EU Institutions Reach Political Agreement on the Digital Services Act
On April 23, 2022, European legislators achieved political agreement on the Digital Services Act (“DSA”). Together with the recently agreed Digital Markets Act (“DMA”), the DSA aims to ensure a safer, open, and fair online environment in the EU.
The DSA contains obligations for “online intermediation services” that connect users with goods, services or content, i.e., access providers, cloud storage services, “very large online search engines and online platforms,” and online marketplaces. The DSA increases the accountability standard for these services. Obligations are determined by the services’ role, size, and industry impact.
The final text of the DSA is still in editing and has not been released, but its broad lines are known. In part, it contains measures designed to:
- Counter illegal goods, services or content online, such as a mechanism to easily flag such content;
- Empower users and civil society to, for example, challenge platforms’ content moderation decisions and seek redress; and by mandating transparency measures on a variety of issues, including algorithms recommending content or products to users;
- Assess and mitigate risks through measures, such as new safeguards for the protection of minors; limits on the use of targeted advertising based on sensitive data; and the requirement for larger platforms and online search engines to carry out content moderation risk assessments and undergo independent audits regarding their handling of illegal content; and
- Increase enforcement for “very large platforms.” They face fines of up to 6% of global revenues for non-compliance and a potential operating ban in the EU for repeated breaches.
Once the DSA is passed into law, it will become directly applicable across the EU, likely within 15 months or from January 1, 2024, whichever is the later.
Takeaway: Together the DMA and DSA will create an unprecedented European regulatory standard for digital services, and in particular for the larger platforms that are within scope of the DMA and face heightened enforcement under the DSA. Tech industry lobbying against the proposals, warning among other things about the risks to innovation, was largely ineffective. Next, we may see legal challenges to blunt the legislation’s impact, potentially questioning both the scope and practical implementation of obligations. Similar proposals, in particular to the DMA, are in the pipelines beyond Europe, not least in the U.S. where multiple bills are jockeying for attention and support. As with the GDPR, the EU has set an example and is leading the way.
Connecticut Enacts a Comprehensive Data Privacy Act
Connecticut has joined the U.S. jurisdictions that have enacted a comprehensive data privacy law. The new law, known as the Connecticut Data Privacy Act (“CTDPA”), has an effective date of July 1, 2023.
The CTDPA will apply to persons that conduct business in Connecticut or that “produce” products or services targeted to Connecticut residents if, in the preceding year, the business controlled or processed the personal data of: (i) at least 100,000 Connecticut residents (excluding personal data controlled or processed to complete payment transactions); or (ii) at least 25,000 Connecticut residents (if more than 25% of the business’s annual gross revenue is derived from selling personal data). The law contains certain exemptions, including for higher education institutions (which is defined broadly), nonprofits, financial institutions and data subject to the Gramm-Leach-Bliley Act, and certain entities subject to HIPAA.
Like the CCPA and other recently enacted state consumer privacy laws, the CTDPA is designed to empower consumers to control the processing of their personal data. Consumers are granted rights to: (1) know whether a controller is processing their personal data; (2) access the personal data held by a controller; (3) correct inaccuracies in personal data; (4) delete personal data; (5) obtain copies of personal data; and (6) opt-out of the processing of their personal data for purposes of sales, targeted advertising, and profiling. Consumers will have the right to appeal any denial of such a request.
The CTDPA will be enforced exclusively by the Connecticut Attorney General. There is no private right of action. As was the case with the Virginia Consumer Data Protection Act, the CTDPA will require that a task force be convened to study various topics, including issues related to algorithmic decision-making and the proper use of data to reduce bias in such decision-making (“Task Force”). The Task Force is required to submit a report to a committee of the General Assembly by January 1, 2023, on the topics. Entities will enjoy a temporary 60-day cure period for alleged violations. The cure period will be available as of right until December 31, 2024; after that time, it will only be available at the Attorney General’s discretion. Violations of the CTDPA will constitute a violation of the Connecticut Unfair Trade Practices Act (CUTPA), which could lead to injunctive relief, actual damages, punitive damages, costs and fees, and civil penalties up to $5,000 for willful violations and up to $25,000 for violations of restraining orders.
Takeaway: The CTDPA closely mirrors the data-privacy laws enacted in Colorado and Virginia. Businesses will want to consider overlap in their direct and contractual compliance obligations and strategies. Covered entities will want to be aware of any opportunities for industry appointments to the Task Force and otherwise monitor key developments, including publication of the report the Task Force makes to the General Assembly to gain insight into potential additional compliance obligations. Finally, due to the limited timeframe for the “cure” right, after December 31, 2024, businesses that receive a notice of alleged non-compliance will want to be prepared to argue to the Attorney General’s office to grant them the opportunity to cure.
