US Privacy in Flux
How the California Consumer Protection Act changes US Privacy Laws
IT Law Camp 2018, Frankfurt, November 10, 2018
kai.westerwelle@twobirds.com

Agenda
1 The California Consumer Privacy Act
2 California: More than just one state
3 The US Privacy landscape
4 The CLOUD Act and the Shield
CCPA v. GDPR: GDPR, the "Export Champion"
GDPR aligns the European privacy landscape
EEA / EFTA adoptions
China's new privacy and cybersecurity laws
Brazilian Lei Geral de Proteção de Dados
Japan's Act on Protection of Personal Information (APPI)
India, Mexico, Argentina, South Korea, Colombia, Canada, Australia, New Zealand, South Africa
California Consumer Privacy Act (CCPA)
CCPA v. GDPR: Background

CCPA v. GDPR: Sisters but not Twins
CCPA v. GDPR: Scope, substantial differences in coverage
Topics compared: Fines, Scope, Individual's Rights, Definitions, TOM, Transparency

CCPA v. GDPR: Scope, substantial differences in coverage
Topics compared: One Stop (Shop), Processing Records, Supervisory (Authority), DPIA, Controller / Processor, DPO
CCPA v. GDPR: Who is addressed, limited scope v. catch-all
CCPA: Business; limited scope; not wholly outside California; limited service providers; change of control (asset deal)
Comparison (CCPA against GDPR): < Business in, = Affiliation, < Servicers, < Third Parties, < Change of Control
GDPR: Establishment in the EU; processing outside the EU; processing of EU data; no change of control
CCPA v. GDPR: Who is protected, residents v. data subjects
CCPA: Consumer protection; consumer; California residents; outside state; children
Comparison (CCPA against GDPR): = Individuals, < Residents, > Outside, = Children
GDPR: Fundamental right; data subjects; natural persons; within EU; no limits; children
CCPA v. GDPR: What data, personal information v. personal data
CCPA: Identified; associated; no special categories; excludes publicly available; pseudonymous data?
Comparison (CCPA against GDPR): = Identified, = Identifiable, < No limits, > US PII
GDPR: Identified; identifiable; special categories; publicly available; pseudonymous data; aggregated
CCPA v. GDPR: Transparency, privacy notice v. information requirement
CCPA: Some information; form readily accessible; online; "Do not sell"
Comparison (CCPA against GDPR): = Transparent, = Intentions, < Less information, > Online
GDPR: Full information; purpose; legal basis; data retention; transfers to non-EU; automated decision-making
CCPA v. GDPR: Rights of the individual, privacy rights here and there
CCPA: Disclosure; deletion; access; portability; opt-out; no discrimination
Comparison (CCPA against GDPR): = Similar, < Forgotten, < Portability, < Access, < Opt-In, < Discriminate
GDPR: Information; access; rectification; erasure; restriction of processing; data portability; object; opt-in
CCPA v. GDPR: Security, private right of action v. regulator involvement
CCPA: Security measures required; private right of action; notification
Comparison (CCPA against GDPR): = TOM, > Individual rights, < Less information, = Notification
GDPR: Technical and organisational measures (TOM); regulator; controller
CCPA v. GDPR: Consequences of non-compliance, damages v. fines
CCPA: 100 to 750 USD per case; private action; class action
Comparison (CCPA against GDPR): = Severe!, > Individual rights, < Authority
GDPR: 20 million or 4 % of annual global revenue; private claims; regulator complaints
CCPA v. GDPR: Reuse your GDPR efforts
TOM; GDPR processing records; notification; CCPA transparency; CRM (but opt-out); individual's rights
2 California: More than just one state
California: One of 50
California: Gross Domestic Product (billion USD, 2016)
California: Home of the Unicorns
California: Home of the next Unicorns
California: Home of the Big Guys
California: Spearheading Privacy
California security breach notification law (California Civil Code 1798.82)
3 The US Privacy landscape
US Privacy: State Law v. Federal Law

