<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Global Privacy &amp; Security Compliance Law Blog</title>
	<atom:link href="https://www.globalprivacyblog.com/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.globalprivacyblog.com/</link>
	<description>Commentary on Global Privacy and Security Issues of Today</description>
	<lastBuildDate>Thu, 11 Jan 2024 00:40:05 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.4.2&amp;lxb_maple_bar_source=lxb_maple_bar_source</generator>
	<item>
		<title>FTC Proposes Updates to COPPA Rule</title>
		<link>https://www.globalprivacyblog.com/privacy/ftc-proposes-updates-to-coppa-rule/</link>
		
		<dc:creator><![CDATA[<a href=''>Latham &amp; Watkins</a>]]></dc:creator>
		<pubDate>Thu, 11 Jan 2024 00:36:01 +0000</pubDate>
				<category><![CDATA[Legislative & Regulatory Developments]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Parental Consent]]></category>
		<guid isPermaLink="false">https://www.globalprivacyblog.com/?p=2654</guid>

					<description><![CDATA[<p>The proposed amendments are expansive and would significantly affect how companies comply with the Children’s Online Privacy Protection Act. By Jennifer C. Archie, Marissa R. Boynton, Michael H. Rubin, Gabriela Aroca Montaner, Samantha M. Laufer, and Molly Whitman Key Points: On December 20, 2023, the Federal Trade Commission (FTC or Commission) issued a Notice of… <a class="read_more" href="https://www.globalprivacyblog.com/privacy/ftc-proposes-updates-to-coppa-rule/">Continue Reading</a></p>]]></description>
										<content:encoded><![CDATA[<p><strong><em>The proposed amendments are expansive and would significantly affect how companies comply with the Children’s Online Privacy Protection Act.</em></strong></p>
<p>By <a href="https://www.lw.com/en/people/jennifer-archie">Jennifer C. Archie</a>, <a href="https://www.lw.com/en/people/marissa-boynton">Marissa R. Boynton</a>, <a href="https://www.lw.com/en/people/michael-rubin">Michael H. Rubin</a>, <a href="https://www.lw.com/en/people/gabriela-aroca-montaner">Gabriela Aroca Montaner</a>, <a href="https://www.lw.com/en/people/78866">Samantha M. Laufer</a>, and <a href="https://www.lw.com/en/people/molly-whitman">Molly Whitman</a></p>
<p><strong>Key Points:</strong></p>
<ul>
<li>The proposed amendments, which clarify or expand many of the COPPA Rule’s existing provisions, would be the first updates to the Rule in over a decade and would formalize recent FTC guidance and enforcement in the COPPA space.</li>
<li>Key modifications include revisions to the definitions of “personal information” and “a website or online service directed to children”; mandates for separate, stand-alone parental consent for the disclosure of children’s data to third parties; new mechanisms for obtaining verifiable parental consent; additional data security requirements; and additional guidance regarding data retention.</li>
</ul>
<p>On December 20, 2023, the Federal Trade Commission (FTC or Commission) issued a <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/p195404_coppa_reg_review.pdf">Notice of Proposed Rulemaking</a> (Notice) recommending amendments to the Children’s Online Privacy Protection Rule (COPPA Rule or Rule).</p>
<p>The FTC last updated the COPPA Rule more than 10 years ago, in 2013, to account for changes in the ways children use and access the Internet (the 2013 Amendments). The Notice incorporates feedback received in response to the Commission’s <a href="https://www.ftc.gov/news-events/news/press-releases/2019/07/ftc-seeks-comments-childrens-online-privacy-protection-act-rule">2019 request for comment</a> on the effectiveness of the 2013 Amendments in creating “stronger protections for children,” as well as the FTC’s own enforcement experience over the last several years.</p>
<p>Once the FTC formally publishes the Notice in the <em>Federal Register</em>, it will open an additional 60-day public comment period, after which it will finalize and publish the amended regulations.</p>
<p>Learn more in this <a href="https://www.lw.com/en/insights/2024/01/ftc-proposes-updates-to-coppa-rule">Client Alert</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>FCC Expands Data Breach Notification Rules</title>
		<link>https://www.globalprivacyblog.com/legislative-regulatory-developments/fcc-expands-data-breach-notification-rules/</link>
		
		<dc:creator><![CDATA[<a href=''>Latham &amp; Watkins</a>]]></dc:creator>
		<pubDate>Thu, 11 Jan 2024 00:08:13 +0000</pubDate>
				<category><![CDATA[Legislative & Regulatory Developments]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[telecommunications]]></category>
		<guid isPermaLink="false">https://www.globalprivacyblog.com/?p=2649</guid>

					<description><![CDATA[<p>The amended rules follow the Biden Administration’s “whole of government” approach to maximizing notifications to executive agencies of cybersecurity events. By Jennifer C. Archie, Matthew A. Brill, Gabriela Aroca Montaner, Chad Kenney, and Molly Whitman On December 21, 2023, a divided Federal Communications Commission (FCC or the Commission) released a Report and Order updating its… <a class="read_more" href="https://www.globalprivacyblog.com/legislative-regulatory-developments/fcc-expands-data-breach-notification-rules/">Continue Reading</a></p>]]></description>
										<content:encoded><![CDATA[<p><strong><em>The amended rules follow the Biden Administration’s “whole of government” approach to maximizing notifications to executive agencies of cybersecurity events.</em></strong></p>
<p>By <a href="https://www.lw.com/en/people/jennifer-archie">Jennifer C. Archie</a>, <a href="https://www.lw.com/en/people/matthew-brill">Matthew A. Brill</a>, <a href="https://www.lw.com/en/people/gabriela-aroca-montaner">Gabriela Aroca Montaner</a>, <a href="mailto:chad.kenney@lw.com">Chad Kenney</a>, and <a href="https://www.lw.com/en/people/molly-whitman">Molly Whitman</a></p>
<p>On December 21, 2023, a divided Federal Communications Commission (FCC or the Commission) released a <a href="https://docs.fcc.gov/public/attachments/FCC-23-111A1.pdf">Report and Order</a> updating its data breach reporting rules for certain telecommunications providers. The updated rules require that providers of telecommunications services, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) adequately safeguard sensitive customer information and report data breaches to the Commission. The rules will also likely apply to providers of broadband Internet access services when the Commission completes its <a href="https://docs.fcc.gov/public/attachments/DOC-397309A1.pdf">recently initiated rulemaking</a> proposing to reclassify broadband as a telecommunications service covered by the data breach rules.</p>
<p>In a 3-2 vote, the Commission expanded the breach notification regulations to cover breaches that involve personally identifiable information (PII), in addition to customer proprietary network information (CPNI). Both PII and CPNI are now considered “covered data” under the applicable rules. Further, the rules now extend to inadvertent disclosures of covered data, along with intentional disclosures without authorization. Upon determining that a breach has occurred, carriers must notify the Commission via the FCC’s existing <a href="https://www.cpnireporting.gov/cpni/content/disclaimer.xhtml?dswid=6348">central reporting facility</a> in addition to notifying the FBI and the Secret Service.</p>
<p>Federal agency notifications must be submitted “as soon as practicable,” but no later than seven business days after determination of a breach. The Commission emphasized that, depending on the circumstances, a “failure to swiftly report breaches may … be untimely and unreasonable, even if within the seven business day timeline.” Carriers must also notify affected data subjects in a timely manner — eliminating the mandatory seven-day waiting period after notifying law enforcement that previously applied before a carrier could begin notifying customers.</p>
<p>Learn more in this <a href="https://www.lw.com/en/insights/2024/01/FCC-expands-data-breach-notification-rules">Client Alert</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>India’s Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison</title>
		<link>https://www.globalprivacyblog.com/legislative-regulatory-developments/indias-digital-personal-data-protection-act-2023-vs-the-gdpr-a-comparison/</link>
		
		<dc:creator><![CDATA[<a href=''>Latham &amp; Watkins</a>]]></dc:creator>
		<pubDate>Wed, 13 Dec 2023 15:04:32 +0000</pubDate>
				<category><![CDATA[GDPR]]></category>
		<category><![CDATA[Legislative & Regulatory Developments]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Digital Personal Data Protection Act 2023]]></category>
		<category><![CDATA[DPDPA]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[privacy compliance]]></category>
		<guid isPermaLink="false">https://www.globalprivacyblog.com/?p=2639</guid>

