Last Month in Privacy: June 2021
July 06, 2021
EU: EDPB adopts final version of recommendations on supplementary measures
International data transfers once again was the talk of the month as the European Data Protection Board released its finalised version of its Recommendations on Supplementary Measures following Schrems II.
The EDPB outlined the following key revisions to the recommendations:
- the emphasis on the importance of examining the practices of third country public authorities in the exporters' legal assessment to determine whether the legislation and/or practices of the third country impinge on the effectiveness of the chosen transfer tool under Article 46 of the GDPR;
- the possibility that the exporter considers in its assessment the practical experience of the importer, among other elements and with certain caveats; and
- the clarification that the legislation of the third country of destination, allowing its authorities to access the data transferred, even without the importer's intervention, may also impinge on the effectiveness of the transfer tool.
In addition, the European Commission announced that it had adopted two adequacy decisions for the United Kingdom, one under the GDPR and one under the Law Enforcement Directive. Personal data can now flow freely from the EU to the UK, however, a sunset clause has also been included, which limits the duration of adequacy to four years.
China: NPC passes data security law
The National People's Congress of the People's Republic of China announced that the Data Security Law had been adopted.
The Data Security Law regulates data processing activities, ensures data security, as well as protects the legitimate rights and interests of individuals and organisations. Specifically, the Data Security Law introduces requirements for the processing of important data, the appointment of a person in charge of data security and the conducting of risk assessments which must be sent to the relevant regulatory departments.
The law will enter into effect on 1 September of this year.
Read more here.
Colorado: Personal data privacy bill repasses in State Senate and due to be sent to Governor
Colorado looks set to become the next state to pass a comprehensive privacy law, following approval of the Colorado Privacy Act by the House of Representatives and the Senate.
The bill provides for several consumer rights including: the right to opt out of processing for purposes of targeted advertising, sale, or profiling that produces significant effects, and the rights of access, correction, deletion, and portability. Obligations imposed on controllers include with respect to privacy notices, data protection assessments, and vendor management.
The bill is awaiting signature from the Governor and would go into effect on 1 July 2023.
Read more here.