California Worker Privacy Bill Would Require Businesses to Disclose Monitoring, Automated Decision-Making and Give Workers Rights in Relation to Their Personal Information
On April 21, 2022, the California Assembly’s Committee on Privacy and Consumer Protection received a referral to continue consideration of the Workplace Technology Accountability Act (“WTAA”). The bill specifically aims to protect California workers from risks associated with worker data collection, monitoring and the application of algorithmic technologies to worker data. The bill is intended to complement the protections already given to California consumers under the CCPA and CPRA.
Though the language of the WTAA is still in flux—the bill was re-referred to committee for further discussion on April 21, 2022—the current draft gives a good indication of what may be in store for covered entities and how they may need to prepare. For example, the WTAA generally confers rights to know categories and specific pieces of worker data, the sources from which it is collected, and the purposes for which it is processed, including how it is related to the worker’s job function and used in making employment-related decisions. Employers would be under an obligation to correct and appropriately secure employee data and would be prohibited from processing it unless strictly necessary to accomplish certain specified purposes. The WTAA would also give workers the right to know when they are being monitored and when algorithms are being deployed and would require employers to prepare and publish impact assessments for the use of various technology.
An employer may be subject to injunctive relief and civil penalties in an action filed by the Labor Commissioner. The WTAA also provides for a private cause of action for individual workers with the potential for the recovery of attorneys’ fees and costs if successful.
Takeaway: Unlike the CCPA and other state consumer privacy laws, the WTAA would be solely worker-focused. The WTAA could signal a novel focus on digital worker privacy rights and protections, specifically in relation to algorithmic decision-making and workplace monitoring, and make California an early adopter of such rights and protections.
India to Tech Companies: “Report Cyber Security Incidents Within Six Hours”
Starting on June 28, companies and organizations in India will be required to report cyber security incidents to the government within just six hours, according to wide-ranging new rules published by India’s Computer Emergency Response Team (“CERT-In”). The list of reportable events extends from serious security breaches to more routine events such as “Targeted scanning/probing of critical networks/systems.” The rules also require organizations to connect their system clocks, which can be important tools for incident response and forensic investigation of data breaches, with one of the government’s Network Time Protocol (“NTP”) servers. Under a new data retention requirement, Virtual Private Network (“VPN”) service providers and cryptocurrency exchanges must retain a variety of personal information from users for five years or longer, “so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets."
Takeaway: With the passage of these rules by CERT-In, India has now taken the prize for the fastest reporting requirement in the world. These rules likely will be terribly counterproductive as companies will have to fend off threat actors with one arm, while having to assess the regulatory patchwork of reporting requirements with the other, now in just the first hours of a crisis. While U.S. agencies have tried to outdo themselves by proposing more stringent rules for reporting (from the SEC’s four business days to its 48 hours for investment advisors), this is yet another example of overzealous regulation that likely will only further hinder companies’ abilities to fight cyberattacks.
DPAs Vow to Further Enhance Cooperation on Strategic Cases
On April 28, 2022, the European Data Protection Board (“EDPB”) issued a statement outlining its agreement to improve cooperation among local Data Protection Authorities (“DPAs”) regarding enforcement of the GDPR.
This statement follows a warning last year from European Commission Vice President, Vera Jourova, that DPAs should stop quarreling over the enforcement of data protection rules or face the possibility of a centralized model of enforcement.
In its statement the EDPB recognizes its duty to ensure the consistent and effective interpretation of the GDPR and acknowledges that strong and swift enforcement is crucial. A commitment to closer cross-border cooperation will be achieved in the following ways:
- DPAs will collectively and regularly identify cross-border cases of strategic importance which will be prioritized and supported by the EDPB;
- DPAs will commit to exchanging information on national enforcement strategies with a view to agreeing on annual enforcement priorities at the EDPB level;
- the cross-border exchange of information will be facilitated by the use of a template for data subjects’ complaints and the improvement of the EDPB’s IT cooperation tools; and
- the EDBP will identify a list of procedural aspects of EU law that could be further harmonized to increase efficiency and collect best practices regarding the interpretation of national laws to ensure a more effective application of the GDPR.
Takeaway: Some DPAs have faced criticism over the duration of their investigations, as well as the level of fines imposed. This statement and the measures announced appear to attempt to: (i) address criticism some DPAs have faced concerning the pace and duration of their investigations, as well as the levels of fines imposed; and (ii) signal a more harmonized approach to enforcement in the European Economic Area, albeit without recommending formal changes to the GDPR that would require primary legislation.