					<description><![CDATA[<p>Companies subject to India’s new data protection law should assess practical implications. By Gail Crawford, Fiona Maclean, Danielle van der Merwe, Kate Burrell, Bianca H. Lee, Alex Park, Irina Vasile, and Amy Smyth The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023… <a class="read_more" href="https://www.globalprivacyblog.com/legislative-regulatory-developments/indias-digital-personal-data-protection-act-2023-vs-the-gdpr-a-comparison/">Continue Reading</a></p>]]></description>
										<content:encoded><![CDATA[<p><strong><em>Companies subject to India’s new data protection law should assess practical implications.</em></strong></p>
<p>By <a href="https://www.lw.com/en/people/gail-crawford">Gail Crawford</a>, <a href="https://www.lw.com/en/people/fiona-maclean">Fiona Maclean</a>, <a href="https://www.lw.com/en/people/danielle-vandermerwe">Danielle van der Merwe</a>, <a href="https://www.lw.com/en/people/katherine-burrell">Kate Burrell</a>, <a href="https://www.lw.com/en/people/bianca-lee">Bianca H. Lee</a>, <a href="https://www.lw.com/en/people/alex-park">Alex Park</a>, <a href="https://www.lw.com/en/people/irina-vasile">Irina Vasile</a>, and <a href="https://www.lw.com/en/people/amy-smyth">Amy Smyth</a></p>
<p>The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India’s existing patchwork of data protection rules<a href="#_edn1" id="_ednref1"><sup>[i]</sup></a> and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after:</p>
<ol>
<li>an independent agency responsible for enforcing the DPDPA — the Data Protection Board of India (the Data Protection Board) — is established; and</li>
<li>the Indian government has framed the subordinate rules (which are expected to provide interpretative guidance on procedural steps and enforcement methodology).</li>
</ol>
<p>The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.</p>
<p>The DPDPA is triggered when digital personal data is processed within India. The law also has an extraterritorial effect in that it applies to digital personal data processing outside of India if such processing relates to the offering of goods or services to individuals (known as “data principals”, which are equivalent to “data subjects” under the EU and UK General Data Protection Regulations (the GDPR)) within India.</p>
<p>The DPDPA follows broadly similar principles to those set out in the GDPR and specifies rules for data fiduciaries (equivalent to “controllers” under the GDPR) and data processors, and rights for data principals (equivalent to “data subjects” under the GDPR). Penalties for non-compliance under the DPDPA range from INR500 million (€5.7 million) to INR2.5 billion (€28 million). The Data Protection Board is also empowered to impose urgent remedial or mitigation measures in the event of a personal data breach.</p>
<p><strong>Practical Impact on Existing Privacy Compliance Programmes</strong></p>
<p>The DPDPA signals a major change in the way personal data is processed in India. Organisations operating in or targeting individuals in India should consider preemptive steps to bring their privacy compliance in line with the DPDPA, including as regards data collection and consent mapping practices. Key differences between the DPDPA and the GDPR include:</p>
<ul>
<li><strong>Scope:</strong> The DPDPA regulates the processing of digital personal data, i.e., personal data collected in digital form, or collected in non-digital form and subsequently digitised. Whilst the DPDPA’s personal data definition is similar to that provided under the GDPR, it excludes from its scope personal data made publicly available by the data principal or by any other person under a legal obligation to make that data publicly available.</li>
<li><strong>Legal basis for processing of personal data:</strong> The DPDPA provides that data fiduciaries may lawfully process personal data only with the consent of the data principals or for certain specified “legitimate uses”. Such legitimate uses include: processing of personal data voluntarily shared by the data principal for a specified purpose (provided that the data principal does not object); processing to comply with the law or court orders; for employment purposes; or to respond to medical emergencies, epidemics, or disasters. The DPDPA’s consent standard is similar to that of the GDPR, requiring consent to be “free, specific, informed, unconditional and unambiguous with a clear affirmative action” and, unlike the GDPR, it does not permit processing under the lawful bases of contractual necessity or legitimate interests.</li>
<li><strong>Data principal rights:</strong> Whilst data principals will have certain rights similar to those under the GDPR for data subjects (i.e., rights of access, correction, or erasure), they will also benefit from a number of new rights which are unique to the DPDPA, i.e., the right to a readily available and effective means of grievance redressal (e.g., via a grievance redressal officer), and the right to nominate an individual who will be able to exercise the rights of the data principal in the event of death or incapacity of the data principal.</li>
<li><strong>Cross-border data transfers:</strong> The DPDPA permits cross-border data transfers to jurisdictions outside of India other than those jurisdictions specifically identified by the Indian government on its list of countries to which data transfers are restricted (to be published); otherwise, the DPDPA does not require the implementation of a transfer mechanism.</li>
<li><strong>Data breach notification:</strong> Data fiduciaries are required to notify personal data breaches to the newly created Data Protection Board and to impacted data subjects, regardless of the magnitude of the breach or risk of harm. Further, the DPDPA does not prescribe specific deadlines for reporting.</li>
<li><strong>Significant data fiduciaries:</strong> The Indian government will have the power to classify certain data fiduciaries as significant data fiduciaries based on factors such as the sensitivity and volume of data processed, the impact of processing on the rights of data principals, and the impact on the sovereignty, security, and integrity of India. These significant data fiduciaries will have additional obligations, including the appointment of an independent auditor and undertaking data protection impact assessments.</li>
</ul>
<p>This <a href="https://www.lw.com/en/insights/2023/12/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison">table</a> compares the requirements of the GDPR and the DPDPA in further detail, highlighting potential gaps in GDPR-based compliance programmes and outlining possible steps to uplift such programmes for DPDPA compliance purposes. As additional rules to supplement the DPDPA provisions are issued, organisations may need to adjust their compliance approaches accordingly.</p>
<p><em>The authors would like to thank Akash Karmakar and Ridhima Khurana at the Law Offices of Panag &amp; Babu for their contributions to this article.</em></p>
<p><strong>Endnote</strong></p>
<hr class="wp-block-separator has-alpha-channel-opacity">
<p><a href="#_ednref1" id="_edn1">[i]</a> India’s current data protection rules are made up of Sections 43A and 87(2)(ob) of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New York Bolsters Cybersecurity Requirements</title>
		<link>https://www.globalprivacyblog.com/privacy/new-york-bolsters-cybersecurity-requirements/</link>
		
		<dc:creator><![CDATA[<a href=''>Latham &amp; Watkins</a>]]></dc:creator>
		<pubDate>Mon, 11 Dec 2023 22:26:22 +0000</pubDate>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[23 NYCRR PART 500]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[ENCRYPTION]]></category>
		<category><![CDATA[MULTIFACTOR AUTHENTICATION]]></category>
		<category><![CDATA[NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES]]></category>
		<guid isPermaLink="false">https://www.globalprivacyblog.com/?p=2637</guid>

					<description><![CDATA[<p>Covered financial institutions now face heightened expectations in relation to cybersecurity governance, risk assessment, and incident reporting. By Jenny Cieplak, Tony Kim, Arthur Long, Clayton Northouse, Serrin Turner, Yvette D. Valdez, Deric Behar, and Molly Whitman The New York State Department of Financial Services’ (DFS) amendments (the Amendments) to its cybersecurity regulations, which were adopted… <a class="read_more" href="https://www.globalprivacyblog.com/privacy/new-york-bolsters-cybersecurity-requirements/">Continue Reading</a></p>]]></description>
										<content:encoded><![CDATA[<p><strong><em>Covered financial institutions now face heightened expectations in relation to cybersecurity governance, risk assessment, and incident reporting.</em></strong></p>
<p>By <a href="https://www.lw.com/en/people/jenny-cieplak">Jenny Cieplak</a>, <a href="https://www.lw.com/en/people/antony-kim">Tony Kim</a>, <a href="https://www.lw.com/en/people/arthur-long">Arthur Long</a>, <a href="https://www.lw.com/en/people/clayton-northouse">Clayton Northouse</a>, <a href="https://www.lw.com/en/people/serrin-turner">Serrin Turner</a>, <a href="https://www.lw.com/en/people/yvette-valdez">Yvette D. Valdez</a>, <a href="https://www.lw.com/people/deric-behar">Deric Behar</a>, and <a href="mailto:molly.whitman@lw.com">Molly Whitman</a></p>
<p>The New York State Department of Financial Services’ (DFS) <a href="https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf">amendments</a> (the Amendments) to its cybersecurity regulations, which were adopted last month with the first implementation deadline of December 1, 2023, impose new and enhanced requirements on covered entities.</p>
<p>On November 1, 2023, the DFS <a href="https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202311011">announced</a> the Amendments to its regulations that were initially published in 2017 (23 NYCRR part 500). The changes impose more demanding requirements for larger entities, new obligations to report ransomware incidents and payments, and expanded oversight responsibilities for board and senior management. Requirements related to business continuity and disaster recovery have also been included for the first time.</p>
<p><strong>Scope of the Amendments</strong></p>
<p>Covered entities subject to 23 NYCRR part 500 and the Amendments are defined as any person operating or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.</p>
<p>A cybersecurity incident is defined as one that has occurred at the covered entity, its affiliates (those that share information systems, cybersecurity resources, or any part of a cybersecurity program with the covered entity), or its third-party service providers, and that:</p>
<ul>
<li>impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency, or any other supervisory body;</li>
