Dechert Cyber Bits - Issue 42

Dechert LLP

Articles in this issue

  • UK-U.S. Data Bridge Approved
  • Delaware Passes Comprehensive Data Privacy Law
  • EDPB/EDPS Joint Opinion on Proposed Changes to Procedures in Cross-Border Cases
  • FTC Amends Complaint Against Amazon and Accuses Executives of Deceptive Prime Sign-Up Tactics
  • Bill From Democrats Would Give the FTC Oversight Over Critical AI Use Cases


UK-U.S. Data Bridge Approved

The UK has approved an extension to the EU-U.S. Data Privacy Framework (DPF) called the ‘UK-U.S. Data Bridge,’ which facilitates data flows from the UK to the U.S. From October 12, 2023, personal data can be transferred from the UK to U.S. entities that have self-certified to the DPF and extended their certification to cover UK data, without needing to implement the UK’s International Data Transfer Agreement (the UK equivalent of standard contractual clauses) or other ‘appropriate safeguards’ specified in the UK GDPR.

U.S. organizations that are certified under the DPF can extend their certification to cover data from the UK by selecting the option to add the UK extension through their online DPF account. As an extension to the DPF, the UK-U.S. Data Bridge cannot be entered into separately from the DPF, so U.S. organizations seeking to make use of the UK-U.S. Data Bridge must be signed up to the DPF and opt in to the UK extension. Further information about signing up to the DPF is in Dechert’s OnPoint here. Organizations in the UK can check whether a proposed data recipient participates in the DPF and the UK extension by searching the Data Privacy Framework List at dataprivacyframework.gov.

Takeaway: Notwithstanding potential challenges to its validity, most organizations should be relatively comfortable using the UK-U.S. Data Bridge. Self-certifying for UK data is straightforward for existing DPF participants and the combination of the DPF and UK-U.S. Data Bridge may be an attractive option for U.S. organizations’ data transfers. Other transfer mechanisms remain valid options and organizations should consider what mechanism works best for their specific transfers. You can read our full Dechert OnPoint on the UK-U.S. Data Bridge here.


Delaware Passes Comprehensive Data Privacy Law

On September 11, 2023, Delaware Governor John Carney signed the Personal Data Privacy Act (“PDPA”), adding Delaware to the list of states to pass comprehensive consumer privacy legislation.

The PDPA goes into effect January 1, 2025, and applies to any person that: (i) conducts business in Delaware or produces products or services that target Delaware residents; and (ii) during the preceding calendar year (a) controlled or processed the personal data of at least 35,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or (b) controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data. Notably, the PDPA contains an entity-level exemption for institutions subject to the Gramm-Leach-Bliley Act and exemptions for personal data covered by various other federal statutes, including HIPAA.

The PDPA requires controllers to, among other things: (i) limit collection of personal data to that which is adequate, relevant and reasonably necessary to the disclosed purposes for processing; (ii) establish, implement and maintain reasonable data security practices; and (iii) provide a reasonably accessible, clear and meaningful privacy policy to consumers. Similarly, consumers in Delaware will have the right to: (i) confirm whether a controller is processing the consumer’s personal data and access such personal data; (ii) correct inaccuracies in the consumer’s personal data; (iii) delete personal data; (iv) obtain a copy of the consumer’s personal data; (v) obtain a list of specific third parties to which the controller has disclosed the consumer’s personal data; and (vi) opt-out of (a) the processing of the personal data for purposes of targeted advertising, (b) the sale of personal data, and (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

The PDPA does not include a private right of action. Rather, the PDPA grants enforcement authority to the Delaware Department of Justice.

Takeaway: We expect that companies subject to the PDPA will generally be able to comply with the law’s requirements by relying on their existing U.S. state law compliance program and expanding it to encompass consumers in Delaware. That said, compliance with privacy laws in the U.S. is becoming increasingly daunting as U.S. states continue to enact their own state-specific requirements to fill the ongoing void imposed by the absence of a federal privacy law.


EDPB/EDPS Joint Opinion on Proposed Changes to Procedures in Cross-Border Cases

On September 21, 2023, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted a Joint Opinion on the European Commission’s (“Commission”) Proposal for a Regulation on additional procedural rules for the enforcement of the GDPR (the “Proposal”). The Proposal, initially published by the European Commission on July 4, 2023, and which followed a wish list from the EDPB sent to the Commission in October 2022, aims to harmonise procedural differences across the EU and streamline the cross-border cooperation procedure, ensuring timely investigations and swift remedies for individuals in cross-border cases.

In a press release, the EDPB explained that the Joint Opinion aims to ensure that the proposed new Regulation works for all parties involved and urged its swift adoption. According to the EDPS, the Joint Opinion aims to improve the future legislation and, in particular, to foster timely resolution of cross-border cases.

