11th Annual Privacy Papers for Policymakers — Call for Nominations
The Future of Privacy Forum (FPF) invites privacy scholars and authors with an interest in privacy issues to nominate finished papers for consideration for FPF’s annual Privacy Papers for Policymakers Award.
PURPOSE
To recognize the year’s leading privacy research and analytical work that is relevant to policymakers in the United States Congress, at U.S. federal agencies, and data protection authorities internationally.
To highlight important work that analyzes current and emerging privacy issues and proposes achievable short-term solutions or new means of analysis that could lead to real-world policy solutions.
To showcase the winning authors and summaries of their work in an annual Privacy Papers for Policymakers Digest, to be distributed to a wide range of U.S. and international policymakers.
DEADLINE
Please submit nominations on or before September 25, 2020.
Full paper (pdf, .doc, or .docx) or link to a publicly available download (e.g. SSRN).
1-page Executive Summary or Abstract (pdf, .doc, or .docx)
For each Author: name; email; phone number; mailing address; and full job title or affiliation
Note: authors of selected papers will be asked for a headshot and 75-250 word biography.
Papers must have been completed, accepted for publication, scheduled for publication, or published in the last 12 months.
Papers must be privacy-focused, or closely related to privacy, and applicable to policymakers working in privacy.
We welcome academic papers, book chapters, empirical research, or other longer-form analysis.
Authors are encouraged to submit their own work, and/or may be nominated by others. There is no limit to the number of nominations.
REVIEW PROCESS
Submissions are evaluated on: (1) originality; (2) applicability to policymaking; and (3) overall quality of writing.
Submissions will receive an initial ranking from a broad range of privacy field experts, including academics, privacy advocates, and Chief Privacy Officers on FPF’s Advisory Board.
A panel of Judges will select winners to receive Future of Privacy’s 11th Annual Privacy Papers for Policymakers
AWARDS EVENT
The Future of Privacy Forum will invite winning authors to present their work at an annual event with top policymakers and privacy leaders in the Spring of 2021 (date TBD). FPF will also publish a digest of the summaries of the winning papers for distribution to policymakers in the U.S. and abroad.
California SB 980 Would Codify Many of FPF’s Best Practices for Consumer Genetic Testing Services, but Key Differences Remain
Authors: John Verdi (Vice President of Policy) and Katelyn Ringrose (Christopher Wolf Diversity Law Fellow)
In July 2018, the Future of Privacy Forum released Privacy Best Practices for Consumer Genetic Testing Services. FPF developed the Best Practices following consultation with technical experts, regulators, leading consumer genetic and personal genomic testing companies, and civil society. The FPF Best Practices include strict standards for the use and sharing of genetic information generated in the consumer context. Companies that pledged to follow the guidelines, including Ancestry, 23andMe, and Helix, promised to:
provide safeguards for how genetic information is collected, used, shared, and retained;
implement consent requirements for the initial collection and certain subsequent disclosures of genetic information;
guarantee consumer rights to access, correction, and deletion;
ban sharing genetic information absent consent or legal process; and
implement strong data security protections and privacy by design principles.
California lawmakers are currently considering SB 980 (the “Genetic Information Privacy Act”). SB 980 would establish obligations for direct-to-consumer genetic testing companies and others that collect or process genetic information. If passed by the legislature and approved by the Governor, the bill would become effective on January 1, 2021.
Many of SB 980’s provisions align closely with FPF’s Best Practices, including the bill’s emphasis on consumers’ rights to notice, choice, and transparency. Leading direct-to-consumer genetic testing companies are already obliged to follow the Best Practices, as they have made public commitments that are enforceable by the Federal Trade Commission and state Attorneys General. SB 980’s provisions would extend these requirements to all covered entities that do business in California.
Some of SB 980’s provisions diverge from the FPF Best Practices. For example, FPF’s Best Practices and SB 980 both require companies to obtain opt-in consent before they use DNA test results for marketing, but proposed amendments to SB 980 would further require companies to provide consumers with an opportunity to opt out of contextual marketing – ads placed on web pages and apps based on page content rather than sensitive personal information. SB 980’s treatment of contextual advertising is also inconsistent with the California Privacy Rights Act of 2020 (CPRA) – the comprehensive privacy ballot initiative that would govern the use of much sensitive health data and would not require companies to provide an opt-out for non-personalized, contextual advertising. In addition, SB 980 diverges from FPF’s Best Practices regarding government access to DNA information, with SB 980 preserving an option for companies to voluntarily provide genetic data to law enforcement in the absence of a court order or consumer consent; FPF’s Best Practices would prohibit such disclosures in most cases.
Below, we analyze SB 980’s approach to: (1) consent; (2) marketing; (3) privacy policies; (4) research; and (5) penalties and enforcement. We also examine (6) several other federal and state laws that currently regulate genetic privacy.
Consent for Genetic Data //
FPF’s Best Practices and SB 980 take similar approaches – requiring different methods of consent (express opt-in vs. opt-out), depending on the sensitivity and uses of the data. Both SB 980 and the Best Practices emphasize express, affirmative consent as a baseline requirement for collecting genetic information. They each require that companies provide opt-out consent mechanisms for consumers regarding use of non-genetic information, such as purchase histories or web browsing information.