<li>has a reasonable likelihood of materially harming any material part of the normal operations of the covered entity; or</li>
<li>results in the deployment of ransomware within a material part of the covered entity’s information systems.</li>
</ul>
<p><strong>Key Amendments</strong></p>
<p><strong><em>“Class A” Companies</em></strong></p>
<p>The Amendments create a new category of covered entities — deemed “Class A” companies — with heightened cybersecurity obligations. These “Class A” companies are defined as having at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity combined with those business operations of the covered entity’s affiliates in New York, and either have (i) more than 2,000 employees (including affiliates), or (ii) more than $1 billion in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and its affiliates.</p>
<p>In addition to meeting all other requirements that 23 NYCRR part 500 imposes on covered entities, a “Class A” company must:</p>
<ul>
<li>design and conduct independent audits of its cybersecurity program based on its risk assessment (through auditors that can be internal or external to the company but must be free to make decisions not influenced by the covered entity);</li>
<li>monitor its privileged access activity and implement a privileged access management solution;</li>
<li>automatically block commonly used passwords, unless the chief information security officer (CISO) annually states in writing that such blocking is infeasible and provides alternative compensating controls; and</li>
<li>implement endpoint detection to monitor anomalous activity (including lateral movement), and a solution that centralizes logging and security-event alerting (unless the CISO has approved in writing the use of reasonably equivalent or more secure compensating controls).</li>
</ul>
<p><strong><em>Governance</em></strong></p>
<p>The covered entity’s board or senior governing body is tasked with oversight, funding, and maintenance of the company’s cybersecurity risk management program. The governing body is expected to allocate “sufficient resources [for the covered entity] to implement and maintain an effective cybersecurity program,” and have “sufficient understanding of cybersecurity-related matters” to execute its oversight function, which may entail the use of advisors.</p>
<p>The covered entity’s CISO or equivalent officer must:</p>
<ul>
<li>provide additional reports annually to the covered entity’s board or senior governing body on plans for remediating material inadequacies; and</li>
<li>timely report to the senior governing body or senior officer(s) regarding significant cybersecurity events and material changes to the covered entity’s cybersecurity program.</li>
</ul>
<p>By imposing specific requirements on a banking institution’s CISO and governing body, the Amendments appear to increase management exposure to regulatory enforcement for lapses in cybersecurity oversight. Under <a href="https://law.justia.com/codes/new-york/2022/bnk/article-2/41/">Section 41</a> of the Banking Law, the DFS superintendent can remove an officer or director for violating “any law or duly enacted regulation of the superintendent” relating to a regulated banking institution. It is not clear, however, to what extent the DFS will pursue individual senior managers in the cybersecurity context rather than, as in other contexts, the entities with which they are associated.</p>
<p><strong><em>Incident Response</em></strong></p>
<p>The Amendments expressly include ransomware attacks as a cybersecurity event, which the regulations require to be reported to the DFS within 72 hours after determining that it has occurred. The Amendments also require a covered entity to report within <em>24 hours</em> any extortion payment made in response to a ransomware attack. And, within 30 days of the payment, the covered entity must also provide the DFS with “a written description of the reasons payment was necessary, a description of alternatives to payment that were considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations, including those of the Office of Foreign Assets Control.”</p>
<p>Covered entities’ incident response plans must also expressly address procedures for recovery from backups, root cause analysis, evaluation of business impact, and prevention of recurrence of incidents.</p>
<p><strong><em>Certification</em></strong></p>
<p>A covered entity’s CISO and highest-ranking executive must annually file a notice of compliance with the DFS. Importantly, the Amendments specify that the certification must be true not only at the time of certification but, instead, must accurately describe the covered entity’s material compliance with all DFS cybersecurity requirements throughout the prior calendar year.</p>
<p>Alternatively, the filing may acknowledge that the covered entity did not materially comply with all requirements, describing such areas of deficiency, and propose a plan and timeline for remediation (or confirmation of successful remediation). Covered entities must also retain for five years all documentation supporting a certification of compliance or acknowledgement of non-compliance and remedial efforts.</p>
<p><strong><em>Non-Public Information</em></strong></p>
<p>Access to systems containing non-public information must be limited to individuals who need such access to perform their jobs. Covered entities must also annually “review all user access privileges and remove or disable accounts and access that are no longer necessary.”</p>
<p><strong><em>Risk Assessments</em></strong></p>
<p>Covered entities must review and update risk assessments at least annually (rather than “as reasonably necessary”), and whenever a change in the business or technology causes a material change to the covered entity’s cyber risks.</p>
<p>Risk assessments should also be reviewed whenever a new business model is adopted or a new product is introduced.</p>
<p>The entity’s senior governing body must approve such programs annually.</p>
<p><strong><em>Technical Controls</em></strong></p>
<p>The Amendments introduce a number of heightened technical controls, including:</p>
<ul>
<li>Multifactor Authentication: With only very limited exceptions, multifactor authentication (MFA) is now required for “any individual” accessing “any information system” of a covered entity. A covered entity’s CISO may, however, approve the use of reasonably equivalent or more secure compensating controls. Importantly, the Amendments also removed the use of text message as an approved form of MFA, noting that it is “widely considered to be a weaker form of MFA.”</li>
<li>Encryption: The Amendments remove covered entities’ ability to rely on alternative compensating controls for the requirement to encrypt non-public information in transit over external networks. The DFS noted that it is “unaware of any effective alternative compensating control currently being used in the financial services sector that is comparable to encryption in transit over external networks.”</li>
<li>Vulnerability Scans: Covered entities are required to conduct automated scans of their information systems, detect security vulnerabilities, and remediate those vulnerabilities in a timely manner. These scans are required in addition to the existing requirement to conduct regular penetration testing.</li>
<li>Asset Inventory: Covered entities must maintain a complete asset inventory of all of their information systems that tracks the owner, location, classification or sensitivity, support expiration date, and recovery time objective for each system.</li>
</ul>
<p><strong><em>Enforcement</em></strong></p>
<p>The Amendments state that the “commission of a single act prohibited by [23 NYCRR part 500] or the failure to satisfy an obligation required by [23 NYCRR part 500] shall constitute a violation hereof.” A violation may include the failure to secure or prevent unauthorized access to an individual’s or an entity’s non-public information due to non-compliance with 23 NYCRR part 500, or the material failure to comply with any requirement of 23 NYCRR part 500 for any 24-hour period.</p>
<p>Penalties for noncompliance may vary, and the Amendments provide an extensive list of considerations and mitigating factors.</p>
<p><strong><em>Exemptions</em></strong></p>
<p>The Amendments relax the thresholds for small-company exemptions from the requirements of 23 NYCRR part 500. The threshold number of employees has been raised from 10 to 20, gross annual revenue from $5 million to $7.5 million (in each of the last three fiscal years from all business operations and the New York business operations of its affiliates), and total assets from $10 million to $15 million (including assets of all affiliates).</p>
<p><strong>Compliance Timeline</strong></p>
<p>The Amendments became effective on November 1, 2023. Compliance is generally required by April 29, 2024 (180 days from November 1, 2023), although the Amendments provide various dates over the next two years for compliance with specific provisions:</p>
<ul>
<li>By December 1, 2023, covered entities must comply with the incident reporting obligations.</li>
<li>By April 15, 2024, covered entities’ CISOs and CEOs (or other highest-ranking executives) must certify compliance.</li>
<li>By April 29, 2024, covered entities must comply with the amended risk assessment, cybersecurity policy, penetration testing and monitoring, training, and audit requirements.</li>
<li>By November 1, 2024, covered entities must comply with obligations related to the company’s senior governing body, encryption requirements, and incident response requirements.</li>
<li>By May 1, 2025, covered entities must comply with many updated technical requirements, including automated information systems scanning requirements, privileged accounts requirements, malicious code requirements, and endpoint detection solution requirements.</li>
<li>By November 1, 2025, covered entities must comply with multifactor authentication and asset inventory requirements.</li>
</ul>
<p><strong>Conclusion</strong></p>
<p>Even before the Amendments, the DFS’ cybersecurity regulations were considered to be among the most demanding and specific cybersecurity requirements promulgated by any regulator. The Amendments continue that trend. For financial services companies operating in New York, the Amendments mean a continued focus on cybersecurity governance and response, more compliance obligations and potentially higher operational costs (particularly for “Class A” companies), and correspondingly increased enforcement risk.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Saudi Arabia’s Data Protection Law Enters Into Force</title>
		<link>https://www.globalprivacyblog.com/legislative-regulatory-developments/saudi-arabias-data-protection-law-enters-into-force/</link>
		