The press release highlighted positive aspects of the Proposal, including: the Commission's efforts to harmonise information required to be provided to supervisory authorities in cross-border cases in order to lodge a complaint (with the admissibility of a complaint being determined by the supervisory authority with which the complaint was lodged); the clarifications concerning the right of access to an administrative file; and the proposal to boost consensus-finding early in the cooperation procedure.

However, the EDPB and EDPS also recommended that:

  • concerned supervisory authorities (“CSAs”) should be more involved in the different steps of the procedure to avoid disputes at a later stage (and in particular, the ‘preliminary findings’ addressed to the parties under investigation and the ‘preliminary view’ to reject the complaint should be shared with the CSAs before they are submitted to the parties under investigation or the complainant);
  • there should be defined time limits for certain procedural steps to allow swift and efficient enforcement;
  • CSAs’ ability to raise relevant and reasoned objections on a draft decision (including on the scope of the investigation) should not be unduly restricted;
  • the current approach to the parties’ right to be heard in the dispute resolution procedure, which is triggered when data protection authorities fail to find a consensus on a case, should not be changed; and
  • the Chair of the EDPB should not be required to provide the parties under investigation and the complainant with a ‘statement of reasons’, as this is not in line with the architecture of the One-Stop-Shop system and is unnecessary as current practice allows the EDPB to take the views of the parties into account and reach a decision within the deadlines.

Takeaway: The Joint Opinion provides some useful and practical recommendations in relation to the Proposal which, if taken on board as seems likely, will help to ensure more efficient and timely enforcement of the GDPR in cross-border cases.


FTC Amends Complaint Against Amazon and Accuses Executives of Deceptive Prime Sign-Up Tactics

On September 20, 2023, the Federal Trade Commission (“FTC”) updated its complaint against Amazon, accusing the company and three of its senior executives of knowingly enrolling consumers into its Amazon Prime membership program without their consent and making it difficult for them to cancel their subscriptions.

The amended complaint alleges that, despite being informed by other Amazon employees about these issues as early as 2016, the three named executives chose not to act. As well as naming the three individuals, the updated complaint contains significant details of the alleged misconduct, including internal communications which, the FTC claims, reveal the extent to which the company and its management team were aware of concerns regarding its Prime membership.

The complaint accuses Amazon of slowing, avoiding, and in certain circumstances reversing user experience changes that would have reduced nonconsensual enrollment because those changes would negatively affect Amazon's bottom line. The complaint also alleges that the company created a labyrinthine cancellation process for Prime, codenamed "Iliad," a reference to Homer’s epic poem about the lengthy Trojan War.

A spokesperson for Amazon described the FTC’s decision as “unwarranted under the facts and the law.”

Takeaway: This is yet another in a string of FTC enforcement actions where the FTC included individual executives as part of its Complaint. In addition, the FTC’s amended complaint against Amazon underscores the agency’s efforts to address business practices it considers deceptive, particularly in the realm of subscription services. Amazon is one of many companies the FTC has pursued recently in its efforts to identify and address the alleged use of dark patterns that it believes are intended to deceive customers. Companies should be aware of the FTC’s focus on this area and may want to consider reviewing their subscription processes for transparency.


Bill From Democrats Would Give the FTC Oversight Over Critical AI Use Cases

On September 21, 2023, Senator Ron Wyden, together with Senator Cory Booker and Representative Yvette Clarke, introduced the Algorithmic Accountability Act of 2023 (the “AAA”) to create new protections for people affected by artificial intelligence (“AI”) systems in areas such as housing, health, finances, and education.

If enacted, the AAA would require companies to assess the impacts of using AI to make “critical decisions,” defined as a “decision or judgment that has any legal, material, or similarly significant effect on a consumer’s life” relating to access to or the cost, terms, or availability of an array of services, such as education, employment, housing and healthcare. The impact assessment would require companies to describe their need for AI decision-making tools and the intended benefits of employing such technology, and to identify any known harms or material negative impacts the company’s use of AI may have on consumers. Companies would also be required to take steps to eliminate or mitigate any impacts that demonstrate a likely material negative impact on a consumer’s life. Under the AAA, the Federal Trade Commission (“FTC”) would publish an anonymized annual report on trends in automated decision-making programs and establish a public data repository to inform consumers about, and allow researchers to study, the use of automated decision systems.

Takeaway: Lawmakers and regulators continue to focus on AI and machine learning. The AAA is the latest proposal to address an issue that has received, and is expected to continue to receive, sustained regulatory attention—namely, how should AI be deployed and regulated when the technology is used to aid decision-making in settings that can have critical impacts on individuals’ lives? While it remains to be seen whether the AAA will gain traction in Congress, we, at minimum, expect discussion on how best to address these issues to continue.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising

Written by:

Dechert LLP