU-U.S. Data Privacy Framework here.

European Commission Proposes New Procedures for GDPR Enforcement in Cross-Border Cases

On July 4, 2023, the European Commission published a proposed EU regulation laying down procedural rules for investigations by EU data protection authorities into non-compliance with the GDPR in cross-border cases. The proposal aims to (i) ensure that complainants and businesses under investigation are appropriately involved in data protection authorities’ investigations and decision-making processes; (ii) harmonize procedures for complaints and investigations across EU member states; and (iii) streamline cooperation between data protection authorities.

The proposed regulation will support due process in investigations by prescribing that complainants and businesses under investigation have a right to make submissions at key points in the investigative process. In addition, the proposed rules include a right for businesses under investigation to see the relevant documents collected by the data protection authority, enabling them to understand the basis for proposed decisions and to make submissions.

Takeaway: The proposal includes key rights for businesses under investigation by data protection authorities for breaching the GDPR to ensure that they can properly understand the case against them and make submissions in response. If adopted, the rules would provide a legislative basis to hold data protection authorities to account if due process is not followed in cross-border cases. Many European data protection authorities already show a willingness to work with companies to better understand the implications of their actions, but the new due-process protections likely will provide an important tool to ensure a baseline level of fairness.

NY DFS Proposes Updated Second Amendment to its Cybersecurity Regulation

On June 28, 2023, the New York Department of Financial Services (“NY DFS”) published an updated proposed Second Amendment to its Cybersecurity Regulation (23 NYCRR Part 500) in the New York State Register, revising the proposed Second Amendment it had published on November 9, 2022. Part 500 took effect in 2017 and applies to entities licensed by the NY DFS (including financial institutions and money transmitters), requiring, among other things, that such entities build and maintain a written cybersecurity program covering their information systems and the personal data they process.

The latest proposed Second Amendment is substantially similar to the previous draft, although the NY DFS incorporated a number of changes following the previous 60-day comment period. In particular, the NY DFS continues to stress the importance of multifactor authentication (“MFA”), broadening the requirement relative to the November 2022 draft and aligning it with the FTC’s amended Safeguards Rule: MFA must “be utilized for any individual accessing any of the covered entity’s information systems,” with limited exceptions. The NY DFS also added a requirement that a covered entity’s incident response and business continuity plans be tested at least annually, and that the entity be able to restore its “critical data” and information systems from backups. Moreover, the NY DFS added that, in assessing the appropriate penalty for non-compliance, it would consider the extent to which a covered entity’s relevant policies and procedures are consistent with nationally recognized cybersecurity frameworks.

Comments on the updated proposed Amendment are due to NY DFS by August 14, 2023.

Takeaway: Regulated financial institutions subject to the NY DFS Cybersecurity Regulation should continue to prepare for the adoption of these new requirements and make all necessary revisions and updates to their IT systems, policies, and procedures. Once the amendments are finalized, most covered entities will have 180 days from the effective date to come into compliance. The focus on MFA is a good one, as many credential-based intrusions can be prevented by this control, which, frankly, should already be in widespread use, especially among entities licensed by the NY DFS.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising

Written by:

Dechert LLP