		<dc:creator><![CDATA[<a href=''>Latham &amp; Watkins</a>]]></dc:creator>
		<pubDate>Tue, 05 Dec 2023 17:18:09 +0000</pubDate>
				<category><![CDATA[Legislative & Regulatory Developments]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Implementing and Transfer Regulations]]></category>
		<category><![CDATA[Personal Data Protection Law]]></category>
		<category><![CDATA[Saudi Arabia]]></category>
		<category><![CDATA[Saudi Data & AI Authority]]></category>
		<guid isPermaLink="false">https://www.globalprivacyblog.com/?p=2634</guid>

					<description><![CDATA[<p>The final Implementing Regulations are generally business-friendly and bring the law closer to the EU GDPR. By Brian A. Meenagh and Lucy Tucker The Saudi Data &amp; AI Authority (SDAIA) recently issued the final Implementing and Transfer Regulations for the upcoming Personal Data Protection Law (PDPL), the first comprehensive data protection law in Saudi Arabia....… <a class="read_more" href="https://www.globalprivacyblog.com/legislative-regulatory-developments/saudi-arabias-data-protection-law-enters-into-force/">Continue Reading</a></p>]]></description>
										<content:encoded><![CDATA[<p><strong><em>The final Implementing Regulations are generally business-friendly and bring the law closer to the EU GDPR.</em></strong></p>
<p>By <a href="https://www.lw.com/en/people/brian-meenagh">Brian A. Meenagh</a> and <a href="https://www.lw.com/en/people/lucy-tucker">Lucy Tucker</a></p>
<figure class="wp-block-image alignright size-large is-resized" style=" max-width: 100%; height: auto; "><img decoding="async" width="669" height="441" src="https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-669x441.jpg" alt="" class="wp-image-2142" style=" max-width: 100%; height: auto; width:300px;height:auto" srcset="https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-669x441.jpg 669w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-300x198.jpg 300w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-150x99.jpg 150w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-768x506.jpg 768w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-1536x1013.jpg 1536w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-2048x1350.jpg 2048w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-960x633.jpg 960w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-670x442.jpg 670w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-335x221.jpg 335w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-224x148.jpg 224w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-168x111.jpg 168w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-84x55.jpg 84w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-40x26.jpg 40w, 
https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-80x53.jpg 80w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-160x105.jpg 160w, https://www.globalprivacyblog.com/files/2020/09/GettyImages-959414824_Dubai-skyscapers-and-binary-numbers-320x211.jpg 320w" sizes="(max-width: 669px) 100vw, 669px"></figure>
<p>The Saudi Data &amp; AI Authority (SDAIA) recently issued the final Implementing and Transfer Regulations for the upcoming Personal Data Protection Law (PDPL), the first comprehensive data protection law in Saudi Arabia. This follows the publication of consultation drafts of the Implementing and Transfer Regulations in April 2023 (the Consultation Draft). The PDPL was issued under Royal Decree No. M/19 on 16 September 2021, and amended pursuant to Royal Decree No. M/148 on 27 March 2023.</p>
<p>The PDPL came into force on 14 September 2023; however, we do not expect enforcement activities until mid-September 2024 because its preambles include an additional one-year transition compliance period.</p>
<p>This <a href="https://www.lw.com/en/insights/2023/12/Saudi-Arabias-data-protection-law-enters-into-force">article</a> provides high-level comments on key topics in the PDPL and Implementing Regulations, with a focus on areas which deviate from the GDPR or which have recently been updated in the final Implementing Regulations.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Oregon and Delaware Join the Surge of US States Enacting General Privacy Legislation</title>
		<link>https://www.globalprivacyblog.com/privacy/oregon-and-delaware-join-the-surge-of-us-states-enacting-general-privacy-legislation/</link>
		
		<dc:creator><![CDATA[<a href=''>Latham &amp; Watkins</a>]]></dc:creator>
		<pubDate>Wed, 06 Sep 2023 23:30:44 +0000</pubDate>
				<category><![CDATA[Legislative & Regulatory Developments]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[data protection impact assessment]]></category>
		<category><![CDATA[US state privacy laws]]></category>
		<guid isPermaLink="false">https://www.globalprivacyblog.com/?p=2598</guid>