FPF’s Best Practices require initial express consent for genetic information collection, as well as separate express consent for the use of genetic material outside of the initial scope of collection. Secondary express consent is also required before a company engages in the onward transfer of individual-level information or the use of genetic information for incompatible or materially different secondary uses. Companies are also required to provide additional consent measures for consumers or organizations that submit genetic information on behalf of others. In a similar vein, SB 980 would require prior authorization from consumers for the initial collection of their genetic information and separate authorization for each subsequent disclosure.
FPF’s Best Practices define express consent as a consumer’s statement or clear affirmative action in response to a clear, meaningful, and prominent notice, while encouraging companies to use flexible consent mechanisms that are effective within the context of the service, in-app or in-browser experience, and relationship between the company and individual.
Marketing //
The FPF Best Practices and SB 980 differ in their approach to consent for marketing and advertising purposes, including marketing on the basis of non-genetic information. The Best Practices prohibit companies from marketing to consumers on the basis of their genetic information, unless the consumer provides separate express consent for such marketing or marketing is clearly described in the initial express consent as a primary function of the product or service. Marketing to a consumer on the basis of their purchase history is permitted if the consumer is provided the option to opt out of such marketing. Marketing to anyone under the age of 18 is prohibited.
The Best Practices do not require companies to obtain opt-in consent or provide an opt-out for “customized content or offers by the company on its own websites and services.” This provision is intended to permit 1) contextual advertising (i.e., advertising that is tailored to the other content on a particular page on a website, rather than targeted to a particular user); and 2) first-party offers displayed to users on the basis of information within the same platform, such as when a logged-in user receives an email offer based on information they viewed on the company’s own website while logged in. This approach aligns with leading privacy norms, including the approach taken by the Department of Health and Human Services in interpreting the Health Insurance Portability and Accountability Act (HIPAA), which exempts certain first-party communications related to treatment and health-related products from its definition of “marketing.” It is also consistent with the California Privacy Rights Act of 2020 (CPRA), the privacy ballot initiative that would establish rights to opt out of the sale and uses of sensitive health data and would codify a narrow exemption for non-personalized, contextual advertising.
Like FPF’s Best Practices, SB 980 also requires companies to obtain opt-in consent before marketing based on a consumer’s genetic data. A recent amendment would align SB 980’s and FPF’s approaches to marketing based on purchase history, requiring provision of an opt-out. However, a related SB 980 amendment would require companies to provide users with mechanisms to opt out of contextual advertising. This approach would be inconsistent with most leading norms, including HIPAA and the California Privacy Rights Act. This is because, in contrast to targeted or behavioral advertising, contextual advertising is not typically viewed as implicating significant privacy risks. Indeed, privacy advocates have cited contextual advertising as a privacy-protective model that displays marketing messages on web pages based on the content of the page, not information about an individual.
Privacy Policies //
FPF’s Best Practices require companies to furnish privacy notices that are prominent, publicly accessible, and easy to read. The Best Practices require companies to include certain information within their policies, including standards regarding: data collection, consent, use, onward transfer, access, security, and retention/deletion practices. Furthermore, the Best Practices note that “a high-level overview of the key principles should be provided preceding the full privacy policy.” The overview should take the form of a short document or statement that provides basic, essential information, including whether the privacy policy for genetic information is different from that for other data (e.g. registration data, browsing tracking via cookies or the website, and/or personal information).
Similarly, SB 980 would require all direct-to-consumer genetic or illness testing services companies to provide consumers with “clear and complete information regarding the company’s policies and procedures for the collection, use, and disclosure, of genetic data” through “a summary of its privacy practices, written in plain language” and “a prominent and easily accessible privacy notice.”
Research //
FPF’s Best Practices encourage the socially beneficial use of genetic information in research while providing strong privacy protections. This nuanced approach strikes a careful balance between the societal benefits of genetic research and individuals’ privacy interests. The Best Practices require companies to obtain informed consent before using identifiable data for research, and promote research on strongly deidentified datasets. The Best Practices also require companies to engage in consumer education and make resources available regarding the implications and consequences of research.
The consumer genetic and personal genomic testing industry produces an unprecedented amount of genetic information, which in turn gives the research community the ability to analyze large and diverse genetic datasets. Genetic research enables scientists to better understand the role of genetic variation in our ancestry, health, well-being, and more. In recognition of the role of big data in corporate research and the difficulty of obtaining individual consent (see Omer Tene and Jules Polonetsky’s “Beyond IRBs: Ethical Guidelines for Data Research,” identifying the regulatory gaps between federally funded human subject research and corporate research), the Best Practices recognize the important role of Institutional Review Boards (IRBs) and ethical review processes.
FPF’s Best Practices also provide incentives for researchers and others to deidentify genetic data when practical. Deidentification of genetic information is an incredibly complex issue (see FPF and Privacy Analytics’s “A Practical Path Toward Genetic Privacy”), and the risk of reidentification of genetic data can be limited by rigorous technical, legal, and organizational controls.
