OneTrust DataGuidance Privacy Review: Q3 2020
The third quarter of 2020 has been a particularly busy one, with several notable privacy developments being seen worldwide. The landmark Schrems II case has grabbed many of the headlines since July - the invalidation of the EU-US Privacy Shield and the obligations imposed on organizations seeking to rely on standard contractual clauses for transfers to third countries have resulted in organizations having to re-think how they transfer their data from the EU. The fallout from this momentous decision is still being felt, and over the course of the last three months many data protection authorities have weighed in with their thoughts and guidance on the matter.
Whilst Schrems II was arguably the biggest talking point of the last quarter, there were many other noteworthy developments, not least the long-awaited LGPD entering into force after several delays. Further legislation came into force or was proposed in California, New Zealand, South Korea, and many other jurisdictions as privacy and data protection issues continue to take the spotlight.
CCPA, LGPD, and PIPEDA
In the US, there were many state-level developments, most notably with the CCPA becoming enforceable on July 1 as well as privacy laws entering into force in Maine and Vermont. Furthermore, the LGPD entered into force on September 18, and soon after the first civil action under the law was taken by a court in Sao Paulo.
In Canada, ongoing discussions around reform to both federal and provincial privacy law have continued to progress with the Government of Ontario issuing a paper on the modernization of their private sector privacy legislation. Additionally, developments around the modernization of Canada’s federal privacy law continue to be an area to watch for organizations operating in the region.
Moreover, there has been a continued focus on enforcement in Latin America with large fines being issued across the region for non-compliance and the mishandling of personal data.
Updates to the PIPC, enforcement, and privacy developments in CIS
Major legislative amendments came into effect in South Korea in August which included the PIPC being elevated to a central administrative agency and the introduction of concepts including pseudonymization and purpose limitation.
Significant developments were also seen in Kazakhstan, where Law of 25 June 2020 No. 347-VI on the Amendments and Regulation of Digital Technologies introduced new data collection and processing requirements and established a data protection authority, among other things. Meanwhile, in Russia the electronic signature law entered into force, and a national strategy for the protection of children’s data was announced in Ukraine.
Finally, the Australian Communications and Media Authority continued to take enforcement action, whilst notable fines were issued in South Korea, Macau, and Singapore for data collection without consent, telemarketing, and AML/CFT failures.
Schrems II, the ICO Age Appropriate Design Code, and legal updates in Dubai, Egypt, and South Africa
In the fallout from the Schrems II decision, several DPAs issued statements and high-level guidance. The LfDI Baden-Württemberg’s guidance has debatably been the most comprehensive so far, and includes a checklist of steps to take following Schrems II as well as recommended amendments and supplementary measures for SCCs.
On 2 September, the ICO’s long-awaited Age Appropriate Design Code came into effect. The code aims to establish 15 standards for the processing of children’s data in the UK. Furthermore, with Brexit looming, DCMS published a national strategy which notes that the UK will seek an adequacy decision from the EU.
Across the EMEA region, there was a range of developments to data protection laws. The DIFC’s Data Protection Law was enacted, Egypt's data protection law was published, and further sections of POPIA entered into effect.