US Privacy Patchwork: Background
Categories: Activity, Consumer Protection, States, Best Practice
US Privacy Patchwork: Background
Federal Trade Commission Act (FTC Act)
Children's Online Privacy Protection Act (COPPA)
Financial Services Modernisation Act (Gramm-Leach-Bliley, GLB)
Health Insurance Portability and Accountability Act (HIPAA) and HIPAA Omnibus Rule
Fair Credit Reporting Act
Controlling the Assault of Non-Solicited Pornography and Marketing Act
Electronic Communications Privacy Act
Computer Fraud and Abuse Act
Judicial Redress Act
Privacy Rule for broadband ISPs
Industry best practices
State security laws (technical, physical and administrative security protocols)
Security breach notification laws (all states, e.g. California Civil Code)
State privacy regulations, sometimes multiple per state, e.g. California: California Electronic Communications Privacy Act; several amendments to the security breach notification law; A.B. 1541 (redefining personal information, e.g. email address with password)
US Privacy: Federal Privacy Act, Race to the Bottom?

4 The CLOUD Act and the Shield
CLOUD Act / Privacy Shield: Clarifying Lawful Overseas Use of Data Act
Background: Extension of the Stored Communications Act (SCA)
Background: United States v. Microsoft (Supreme Court, Feb 27, 2018)
Content: US law-enforcement orders under the SCA reach foreign data
Bilateral agreements for enforcement in the US
Formalized procedure for companies to challenge requests
Limits and restrictions on enforcement with regard to privacy and civil liberty
Applies to (see SCA): providers of electronic communication services / remote computing; e-communication data and cloud-stored documents
CLOUD Act / Privacy Shield: CLOUD Act Targeting
Access of US enforcement agencies to data in foreign countries
Legal certainty for providers caught between two conflicting laws
CLOUD Act Executive Agreements (see also Art. 48 GDPR): centerpiece of the CLOUD Act; reciprocal access to data held in the other country (not U.S. citizens!); countries with (actually none) / countries without
CLOUD Act / Privacy Shield: CLOUD Act Sidenotes
Allows providers to inform the foreign government of the law enforcement request so that the foreign government can object directly to the U.S. government
Electronic Frontier Foundation: "robbed from the American public" when sneaking into the back of a 2,232-page government spending bill
CLOUD Act / Privacy Shield: Survival of the Privacy Shield
Digital Rights Ireland v. EU (2016)
Committee on Civil Liberties, Justice and Home Affairs of the EU Parliament (LIBE) (March 2017)
Art. 29 Working Party (autumn 2017)
EU Parliament (non-binding) resolution, July 2018
US Privacy in Flux: Questions
Why, Who, What, Where, When, We, Which
Dr Kai Westerwelle, Partner
Tel: +1 415 623 9950, kai.westerwelle@twobirds.com
"The World's Leading Patent & Technology Licensing Lawyers" (IAM 250); "One of the most recommended data protection specialists" (German Association of Inhouse Counsels); Client Choice Award for IT-Law in Germany (ILO)
Kai Westerwelle is recognized as a leading IT and privacy lawyer, with a particular focus on supporting both inbound and outbound business for the US market. Kai is a partner in our international Commercial Practice Group, based in San Francisco. As a German Certified Specialist Attorney in Information Technology Law, Kai has more than 25 years' experience in the field. He has specialized in information technology law, particularly outsourcing and cloud computing projects, national and international license agreements as well as comprehensive transactional advice. He has supported a substantial number of national and international restructurings and IoT projects, as well as many M&A transactions and IPOs. In addition, he focuses on German, European and international data protection law, especially relating to business from and with the USA. Kai is the author of numerous publications, mainly in the areas of information technology law, data protection and competition law. He regularly speaks at national and international congresses and lectures on data protection and compliance at universities in Germany and the USA. He is an active member of the German Society of Law and Information, Bitkom e.V. (Germany's leading association for IT & Telecom companies), the German American Business Association and the International Association of Privacy Professionals, and a Member of the Board of Advisors of the International Privacy + Security Forum (USA). Kai speaks German, English and French.
Thank you
Dr Kai Westerwelle, kai.westerwelle@twobirds.com, (415) 623 9950
https://www.linkedin.com/in/westerwelle
twobirds.com
Bird & Bird is an international legal practice comprising Bird & Bird LLP and its affiliated and associated businesses. Bird & Bird LLP is a limited liability partnership, registered in England and Wales with registered number OC340318 and is authorised and regulated by the Solicitors Regulation Authority. Its registered office and principal place of business is at 12 New Fetter Lane, London EC4A 1JP. A list of members of Bird & Bird LLP and of any non-members who are designated as partners, and of their respective professional qualifications, is open to inspection at that address.