					<description><![CDATA[<p>The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws.* By Robert Blamires, Clayton Northouse, Austin L. Anderson, and Jennifer Howes Key Takeaways: Oregon and Delaware have become the seventh and eighth US states this year to enact general data privacy legislation — growing the US...… <a class="read_more" href="https://www.globalprivacyblog.com/privacy/oregon-and-delaware-join-the-surge-of-us-states-enacting-general-privacy-legislation/">Continue Reading</a></p>]]></description>
										<content:encoded><![CDATA[<p><strong><em>The new general data privacy laws in Oregon and Delaware expand on existing requirements under other state privacy laws.</em></strong>*</p>
<p>By <a href="https://www.lw.com/en/people/robert-blamires">Robert Blamires</a>, <a href="https://www.lw.com/en/people/clayton-northouse">Clayton Northouse</a>, <a href="https://www.lw.com/en/people/58188">Austin L. Anderson</a>, and <a href="https://www.lw.com/en/people/jennifer-howes">Jennifer Howes</a></p>
<h2 class="wp-block-heading"><strong>Key Takeaways:</strong></h2>
<ul>
<li>On July 20, 2023, Oregon’s governor signed the <a href="https://olis.oregonlegislature.gov/liz/2023R1/Downloads/MeasureDocument/SB619/Enrolled">Oregon Consumer Privacy Act</a> into law. The law will take effect on July 1, 2024.</li>
<li>On September 11, 2023, Delaware’s governor signed the <a href="https://legis.delaware.gov/BillDetail?LegislationId=140388">Delaware Personal Data Privacy Act</a> into law. The law will take effect on January 1, 2025.</li>
<li>The Oregon law expands individuals’ right of access to their data to now include a list of names of the third parties to which a business has disclosed an individual’s personal data.<a href="#_edn1" id="_ednref1">[i]</a></li>
<li>Unlike most of the other new state general data privacy laws (and several other existing data privacy regimes), both laws apply to nonprofit entities, with some limited exceptions. Oregon gives nonprofit entities a one-year grace period beyond the law’s effective date.</li>
<li>Delaware requires covered businesses to obtain consent of individuals between the ages of 13 and 18 prior to processing their personal data for purposes of selling, targeted advertising, or certain profiling activities.</li>
</ul>
<p>Oregon and Delaware have become the seventh and eighth US states this year to enact general data privacy legislation — growing the US state privacy framework to 13 states.<a id="_ednref2" href="#_edn2">[ii]</a> This blog post analyzes the key requirements of both laws, including how the new laws’ provisions compare to those of the new general data privacy laws that recently passed in other states.<a id="_ednref3" href="#_edn3">[iii]</a></p>
<p>Notably, outside of California, we are beginning to see a trend emerge for states to adopt the more consumer-friendly Colorado model, compared to the (arguably more business-friendly) Virginia model.<a id="_ednref4" href="#_edn4">[iv]</a> While the existing state laws largely impose the same requirements on covered businesses and provide the same privacy rights to individuals as Virginia, the Colorado model refers to state laws that are generally considered more consumer-friendly by, for example, adopting the broader definition of “sale” of personal data and requiring covered businesses to recognize certain privacy requests submitted through authorized agents and universal opt-out mechanisms.</p>
<p>Additionally, while almost all of the existing general state data privacy laws provide covered businesses with a right to cure alleged noncompliance (except California, where any cure period is now up to the discretion of state regulators), the right to cure is typically temporary under the Colorado model (generally expiring one year after the effective date), whereas the right to cure under the Virginia model is permanent.</p>
<p>As described below, both Oregon and Delaware follow the Colorado model, which brings the Colorado model total to five states (Colorado, Connecticut, Montana, Oregon, and Delaware), with the Virginia model still at seven states (Virginia, Utah, Florida, Texas, Tennessee, Iowa, and Indiana). Given that California diverges in many respects from the other state privacy laws, we generally do not consider it to fall within either model.</p>
<p>Below is a summary of the effective dates for all 13 new US state general data privacy laws.</p>
<figure class="wp-block-image size-large" style=" max-width: 100%; height: auto; "><a href="https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large.png" target="_blank" rel="noreferrer noopener"><img loading="lazy" decoding="async" width="669" height="213" src="https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-669x213.png" alt="" class="wp-image-2618" srcset="https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-669x213.png 669w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-300x95.png 300w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-240x76.png 240w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-768x244.png 768w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-1536x488.png 1536w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-2048x651.png 2048w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-960x305.png 960w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-670x213.png 670w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-335x107.png 335w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-224x71.png 224w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-168x53.png 168w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-84x27.png 84w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-40x13.png 40w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-80x25.png 80w, 
https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-160x51.png 160w, https://www.globalprivacyblog.com/files/2023/09/Infographic-Data-Privacy-Timeline_Large-320x102.png 320w" sizes="(max-width: 669px) 100vw, 669px" style=" max-width: 100%; height: auto; "></a></figure>
<p><em>Click on image to expand</em></p>
<h2 class="wp-block-heading"><strong>Overview of Requirements</strong></h2>
<p>Like the laws in Colorado and Connecticut, both Oregon and Delaware apply to “consumers,” who are defined as residents of the state, except those acting in a commercial or employment context. Below, we use “consumers” and “individuals” interchangeably to refer to residents who fall within the scope of these laws.</p>
<p><strong>1. Scope. </strong>Both Oregon and Delaware adopt similar applicability tests as other new state general data privacy laws; however, Delaware sets a lower applicability threshold than many of the laws, likely a result of its smaller population.</p>
<p>For Oregon, the law applies to any person who conducts business in the state or provides products or services to Oregon residents, and during a calendar year controls or processes:</p>
<ul>
<li>the personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or</li>
<li>the personal data of 25,000 or more consumers while deriving 25% or more of its annual gross revenue from selling personal data.</li>
</ul>
<p>For Delaware, the law applies to any person who conducts business in the state or provides products or services to Delaware residents, and during a calendar year controls or processes:</p>
<ul>
<li>the personal data of 35,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or</li>
<li>the personal data of 10,000 or more consumers while deriving 20% or more of its annual gross revenue from selling personal data.</li>
</ul>
<p>Similar to California, Oregon’s law does not provide a blanket exception for all institutions and affiliates that are subject to the federal Gramm-Leach-Bliley Act (GLBA). Rather, the law exempts “financial institutions” as defined under Oregon’s Revised Statute 706.008, which has a narrower definition than the GLBA’s equivalent term, and in effect exempts only traditional banks and credit unions.<a href="#_edn5" id="_ednref5">[v]</a></p>
<p>In contrast, the GLBA broadly defines “financial institutions” as businesses significantly engaged in financial activities, which includes not only banks and credit unions but also a broad range of other entities engaged in financial services, including appraisal services, tax preparation, loan servicing, check-cashing and payday loan services, mortgage lending, and financial and investment advisory services. As a result, financial institutions under the GLBA’s definition will need to assess whether they fall within Oregon’s narrower definition of a “financial institution.” If not, Oregon does provide some relief by continuing to provide a data-level exemption for nonpublic personal information that is collected and processed under the GLBA (similar to California’s law). However, any personal data that falls outside the scope of nonpublic personal information will remain subject to the provisions of Oregon’s law. As a result, financial institutions and their affiliates will need to closely assess their privacy compliance program to determine whether additional steps are necessary to comply with the law.</p>
<p>Outside of financial data, both laws align with other state privacy laws by also exempting data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), data subject to the Fair Credit Reporting Act, and data subject to the federal Family Educational Rights and Privacy Act. Neither law provides an entity-level exemption for entities subject to HIPAA.</p>
<p>Another aspect of these two laws that distinguishes them from Virginia and others is that they both apply to nonprofit entities, with some limited exceptions. For instance, both laws exempt nonprofit entities that help prevent insurance fraud, as well as personal data of a victim or witness maintained by a nonprofit entity that provides services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felonies, or stalking. All other nonprofit entities and data maintained by nonprofits are within the scope of these laws, assuming the entity meets the thresholds set out above.</p>
<p><strong>2. Privacy Notice. </strong>Oregon and Delaware have similar privacy notice disclosure requirements as other state privacy laws, including the following:</p>
<ul>
<li>the categories of personal data (including sensitive data) processed;</li>
<li>the purposes for which personal data is processed;</li>
<li>the categories of personal data shared with third parties;</li>
<li>the categories of third parties to whom personal data is disclosed; and</li>
<li>how individuals can exercise rights in relation to personal data about them, including how to appeal a denied rights request.</li>
</ul>
<p>Additionally, if the business sells personal data or processes personal data for purposes of targeted advertising or profiling, such activity must be clearly and conspicuously disclosed in the privacy notice.</p>
<p><strong>3. Privacy Rights. </strong>Similar to other state privacy laws, Oregon and Delaware will require businesses to honor consumers’ privacy rights, including the right to access, correct, delete, and opt out of the following activities: (i) the sale of personal data, (ii) the processing of personal data for the purposes of targeted advertising, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.</p>
<p>Where the laws start to diverge, however, is the scope of such rights. For instance, Oregon expands the right of access by requiring covered businesses to provide a list of third parties to which the business has disclosed the specific individual’s personal data. Delaware also expands on the existing right of access to include “a list of the categories of third parties to whom the controller has disclosed the consumer’s personal data.” Other state privacy laws, in comparison, require that the business only provide the categories of third parties to which the business has disclosed any individual’s personal data. Therefore, covered businesses subject to the Oregon and Delaware laws will now need to maintain a historical list of all third parties (in the case of Oregon) or categories of third parties (in the case of Delaware) to which the business has disclosed a specific individual’s personal data, and provide the list upon request.</p>
<p>Additionally, both laws provide individuals with the ability to opt out of the sale of their personal data and the processing of their personal data for targeted advertising purposes through a universal opt-out mechanism. Under both laws, businesses are required to comply with such opt-out requests received via a universal opt-out mechanism by January 1, 2026.</p>
<p><strong>4. Appeals Process. </strong>Similar to the majority of the other state privacy laws, Oregon and Delaware require covered businesses to establish a process for individuals to appeal a business’s decision not to take action on a rights request. Delaware aligns with the majority of the other state privacy laws by providing covered businesses with 60 days to respond to the appeal request, informing the individual of the reasons for its decision. Oregon, however, imposes a shorter time frame of 45 days to respond to an individual’s appeal request. Under both laws, if the appeal is denied, the business must provide the individual with a method to contact the state Attorney General to submit a complaint.</p>
<p><strong>5. Consent.</strong> Like many of the other state privacy laws, Oregon and Delaware require covered businesses to obtain consent to a high standard (freely given, specific, informed, and unambiguous), similar to that of the UK/EU GDPR, from individuals prior to: (i) processing personal data about them for secondary purposes; (ii) processing sensitive personal data about them; (iii) for individuals between the ages of 13 and 15 (inclusive) in the case of Oregon and 13 and 17 (inclusive) in the case of Delaware, processing personal data about them for purposes of selling it or for targeted advertising; and (iv) in Delaware only, processing personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.</p>
<p><strong>6. Contractual Obligations. </strong>Both laws impose specific contractual requirements for agreements between controllers and processors. These requirements mirror those in many of the other new general state data privacy laws.</p>
<p><strong>7. Data Protection Impact Assessments. </strong>Similar to many other states, Oregon and Delaware require businesses to conduct a data protection impact assessment (DPIA) prior to: (i) processing sensitive personal data, (ii) selling personal data, (iii) processing personal data for targeted advertising, (iv) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, and (v) processing activities involving personal data that present a heightened risk of harm to consumers. Like other laws, a DPIA conducted for purposes of complying with another applicable law may satisfy the requirements of the Oregon and Delaware laws, so long as it is reasonably similar in scope and effect.</p>
<p><strong>Enforcement</strong></p>
<p>The Oregon and Delaware laws will be exclusively enforced by the respective state Attorneys General. Oregon’s law provides for civil penalties of up to $7,500 per violation and injunctive relief. The law also provides a 30-day right to cure to remedy alleged noncompliance; however, the right to cure is set to sunset on January 1, 2026.</p>
<p>For Delaware, the law does not expressly state what penalties the Attorney General may seek other than stating that violations will be prosecuted in accordance with the provisions of Subchapter II of Chapter 25 of Title 29, which provides for civil penalties of up to $10,000 per violation, as well as injunctive relief, which, if violated, can result in enhanced civil penalties of up to $25,000 per violation. The law also provides covered businesses a 60-day right to cure to remedy alleged noncompliance; however, the right to cure is set to sunset on December 31, 2025.</p>
<h2 class="wp-block-heading"><strong>Takeaways</strong></h2>
<p>The passage of the laws in Oregon and Delaware adds to the increasing complexity for larger businesses, including certain nonexempt financial institutions and their affiliates, to comply with a patchwork of new state general data privacy laws. Though the laws largely adopt the Colorado model, by expanding on existing requirements under other state privacy laws, the laws in Oregon and Delaware arguably set a new compliance bar for businesses that meet the laws’ applicability thresholds. As a result, businesses subject to the new laws will need to reassess their existing privacy compliance programs to ensure compliance.</p>
<p>A handful of additional states may be next to pass their own general data privacy legislation, including Pennsylvania, New Jersey, New York, North Carolina, and Illinois. As such, the US privacy landscape looks set to continue to evolve and become ever more complex.</p>
<p><strong>Endnotes</strong></p>
<hr class="wp-block-separator has-alpha-channel-opacity">
<p>* <em>This post was updated on September 25, 2023 to reflect the latest developments regarding the Delaware law.</em></p>
<p><a id="_edn1" href="#_ednref1">[i]</a> The Oregon law provides covered businesses the option to provide either: (a) the list of third parties it has disclosed a particular individual’s personal data to or (b) the list of all third parties to which the business has disclosed any personal data. Many covered businesses may find it simpler to keep the latter list.</p>
<p><a href="#_ednref2" id="_edn2">[ii]</a> The list of current general state privacy law includes: California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia. Other states have recently passed health-specific privacy laws, including Nevada and Washington, as discussed <a href="https://www.globalprivacyblog.com/legislative-regulatory-developments/recently-enacted-health-data-privacy-laws-in-washington-and-nevada-pose-challenges-for-businesses/">here</a>.</p>
<p><a href="#_ednref3" id="_edn3">[iii]</a> Search this blog for our analysis of the privacy laws in <a href="https://www.globalprivacyblog.com/legislative-regulatory-developments/california-consumer-privacy-act-of-2018-may-usher-in-sweeping-change/">California</a>, <a href="https://www.globalprivacyblog.com/privacy/virginia-consumer-data-protection-act-second-us-state-passes-comprehensive-data-privacy-legislation/">Virginia</a>, <a href="https://www.globalprivacyblog.com/legislative-regulatory-developments/connecticut-passes-significant-amendments-to-the-connecticut-data-privacy-act/">Connecticut</a>, <a href="https://www.globalprivacyblog.com/legislative-regulatory-developments/and-now-there-are-six-iowa-passes-new-privacy-law/">Iowa</a>, <a href="https://www.globalprivacyblog.com/privacy/indiana-montana-and-tennessee-enact-general-data-privacy-laws-bringing-the-total-to-nine-and-counting/">Indiana</a>, <a href="https://www.globalprivacyblog.com/privacy/indiana-montana-and-tennessee-enact-general-data-privacy-laws-bringing-the-total-to-nine-and-counting/">Montana</a>, <a href="https://www.globalprivacyblog.com/privacy/indiana-montana-and-tennessee-enact-general-data-privacy-laws-bringing-the-total-to-nine-and-counting/">Tennessee</a>, <a href="https://www.globalprivacyblog.com/legislative-regulatory-developments/florida-digital-bill-of-rights-adds-to-the-growing-us-state-privacy-network/">Florida</a>, and <a href="https://www.globalprivacyblog.com/legislative-regulatory-developments/texas-passes-onerous-data-privacy-law/">Texas</a>.</p>
<p><a href="#_ednref4" id="_edn4">[iv]</a> Colorado and Virginia were the first states to pass general data privacy laws reflecting these approaches.</p>
<p><a href="#_ednref5" id="_edn5">[v]</a> Oregon’s Revised Statute 706.008 defines “financial institutions” as:</p>
<ul>
<li>Insured Institutions, defined as a company subject to the federal Bank Holding Company Act of 1956, the deposits of which are insured under the provisions of the Federal Deposit Insurance Act;</li>
<li>Extranational Institutions, defined as a corporation, unincorporated company, partnership or association of two or more persons organized under the laws of a nation other than the United States, or other than a territory of the United States, Puerto Rico, Guam, American Samoa or the Virgin Islands, that engages directly in banking business; </li>
<li>Credit Unions, defined as a cooperative, non-profit association, incorporated under the laws of [Oregon], for the purposes of encouraging thrift among its members, creating a source of credit at a fair and reasonable rate of interest and providing an opportunity for its members to use and control their own money in order to improve their economic and social condition;</li>
<li>Interstate Credit Unions, defined as a credit union organized under the laws of another state that may conduct business as a credit union in [Oregon] with the approval of the Director of the Department of Consumer and Business Services and that satisfies the conditions described in subsection (3) of Oregon’s Revised Statute 723.042; and</li>
<li>Federal Credit Unions.</li>
</ul>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>EU-US Data Privacy Framework Goes Live: What Are the Practical Implications?</title>
		<link>https://www.globalprivacyblog.com/legislative-regulatory-developments/eu-us-data-privacy-framework-goes-live-what-are-the-practical-implications/</link>
		
		<dc:creator><![CDATA[<a href=''>Latham &amp; Watkins</a>]]></dc:creator>
		<pubDate>Tue, 01 Aug 2023 12:47:52 +0000</pubDate>
				<category><![CDATA[Legislative & Regulatory Developments]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[data transfer]]></category>
		<category><![CDATA[EEA]]></category>
		<category><![CDATA[eu-us data privacy framework]]></category>
		<category><![CDATA[European Commission]]></category>
		<category><![CDATA[privacy shield]]></category>
		<category><![CDATA[Schrems II]]></category>
		<category><![CDATA[US]]></category>
		<guid isPermaLink="false">https://www.globalprivacyblog.com/?p=2590</guid>

					<description><![CDATA[<p>The new framework provides an additional route for personal data transfers from the EEA to the US. By Robert Blamires, Gail E. Crawford, James Lloyd, Clayton Northouse, Alice Brunning, Alexander Ford-Cox, and Jennifer Howes On 10 July 2023, the European Commission (EC) took the final step to enable businesses to start relying on the new...… <a class="read_more" href="https://www.globalprivacyblog.com/legislative-regulatory-developments/eu-us-data-privacy-framework-goes-live-what-are-the-practical-implications/">Continue Reading</a></p>]]></description>
										<content:encoded><![CDATA[<p><strong><em>The new framework provides an additional route for personal data transfers from the EEA to the US.</em></strong></p>
<p>By <a href="https://www.lw.com/en/people/robert-blamires" target="_blank" rel="noreferrer noopener">Robert Blamires</a>, <a href="https://www.lw.com/en/people/gail-crawford" target="_blank" rel="noreferrer noopener">Gail E. Crawford</a>, <a href="https://www.lw.com/en/people/james-lloyd" target="_blank" rel="noreferrer noopener">James Lloyd</a>, <a href="https://www.lw.com/en/people/clayton-northouse" target="_blank" rel="noreferrer noopener">Clayton Northouse</a>, <a href="https://www.lw.com/en/people/alice-brunning" target="_blank" rel="noreferrer noopener">Alice Brunning</a>, <a href="https://www.lw.com/en/people/alex-ford-cox" target="_blank" rel="noreferrer noopener">Alexander Ford-Cox</a>, and <a href="https://www.lw.com/en/people/jennifer-howes" target="_blank" rel="noreferrer noopener">Jennifer Howes</a></p>
<p>On 10 July 2023, the European Commission (EC) took the final step to enable businesses to start relying on the new EU-US Data Privacy Framework (DPF) for transfers of data from the European Economic Area (EEA) to the US. The EC adopted an adequacy decision following the fulfilment by the US of its implementation commitments under the DPF. The adequacy decision enables organisations to transfer personal data from the EEA to organisations in the US that have self-certified under the DPF with immediate effect. As of 10 July 2023, organisations that were certified under the EU-US Privacy Shield (Privacy Shield) are now certified under the DPF and can begin receiving data from the EEA via the DPF.</p>
<p>The DPF was finalised following lengthy negotiations between the US government and the EC after the European Court of Justice (CJEU) invalidated the Privacy Shield in July 2020 (commonly referred to as the <em>Schrems II</em> case). The CJEU’s main concern with respect to the Privacy Shield related to US public authorities’ potential use of and access to EEA citizens’ personal data without being restricted by the principle of proportionality. The CJEU also concluded that EEA data subjects had no effective redress mechanisms to challenge US surveillance practices. To address these concerns, the US introduced safeguards and a new redress mechanism via an executive order.<a href="#_edn1" id="_ednref1"><sup>[1]</sup></a> In addition, the US Attorney General established a new Data Protection Review Court (DPRC).</p>
<p>While the binding adequacy decision only recently went into effect, activists in the EU will likely challenge it soon. The EC and US government have expressed confidence that the DPF meets the CJEU’s concerns in <em>Schrems II</em> and should survive any such challenge. Unless and until any such challenge is successful, organisations can transfer EEA citizens’ personal data to DPF-certified organisations in the US, safe in the knowledge that such transfers are lawful under the GDPR and, importantly, the adequacy decision is binding on local data protection authorities.</p>
<p><strong>What should organisations do next?</strong></p>
<p>The next steps for organisations in the US that receive personal data from the EEA largely depend on whether the organisation is already a participant in the Privacy Shield (and whether they now wish to rely on the DPF or continue to rely on other transfer mechanisms, in particular standard contractual clauses (SCCs)).<a href="#_edn2" id="_ednref2"><sup>[2]</sup></a> Wider considerations, including the impact of the DPF on existing Transfer Impact Assessments (TIAs), will also be relevant for organisations transferring personal data from the EEA to the US. We summarise below the key considerations for relevant organisations.</p>
<p><em><strong>Privacy Shield-certified organisations</strong></em></p>
<p>Organisations that have maintained their Privacy Shield certification are now certified under the DPF. The DPF requires such organisations to update their relevant privacy notices to replace references to the Privacy Shield with references to the DPF by 10 October 2023,<a href="#_edn3" id="_ednref3"><sup>[3]</sup></a> but otherwise, their certification to the DPF transitions automatically.</p>
<p>At the time of publication, the <a href="https://www.dataprivacyframework.gov/s/participant-search" target="_blank" rel="noreferrer noopener">Data Privacy Framework list</a>, published on the <a href="http://www.dataprivacyframework.gov/" target="_blank" rel="noreferrer noopener">DPF website</a>, has transposed the listings of each Privacy Shield-certified entity to an equivalent DPF listing.</p>
<p><strong><em>Other organisations</em></strong></p>
<p>Organisations that are not Privacy Shield-certified, but want to rely on the DPF for personal data transfers from the EEA to the US, will need to submit an application on the <a href="http://www.dataprivacyframework.gov" target="_blank" rel="noreferrer noopener">DPF website</a>. Note that the DPF (similar to the Privacy Shield) is only available to entities that are subject to the jurisdiction of the Federal Trade Commission (FTC) or Department of Transportation. The US government has stated that it is in discussions with the EC to consider whether other entities (such as banks) can also be eligible to adopt the DPF.</p>
<p>Organisations that already comply with the GDPR are likely well-positioned to comply with the DPF, since the DPF adopts compliance principles similar to those of the GDPR. That said, such organisations would still need to carefully review their compliance program and develop evidentiary support for any self-certification. The DPF principles also share similarities with existing US state laws, such as the California Consumer Privacy Act.</p>
<p>Regardless of their compliance with existing privacy legal regimes, organisations should be careful to evaluate the specific DPF requirements, such as particular disclosure obligations, choices that must be offered to EEA data subjects, and requirements relating to the processing of sensitive data.</p>
<p>Significantly, certifying organisations must subject their processing of EEA data under the DPF to the enforcement authority of the FTC or the Department of Transportation.</p>
<p>In deciding whether to certify to the DPF, organisations should consider that alternative transfer mechanisms (such as SCCs) remain valid and may prove simpler in some circumstances. Indeed, the EC and US government have clarified that the changes to US law in response to <em>Schrems II </em>are applicable to personal data transfers from the EEA to the US, regardless of the transfer mechanism.</p>
<p><strong><em>All EU organisations which transfer data to the US</em></strong></p>
<p>Since the changes to US law also apply when data is transferred by other mechanisms (such as SCCs), EEA organisations should consider reviewing their TIAs underpinning all EU-US personal data transfers, and updating these to reflect the new US regime, i.e., the safeguards and new redress mechanism introduced via Executive Order (EO) 14086 and the DPRC, as noted above. EEA organisations can largely rely on the EC’s assessment of US law in the adequacy decision, which should simplify this exercise.</p>
<p><strong>Summary of adequacy decision</strong></p>
<p>In order to determine the adequacy of data transfers under the DPF, the EC has reviewed the steps that the US took to revise its practices in response to the issues identified in <em>Schrems II</em>. The EC assessed the safeguards that EO 14086 introduced, concluding that the new safeguards and redress mechanism address all of the CJEU’s concerns. The EC concluded that:</p>
<ul>
<li>in relation to redress, the new mechanism includes the establishment of the DPRC, an independent tribunal to which EEA individuals now have access;<a href="#_edn4" id="_ednref4"><sup>[4]</sup></a></li>
<li>in relation to the US government’s access to personal data, US law contains various limitations and safeguards with respect to the access and use of personal data for criminal law enforcement and national security purposes; and</li>
<li>US law provides appropriate safeguards, subject to adequate oversight and redress, limiting access to EEA data by the US intelligence agencies to what is necessary and proportionate.<a href="#_edn5" id="_ednref5"><sup>[5]</sup></a></li>
</ul>
<p>The DPF will be subject to periodic reviews by the EC, together with representatives of European data protection authorities and competent US authorities. If the EC is concerned that an adequate level of protection is no longer ensured, it is authorised to suspend, amend, or repeal the adequacy decision or limit its scope. The EC’s first review will take place in July 2024.</p>
<p><strong><em>UK and Swiss extensions</em></strong></p>
<p>Following its departure from the EU, the UK will not be covered by the adequacy decision. The UK government will instead need to agree on an alternative arrangement with the US to cover the flow of UK personal data to the US. Such a framework would require the US to designate the UK as a “qualifying state” and the UK to issue an adequacy decision. On 17 July 2023, the UK confirmed that US organisations that are part of the DPF can also self-certify for the “UK extension” to the DPF, but cannot currently rely on it for UK personal data transfers until the UK adequacy decision is in place. We expect a timetable to be published in the coming months.</p>
<p>Organisations certified under the Swiss-US Privacy Shield Framework will also be able to transition to the DPF. However, as with the UK, transfers cannot be made until Switzerland is designated as a “qualifying state” and Switzerland’s adequacy decision is in force.</p>
<p><strong>Endnotes</strong></p>
<hr class="wp-block-separator has-alpha-channel-opacity">
<p><a href="#_ednref1" id="_edn1"><sup>[1]</sup></a> EO 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities” (EO 14086).</p>
<p><a href="#_ednref2" id="_edn2"><sup>[2]</sup></a> While the Privacy Shield ceased to be a valid mechanism for international data transfers following <em>Schrems II</em>, many organisations remained certified.</p>
<p><a href="#_ednref3" id="_edn3"><sup>[3]</sup></a> Changes are required within three months of the effective date of the DPF (10 July 2023).</p>
<p><a href="#_ednref4" id="_edn4"><sup>[4]</sup></a> The EU and Iceland, Liechtenstein, and Norway (together making up the EEA Member States) were designated as “Qualifying States” by the US Attorney General on 30 June 2023, effective immediately following the adoption of the adequacy decision on 10 July 2023.</p>
<p><a href="#_ednref5" id="_edn5"><sup>[5]</sup></a> In addition to the changes made by EO 14086, and pursuant to its terms, the US intelligence community adopted various policies and procedures, which were published on 3 July 2023.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Recently Enacted Health Data Privacy Laws in Washington and Nevada Pose Challenges for Businesses</title>
		<link>https://www.globalprivacyblog.com/legislative-regulatory-developments/recently-enacted-health-data-privacy-laws-in-washington-and-nevada-pose-challenges-for-businesses/</link>
		
		<dc:creator><![CDATA[<a href=''>Latham &amp; Watkins</a>]]></dc:creator>
		<pubDate>Tue, 25 Jul 2023 16:16:14 +0000</pubDate>
				<category><![CDATA[Legislative & Regulatory Developments]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[Family Educational Rights and Privacy Act]]></category>
		<category><![CDATA[Gramm-Leach-Bliley Act]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[my health my data act]]></category>
		<guid isPermaLink="false">https://www.globalprivacyblog.com/?p=2573</guid>

					<description><![CDATA[<p>Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities. By Heather B. Deixler, Clayton Northouse, Austin L. Anderson, Kiara E. Vaughn, and Kathryn Parsons-Reponte Key Takeaways: Washington State and Nevada have now passed health data privacy laws that impose...… <a class="read_more" href="https://www.globalprivacyblog.com/legislative-regulatory-developments/recently-enacted-health-data-privacy-laws-in-washington-and-nevada-pose-challenges-for-businesses/">Continue Reading</a></p>]]></description>
										<content:encoded><![CDATA[<p><strong><em>Washington State’s landmark privacy law has inspired other states to pass similar laws with stringent requirements on a broad range of companies and processing activities.</em></strong></p>
<p>By <a href="https://www.lw.com/en/people/heather-deixler">Heather B. Deixler</a>, <a href="https://www.lw.com/en/people/clayton-northouse">Clayton Northouse</a>, <a href="https://www.lw.com/people/58188">Austin L. Anderson</a>, <a href="https://www.lw.com/en/people/kiara-vaughn">Kiara E. Vaughn</a>, and <a href="https://www.lw.com/en/people/kathryn-parsons-reponte">Kathryn Parsons-Reponte</a></p>
<p><strong>Key Takeaways:</strong></p>
<ul>
<li>On April 27, 2023, Washington State enacted the <a href="https://lawfilesext.leg.wa.gov/biennium/2023-24/Pdf/Bills/Session%20Laws/House/1155-S.SL.pdf?q=20230629132711">My Health My Data law</a> (My Health My Data Act), a health privacy law that broadly applies to personal information that is or can be linked to a consumer and identifies the consumer’s physical or mental health status.</li>
<li>On June 16, 2023, Nevada passed a similar law by enacting <a href="https://www.leg.state.nv.us/App/NELIS/REL/82nd2023/Bill/10323/Text">Senate Bill 370</a> (Nevada Health Privacy Law).</li>
<li>Both laws apply to consumer health information not covered under health data privacy laws like the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). However, while Nevada’s law uses terminology similar to Washington State’s law, it is narrower in scope and, unlike the Washington State law, it does not include a private cause of action.</li>
<li>The requirements under both laws include publishing a consumer health data privacy policy, obtaining consent for the collection and sharing of consumers’ health data with prescriptive requirements, and establishing consumer health data rights.</li>
<li>While both laws will be enforced by each state’s Attorney General, the Washington State law also provides a private right of action, allowing individuals to directly bring an enforcement action against a business.</li>
<li>With certain exceptions (see small businesses and the geolocation restriction under My Health My Data), both laws will go into effect on March 31, 2024.</li>
</ul>
<p>Washington State and Nevada have now passed health data privacy laws that impose obligations relating to the collection, processing, and sharing of “consumer health data.” Both laws (collectively, State Health Data Privacy Laws) go into effect on March 31, 2024, with some exceptions. The Washington State law’s ban on geofencing went into effect on July 23, 2023, and the law also includes a slight delay for small businesses, which are not subject to most of the law’s requirements until June 30, 2024.</p>
<p>With passage of these two new laws, states are stepping in to regulate companies that collect or process health-related information outside the scope of HIPAA. However, as detailed below, the Washington State law imposes very broad requirements that regulate many companies that operate beyond the healthcare industry, and it fails to include clear guidance for industry in many critical ways, including with respect to many of its defined terms. As a result, businesses that collect or process personal information in these states will need to carefully assess these new laws as they introduce novel requirements and pose significant compliance challenges.</p>
<p><strong>Key Definitions</strong></p>
<p>1. <strong>Regulated Entity</strong></p>
<p>The State Health Data Privacy Laws apply to “Regulated Entities” defined as any person that:</p>
<ul>
<li>conducts business in the applicable state or targets applicable state residents, and</li>
<li>alone or jointly with others determines the purpose and means of collecting, processing, sharing, or selling consumer health data.</li>
</ul>
<p>Note that, according to the <a href="https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy">Frequently Asked Questions</a> (FAQs) that the Washington State Attorney General distributed, if an entity’s processing is limited to storage, it will not be subject to the My Health My Data Act.</p>
<p>Washington’s My Health My Data Act delays the effective date for a “small business,” which is a Regulated Entity that:</p>
<ul>
<li>collects, processes, sells, or shares consumer health data of fewer than 100,000 consumers during a calendar year; or</li>
<li>(1) derives less than 50% of gross revenue from the collection, processing, selling, or sharing of the consumer health data, <em>and</em> (2) controls, processes, sells, or shares consumer health data of fewer than 25,000 consumers.</li>
</ul>
<p>Notably, the State Health Data Privacy Laws apply to for-profit and non-profit entities, departing from existing state privacy laws, with the exceptions of the Colorado Privacy Act and Oregon Consumer Privacy Act<a href="#_edn1" id="_ednref1">[1]</a>. The State Health Data Privacy Laws, however, do not apply to employers or B2B business contacts with respect to health data they maintain about their employees, similar to other state laws, with the notable exception of California where all state residents are now in scope under the California Consumer Privacy Act, as amended (CCPA).</p>
<p>The My Health My Data Act also exempts data governed by HIPAA, the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act (FERPA). The Nevada Health Privacy Law takes a broader approach to such exemptions by including entity-level exemptions for any person or entity subject to HIPAA and any financial institution or affiliate subject to the GLBA. As a result, though entities subject to HIPAA and GLBA are exempt from Nevada’s law, they may still be subject to the My Health My Data Act to the extent they collect “consumer health data” that is outside the scope of such laws.</p>
<p>2. <strong>Consumer Health Data</strong></p>
<p>The Health Data Privacy Laws adopt the same term of “consumer health data” but the definitions diverge significantly in scope. Under the My Health My Data Act, “consumer health data” is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” In contrast, the Nevada law specifically limits the definition to “personal information that is linked or reasonably linkable to a consumer and that a Regulated Entity <em>uses to</em> identify the past, present, or future health status of a consumer.” The inclusion of “uses to” notably narrows the definition so that the incidental collection of personal information that could be used (but is not actually used) to identify a consumer’s health status does not trigger the Nevada Health Data Privacy Law’s requirements.</p>
<p>While neither law defines “health status,” both laws provide the following categories of information that qualify as consumer health data:</p>
<ul>
<li>information relating to health condition or diagnosis; social, psychological, behavioral, or medical interventions; the use and acquisition of prescribed medications; surgical or other health-related procedures;</li>
<li>gender-affirming care information (including efforts to research or obtain gender-affirming care services or products; e.g., social or physical interventions, cosmetics, psychological interventions, etc.);</li>
<li>biometric data (which is itself defined to include iris and retina scans; fingerprints; hand, face, and palm images; voice recordings; keystroke patterns; gait patterns; and rhythms that contain identifying information);</li>
<li>reproductive or sexual health information (including efforts to research or obtain);</li>
<li>precise location information that could reasonably indicate a consumer’s attempt to acquire or receive health services or supplies; and</li>
<li>any data that is derived or extrapolated from non-health information (including through machine learning and algorithms) that is used to associate or identify a consumer with the data described above.</li>
</ul>
<p>Nevada’s Health Data Privacy Law also provides an express carve-out from consumer health data for information that: (i) is used to provide access or enable gameplay on a video platform, and (ii) can identify the shopping habits or interests of a consumer, if that information is not used to identify the specific past, present, or future health status of the consumer, further narrowing the definition.</p>
<p>In comparison, the My Health My Data Act’s broad definition of “consumer health data” may impact both small and large businesses in all industries, regardless of whether they knowingly or intentionally collect such data. The Washington State Attorney General FAQs provide some limiting parameters around what may be considered consumer health data. They clarify that information does not constitute health data if it does not identify a consumer’s physical or mental health status. For example, the FAQs note that purchases of toilet paper are not consumer health data, but an app that tracks the consumer’s digestion would be. The FAQs also clarify that information derived from non-health data to identify the consumer’s mental or physical health status would be considered consumer health data. As an example, the FAQs cite reports that a retailer had been assigning a “pregnancy prediction score” to consumers based on the purchase of certain products. While the purchase of the underlying products would not be considered health data, the “pregnancy prediction score” derived from those purchases would be.</p>
<p>Though nonbinding and merely of persuasive authority, the FAQs, in combination with the broad definition of consumer health data, will likely provide flexibility to Washington State courts interpreting what is and what is not consumer health data on a case-by-case basis. For example, companies that collect precise location data may become subject to the law if such location data can be used to infer that someone visited a particular healthcare facility. Additionally, companies that collect unique identifiers from website cookies, pixels, or other tracking tools could now find themselves within the scope of the law if they track activities such as an individual searching for a recommendation for a specific type of doctor, researching an article on methods for handling anxiety or depression, or purchasing a book for expecting mothers.</p>
<p><strong>Obligations and Restrictions</strong></p>
<p>Both laws impose numerous requirements on Regulated Entities. Unless stated otherwise, both laws share the same requirements. We highlight some of the notable requirements below.</p>
<p><strong>Regulated entities must:</strong></p>
<ul>
<li><strong><u>Implement Health Data Privacy Policy and Security Measures</u>: </strong>Regulated entities are required to maintain a “health data privacy policy” with a link from the homepage of their website that specifies, among other things: (i) categories of health data collected; (ii) categories of sources from which consumer health data is collected; (iii) categories of consumer health data shared; (iv) categories of third parties and specific affiliates with which the entity shares consumer health data; (v) how the consumer can exercise their rights; and (vi) unique to the Nevada Health Data Privacy Law, a disclosure stating whether third parties “may collect consumer health data over time and across different Internet websites or online services when the consumer uses any Internet website or online service of the regulated entity.” <strong><em>This likely means that Regulated Entities will need to create and post a separate “health data privacy policy” and link to it from their homepage.</em></strong> The Health Data Privacy Laws also require entities to implement and maintain administrative, technical, and physical data security measures (including restricting access to consumer health data to those employees for whom access is necessary).</li>
<li><strong><u>Obtain Affirmative Opt-In Consent for Collection and Sharing</u>:</strong> <strong><em>Unless necessary to provide products or services</em></strong>, a Regulated Entity is not allowed to collect (which is defined to include processing activities) or share (including with affiliates) consumer health data without first obtaining a consumer’s affirmative, specific, and voluntary opt-in consent that is “separate and distinct” from other agreements or consents.</li>
<li><strong><u>Provide Consumer Health Data Rights</u>:</strong> Regulated Entities are required to <strong><em>provide consumers with the following rights</em></strong> related to their consumer health data:
<ul>
<li><strong>Right to confirm</strong> whether a Regulated Entity is collecting, sharing, or selling a consumer’s health data;</li>
<li><strong>Right to access</strong> such data, including a list of third parties with whom the consumer’s health data has been shared or to whom it has been sold;</li>
<li><strong>Right to withdraw consent/cease a Regulated Entity’s collection, sharing, or selling of the consumer’s health data</strong>; and</li>
<li>The <strong>right to delete</strong> consumer health data.</li>
</ul>
</li>
</ul>
<p><strong><em>Notably, the Nevada Health Data Privacy Law right to access does not include the right to access the consumer’s health data.</em></strong> Rather, Regulated Entities are only required to respond to a right to access request with the list of third parties with whom the consumer’s health data has been shared or sold.</p>
<ul>
<li><strong><u>Establish Appeals Process</u>: </strong>Regulated entities are required to establish a process through which a consumer may appeal the Regulated Entity’s refusal to act on a request within a reasonable period of time after the consumer’s receipt of the decision. Upon receipt of an appeal request, the Regulated Entity must provide a response stating the determination of the appeal and the reason for it within 45 days of receipt. If the appeal is denied, the Regulated Entity shall also provide the consumer with an online mechanism or other method through which the consumer may contact the state Attorney General to submit a complaint.</li>
<li><strong><u>Retain Authorization Records</u>: </strong>Regulated entities are required to retain a record of a consumer’s written authorization for at least six years after the date on which the written authorization expired.</li>
</ul>
<p><strong>Regulated entities must not:</strong></p>
<ul>
<li><strong><u>Sell Without Specific Authorization</u>:</strong> To sell consumer health data (defined as “the exchange of consumer health data for monetary or other valuable consideration”), a Regulated Entity must obtain prior written authorization (separate from any other consent or terms). This authorization must include the: (i) data elements that will be sold; (ii) name and contact information for the selling <em>and </em>purchasing entities; (iii) purpose of the sale; and (iv) disclaimers that the provision of goods or services is not conditioned on the authorization. <strong><em>Significantly, the authorization can be revoked at any time and has an expiration date of one year, meaning entities will need to obtain consent annually.</em></strong> A Regulated Entity that sells consumer health data must also provide a copy of the written authorization to the consumer who signed it and to the purchaser of the consumer health data.</li>
</ul>
<ul>
<li><strong><u>Implement a Geofence Around Healthcare Facilities</u>:</strong> Regulated entities are prohibited from implementing a geofence within 1,750 feet around any facility that provides in-person healthcare services if the geofence is used to identify, track, market to, or otherwise profile consumers. Note that, in Washington State, this provision came into effect on July 23, 2023, for all Regulated Entities.</li>
</ul>
<p><strong>Enforcement</strong></p>
<p>The My Health My Data Act is the first state data privacy law to provide consumers with a private right of action for alleged violations related specifically to their consumer health data. In addition to the private right of action, the Washington State Attorney General may also bring an action against the company for alleged violations. Violations of the law are considered an “unfair or deceptive act in trade or commerce and an unfair method of competition” under the Washington Consumer Protection Act, which imposes civil penalties of up to $7,500 per violation, up to $25,000 in treble damages at the sole discretion of the court, and injunctive relief. For consumers who bring a direct action against a company, the law permits private litigants to recover (i) actual damages sustained by the consumer; (ii) treble damages, which are capped at $25,000 for violations of RCW Chapter 19.86; and (iii) reasonable attorney’s fees.</p>
<p>By contrast, Nevada’s Health Data Privacy Law will be enforced exclusively by the Nevada Attorney General, similar to other state data privacy laws. Violations of the law similarly constitute a deceptive trade practice, which can result in civil penalties of up to $10,000 per violation and injunctive relief.</p>
<p><strong>Takeaways</strong></p>
<p>One of the primary drivers of the My Health My Data law was to address a common critique of HIPAA — its limited applicability to certain entities. Indeed, the Washington State legislature notes that HIPAA “only covers health data collected by specific health care entities, including most health care providers. Health data collected by noncovered entities, including certain apps and websites, are not afforded the same protections.” As a result, the expansive definition of “consumer health data” seeks to bridge the gap by imposing requirements on the collection, use, and sale of consumer health data on businesses not subject to traditional healthcare regulation.</p>
<p>Moreover, with the passage of Nevada’s Health Data Privacy Law, we are beginning to see a new privacy patchwork developing with other states considering similar legislation for protecting their residents’ consumer health data. For example, <a href="https://www.globalprivacyblog.com/legislative-regulatory-developments/connecticut-passes-significant-amendments-to-the-connecticut-data-privacy-act/">Connecticut recently passed an amendment</a> to its existing state privacy law that also seeks to regulate consumer health data. Companies that conduct business in Washington State, Nevada, and other states with similar laws should closely evaluate whether they are subject to these laws and, if so, assess their privacy compliance programs to determine which additional steps may be needed to comply.</p>

<p><strong>Endnote</strong></p>
<hr class="wp-block-separator has-alpha-channel-opacity">
<p><a href="#_ednref1" id="_edn1">[1]</a> Oregon’s privacy law provides non-profits with an additional year to comply. Delaware’s privacy law, HB 164, also does not exempt non-profits, with some limited exceptions. At the time of writing, HB 164 has been passed by the Delaware legislature and is awaiting action by the governor.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Hong Kong Issues Guidance on Data Breach Handling and Notifications</title>
		<link>https://www.globalprivacyblog.com/security/hong-kong-issues-guidance-on-data-breach-handling-and-notifications/</link>
		
		<dc:creator><![CDATA[<a href=''>Latham &amp; Watkins</a>]]></dc:creator>
		<pubDate>Thu, 20 Jul 2023 11:20:49 +0000</pubDate>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Hong Kong]]></category>
		<category><![CDATA[PCPD]]></category>
		<guid isPermaLink="false">https://www.globalprivacyblog.com/?p=2561</guid>

					<description><![CDATA[<p>The guidance encourages organisations to formulate a data breach response plan, and outlines recommendations for handling an increasing number of data breach incidents. By Kieran Donovan and Jacqueline Van On 30 June 2023, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued revised guidance titled “Guidance on Data Breach Handling...… <a class="read_more" href="https://www.globalprivacyblog.com/security/hong-kong-issues-guidance-on-data-breach-handling-and-notifications/">Continue Reading</a></p>]]></description>
										<content:encoded><![CDATA[<p><strong><em>The guidance encourages organisations to formulate a data breach response plan, and outlines recommendations for handling an increasing number of data breach incidents.</em></strong></p>
<p>By <a href="https://www.lw.com/en/people/kieran-donovan" target="_blank" rel="noreferrer noopener">Kieran Donovan</a> and <a href="https://www.lw.com/en/people/jacqueline-van" target="_blank" rel="noreferrer noopener">Jacqueline Van</a></p>
<p>On 30 June 2023, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued revised guidance titled “<a href="https://www.pcpd.org.hk/english/resources_centre/publications/files/guidance_note_dbn_e.pdf" target="_blank" rel="noreferrer noopener">Guidance on Data Breach Handling And Data Breach Notifications</a>” (the Guidance Note). While the Guidance Note broadly aligns with the last update in January 2019 (the 2019 Guidance), it also contains further details and recommendations to organisations on how to respond to data breaches.</p>
<p>The PCPD published the Guidance Note following a surge in reported data breach incidents, which have increased by more than 20% in the first half of this year compared to the second half of 2022.</p>
<p><strong>Requirements Under the PDPO</strong></p>
<p>The Guidance Note reminds organisations that data breaches (i.e., security incidents that expose personal data to the risk of unauthorised or accidental access, processing, erasure, loss, or use) may amount to a contravention of Data Protection Principle (DPP) 4 contained in Schedule 1 to the Personal Data (Privacy) Ordinance (Chapter 486) of Hong Kong (the PDPO). While contravention of a DPP is not in itself an offence, it may lead to an investigation and issuance of an enforcement notice by the PCPD. Non-compliance with an enforcement notice is a criminal offence under the PDPO.</p>
<p>DPP 4(1) requires data users to take reasonably practicable steps to safeguard personal data (with regard to various factors, including the type of data and potential harm, physical location where data is stored, and measures implemented to the equipment, access rights, and transmission). A data breach may also indicate a contravention of DPP 4(2), which requires data users to adopt contractual or other means when engaging data processors, to prevent unauthorised or accidental processing of data by data processors.</p>
<p>Organisations should note that the PCPD periodically conducts investigations of data breaches and may issue enforcement notices to data users who fail to adequately protect the security of their personal data. These enforcement notices may require data users to take remediation measures such as engaging an independent data security expert to review and audit security systems, conducting regular vulnerability scans, or organising periodic staff training on information security, and to provide evidence of compliance to the PCPD.</p>
<p>For more information on the PCPD’s increased monitoring and compliance actions during 2021-22, including in relation to data breach incidents, please refer to this Latham <a href="https://www.globalprivacyblog.com/privacy/takeaways-from-hong-kong-pcpds-2021-22-annual-report/" target="_blank" rel="noreferrer noopener">blog post</a>.</p>
<p><strong>Common Causes of Data Breaches</strong></p>
<p>The Guidance Note identifies the common causes of data breaches in Hong Kong:</p>
<ul>
<li><strong>Cyberattacks</strong>: This includes ransomware, brute force attacks, distributed denial-of-service attacks, or phishing. Please also refer to this Latham <a href="https://www.globalprivacyblog.com/security/hong-kong-privacy-regulator-highlights-data-security-guidance-as-cyberattacks-increase/" target="_blank" rel="noreferrer noopener">blog post</a> summarising the PCPD’s recent guidelines on data security amid increased cyberattacks.</li>
<li><strong>System misconfigurations and administration errors</strong>: Examples include unauthorised access to personal data where data systems allow access without authentication or without checking access rights.</li>
<li><strong>Loss of physical documents or portable devices</strong>: Data processors contracted to handle personal data on a data user’s behalf may also inadvertently cause data loss.</li>
<li><strong>Improper/wrongful disposal of personal data</strong>: This includes accidental or improper disposal of data without adhering to organisational policies on document destruction.</li>
<li><strong>Inadvertent disclosure by email or by post</strong>: Sharing of files or documents to unintended recipients may result in unauthorised disclosure of personal data.</li>
<li><strong>Staff negligence/misconduct</strong>: Staff with valid access rights might mishandle personal data purposely, accidentally, and/or maliciously.</li>
</ul>
<p>These common causes did not appear in the older 2019 Guidance, and are a reflection of the trends the PCPD has recently identified in Hong Kong. Organisations should therefore consider these causes when preparing and implementing security measures and policies, in order to mitigate the risk of them occurring.</p>
<p><strong>Data Breach Response Plan</strong></p>
<p>The PCPD recommends that organisations maintain a comprehensive data breach response plan that outlines procedures to follow in the event of a data breach. Notably, this is a new recommendation that was not contained in the 2019 Guidance.</p>
<p>The response plan should contain at least the following elements:</p>
<ul>
<li>a description of what constitutes a data breach and when the response plan will be triggered;</li>
<li>an internal notification procedure to escalate the breach to senior management, the data protection officer, and/or dedicated data breach response team, and a standard form for such notification;</li>
<li>a designation of the roles and responsibilities of the breach response team. The PCPD suggests that this team may comprise the data protection officer, as well as members of the IT department, customer service department, risk management department, and HR department;</li>
<li>a contact list of the members of the breach response team;</li>
<li>a risk assessment workflow and investigation procedure to assess the likelihood and severity of harm caused to data subjects;</li>
<li>a containment strategy to mitigate the effects of the breach;</li>
<li>a communication plan covering the criteria and threshold for informing data subjects and the regulatory authorities;</li>
<li>a record-keeping policy to ensure that the incident is properly documented as may be required by regulatory or law enforcement agencies;</li>
<li>a post-incident review mechanism to identify areas that require improvement to prevent future recurrence; and</li>
<li>a training or drill plan to ensure all relevant staff can properly follow procedures when responding to data breaches.</li>
</ul>
<p><strong>Recommended Steps When Handling Data Breaches</strong></p>
<p>The Guidance Note also provides step-by-step recommendations to organisations when handling data breaches:</p>
<ol type="1">
<li><strong>Immediately gather essential information</strong>: Organisations should promptly gather all relevant information of the data breach to assess the impact on data subjects and identify appropriate mitigation measures. This step includes identifying when, where, and how the breach occurred, the likely impact of the breach, and considering escalating the incident to the relevant or dedicated personnel in line with procedures in the data breach response plan.</li>
<li><strong>Contain the data breach</strong>: Organisations should immediately take remedial actions to contain and mitigate the effects of the breach. The appropriate containment measures may depend on the categories of personal data involved and severity of the breach.</li>
<li><strong>Assess the risk of harm</strong>: Organisations should evaluate the impact of the data breach on affected individuals, considering factors such as (but not limited to) the nature of the data affected, the duration and extent of the breach, and the effectiveness of remedial measures.</li>
<li><strong>Consider making data breach notifications</strong>: The PCPD recommends that organisations notify the PCPD and affected data subjects as soon as practicable upon becoming aware of the data breach, particularly if it is likely to result in a real risk of harm to the affected data subjects. As a reminder, organisations may also be subject to other regulatory requirements, or may trigger notification obligations in other jurisdictions.</li>
<li><strong>Document the breach</strong>: Organisations should create a comprehensive record of the breach to facilitate a post-breach review. The review should help organisations learn from the breach, identify the root problem, devise a clear strategy to prevent future recurrence of similar incidents, and improve data handling practices going forward. Organisations should also consider whether they are subject to any mandatory documentation requirements under applicable laws.</li>
</ol>
<p><strong>Data Breach Notifications</strong></p>
<p>The Guidance Note reiterates that organisations should follow best practice by formally notifying the PCPD, affected data subjects, and any other relevant parties (such as law enforcement agencies, other regulators, and parties that may take remedial actions) as soon as practicable after becoming aware of a data breach.</p>
<p>The PCPD has in parallel launched an electronic <a href="https://www.pcpd.org.hk/english/enforcement/data_breach_notification/dbn.html" target="_blank" rel="noreferrer noopener">notification form</a> by which it can be notified of data breach incidents. This tool contrasts with the previous approach, which required organisations to download a paper form from the PCPD website and submit it by post, in person, by fax, or by email. The electronic form will enable organisations to report breaches to the PCPD in a more convenient and timely manner.</p>
<p>While failure to report data breaches to the PCPD or affected data subjects is currently not an offence, the PCPD has announced that it will be working to initiate legislative proposals to amend the PDPO, which will include establishing a mandatory notification mechanism. While the timeline of the amendments is unclear, organisations can expect more concrete proposals from the PCPD.</p>
<p><strong>Conclusion</strong></p>
<p>The Guidance Note is a helpful reminder for organisations to implement an effective data breach handling policy and plan, and to comply with the requirements of the PDPO. The increase in data breach incidents, the PCPD’s continued reporting and scrutiny of data security issues, and the proposed amendments to the PDPO for a compulsory data breach reporting regime are encouraging organisations to formulate or review their data security and data breach procedures and practices as a matter of priority.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Employee Data Increasingly in the Crosshairs of Data Privacy Enforcement</title>
		<link>https://www.globalprivacyblog.com/privacy/employee-data-increasingly-in-the-crosshairs-of-data-privacy-enforcement/</link>
		
		<dc:creator><![CDATA[<a href=''>Latham &amp; Watkins</a>]]></dc:creator>
		<pubDate>Thu, 20 Jul 2023 08:38:24 +0000</pubDate>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[California Consumer Privacy Act]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[employee data]]></category>
		<category><![CDATA[US]]></category>
		<guid isPermaLink="false">https://www.globalprivacyblog.com/?p=2551</guid>

					<description><![CDATA[<p>The California Attorney General’s investigative sweep is a potential harbinger of increased focus on employers’ data privacy compliance with respect to employee data. By Robert Blamires, Michael H. Rubin, Joseph C. Hansen, and Kathryn Parsons-Reponte On July 14, 2023, the California Attorney General announced an investigative sweep targeting large California employers, focusing on employers’ compliance...… <a class="read_more" href="https://www.globalprivacyblog.com/privacy/employee-data-increasingly-in-the-crosshairs-of-data-privacy-enforcement/">Continue Reading</a></p>]]></description>
										<content:encoded><![CDATA[<p><strong><em>The California Attorney General’s investigative sweep is a potential harbinger of increased focus on employers’ data privacy compliance with respect to employee data.</em></strong></p>
<p>By <a href="https://www.lw.com/en/people/robert-blamires">Robert Blamires</a>, <a href="https://www.lw.com/en/people/michael-rubin">Michael H. Rubin</a>, <a href="https://www.lw.com/en/people/joseph-hansen">Joseph C. Hansen</a>, and <a href="https://www.lw.com/en/people/kathryn-parsons-reponte">Kathryn Parsons-Reponte</a></p>
<p>On July 14, 2023, the California Attorney General <a href="https://oag.ca.gov/news/press-releases/attorney-general-bonta-seeks-information-california-employers-compliance">announced</a> an investigative sweep targeting large California employers, focusing on employers’ compliance with the California Consumer Privacy Act’s (CCPA’s) recently expanded coverage of employees and job candidates. The announcement follows the expiration of a prior exemption for personnel and business to business (B2B) data under the CCPA (for more information, see this Latham <a href="https://www.globalprivacyblog.com/legislative-regulatory-developments/ccpa-will-now-fully-regulate-personnel-and-b2b-information/">blog post</a>).</p>
<p>Since the expiration of the exemption at the start of 2023, the CCPA has applied to personal information about California residents collected, processed, and disclosed in the employment or B2B context. This application is a unique aspect of the CCPA, as other US state general data privacy laws do not regulate information collected in B2B or employment contexts (see, for example, Latham’s blog posts on laws in <a href="https://www.globalprivacyblog.com/legislative-regulatory-developments/florida-digital-bill-of-rights-adds-to-the-growing-us-state-privacy-network/">Florida</a>, <a href="https://www.globalprivacyblog.com/legislative-regulatory-developments/texas-passes-onerous-data-privacy-law/">Texas</a>, and <a href="https://www.globalprivacyblog.com/legislative-regulatory-developments/and-now-there-are-six-iowa-passes-new-privacy-law/">Iowa</a>). The California Attorney General’s announcement is therefore a significant warning to businesses: they should ensure they are accounting for this California-specific requirement.</p>
<p>Several current US data privacy laws regulate the handling of employee data in specific contexts. For example, in New York State, the monitoring of employees’ internet usage and communications requires employers to comply with certain notice obligations. A New York law also recently went into effect regulating the use of artificial intelligence and other automated tools to make employment decisions — an issue that is also under consideration in California and other jurisdictions.</p>
<p>In addition, several preexisting US privacy laws apply in circumstances that can reach to the employment context, including:</p>
<ul>
<li>the Fair Credit Reporting Act relating to the use of credit reports, including by employers doing background checks;</li>
<li>the Health Insurance Portability and Accountability Act relating to the handling of protected health information, including by employers that self-fund their employee health plan; and</li>
<li>state biometric privacy laws (in particular the Illinois Biometric Information Privacy Act), which relate to the handling of biometric information, including by employers (e.g., those using biometric timekeeping or identification technology).</li>
</ul>
<p>Outside of the US, laws such as the EU General Data Protection Regulation (GDPR) generally regulate personal information about any individual — whether they are a consumer, employee, business contact, or otherwise.</p>
<p>However, the CCPA is currently the only US state general data privacy law to encompass personal information in the employee and B2B contexts. The California Privacy Protection Agency is <a href="https://cppa.ca.gov/meetings/materials/20230515_item7.pdf">considering</a> whether to issue further regulations related to employee and B2B data, but to date the agency has identified this as a “hard” area that “[r]equires substantial research and pre-rulemaking activities” and has not yet previewed any draft regulations. The California Attorney General’s announcement prior to any further rulemaking on these topics signals a specific interest in assessing the extent to which covered businesses are complying with this change in the law. The investigative sweep may herald CCPA enforcement against companies that have not yet updated their policies and practices, and even against B2B companies that do not handle any consumer data. The announcement is particularly significant given the complexities in this area, alongside the recent change in the CCPA to remove a mandatory notice-and-cure period. It may also incentivize other states to extend their privacy laws to cover employee data.</p>
<p>Businesses subject to the CCPA should therefore continue to ensure they are taking appropriate steps to manage personal information of California residents processed in the employee and B2B contexts.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