SB 980 also requires informed consent before using data for research, “in compliance with the federal policy for the protection of human research subjects” — effectively the same standard as the FPF Best Practices. Similarly, SB 980 also promotes strong deidentification of data, meaning data that “cannot be used to infer information about, or otherwise be linked to, a particular identifiable individual,” provided it is also subject to public commitments and contractual obligations to not make attempts to reidentify the data.
Penalties and Enforcement //
Companies that have publicly committed to comply with FPF’s Best Practices are subject to enforcement by the Federal Trade Commission (FTC) under the agency’s Section 5 authority to prohibit deceptive trade practices. State Attorneys General and other authorities have similar powers to bring enforcement actions against companies that violate broadly applicable consumer protection laws.
SB 980 includes a tiered penalty structure, with negligent violations of the act subject to civil penalties not to exceed one thousand dollars ($1,000) and willful violations between $1,000 and $10,000 plus court costs. Penalties for willful violations would be paid to the individual to whom the genetic information pertains. Penalties could add up quickly – they are calculated on a per-violation, per-consumer basis. Earlier versions of SB 980 included criminal penalties; the bill sponsors recently removed criminal liability in favor of a higher civil penalty, raising the maximum fine from $5,000 to $10,000.
Other Federal and State Laws //
In the United States, a growing number of sectoral laws are applicable to companies that process genetic information. The federal Genetic Information Nondiscrimination Act (GINA) prevents genetic discrimination in health insurance and employment, but GINA does not prohibit discrimination in life insurance, disability, or long-term care insurance, nor does it provide general privacy protections or limits on law enforcement uses. In an attempt to close regulatory gaps, several states have enacted legislation around law enforcement access to genetic information and discriminatory practices on the part of life insurance organizations.
Key state laws governing genetic information include:
Alaska’s Genetic Privacy Act (2004), which regulates access, retention, and disclosure of genetic information without the “informed and written consent” of the consumer; recognizes that both the genetic information and the DNA samples collected are the property of the consumer; and provides for both civil and criminal penalties for violations of genetic privacy rights. Alaska’s law does not require valid legal process (such as a court order) for law enforcement access to genetic information.
Florida’s House Bill 1189, Genetic Information for Insurance Purposes (passed and awaiting the Governor’s approval as of March 2020), would bar life, disability and long-term care insurance companies from using consumer genetic test results for coverage purposes.
Nevada’s comprehensive Genetic Information Act (2013) prohibits the collection, retention, or disclosure of genetic information without prior consent from the individual; requires law enforcement to obtain a court order prior to accessing genetic information; provides consumers the right to inspect and obtain genetic records; requires entities holding genetic information to destroy that information if consent is withdrawn; and provides criminal penalties and a private right of action for violations of the law.
Conclusion //
Genetic and personal genomic tests increase consumers’ access to and control of their genetic information; empower consumers to learn more about their biology and take a proactive role in their health, wellness, ancestry, and lifestyle; and enhance biomedical research efforts. The consumer genetic and personal genomic testing industry is producing an unprecedented amount of genetic information, which gives the research community the ability to analyze a significantly larger and more diverse range of genetic data to observe and discover new patterns and connections. Access to genetic information enables researchers to gain a better understanding of the role of genetic variation in our ancestry, health, well-being, and much more. While genetic information offers incredible benefits, it is also sensitive information that warrants a high standard of privacy protection.
FPF’s Best Practices provide a model for strong privacy safeguards with detailed provisions that support clinical research and public health. Key portions of California SB 980 are consistent with the Best Practices, and would require all companies to provide consumers with important transparency, choice, and security safeguards. Several SB 980 amendments and provisions diverge from the Best Practices in important ways, including how the bill would treat contextual advertising and government access to data.
Change Could be Soon Coming to the FTC, the Lead U.S. Agency on Privacy
The U.S. Presidential election is almost upon us, and it could have a big impact on the future of the Federal Trade Commission (FTC), the de facto national privacy regulator and law enforcer. The FTC lineup has been steady since 2018 but that could soon change – no matter who wins the election.
Prior to the appointment of the five current Commissioners, the FTC had only two serving. This happened because new Commissioners were not appointed by the President and confirmed by the Senate as they finished their terms and departed. Though all five current FTC Commissioners were appointed in 2018, their terms in office end years apart.
FTC Commissioners’ Terms
Commissioners serve seven-year terms, with appointment and expiration dates set on a staggered schedule. The FTC Act has been interpreted to mean that Commissioners’ seven-year terms run “with the seat,” so that the term expires on the scheduled date, regardless of when the Commissioner was appointed, confirmed, and sworn in. If a Commissioner’s replacement is not appointed at the end of their term, they may stay on until their replacement is seated. This is currently the case with Commissioner Chopra, whose term ended in September 2019.
Commissioners can be re-appointed. Sometimes they leave before the end of their term.
Commission Chairs often leave when there is a change in Presidential Administration. If FTC Chairman Joe Simons chose to step down, his vacancy could be filled by a new Chair, or a non-Chair Commissioner could be appointed and a sitting Commissioner elevated to Chair.
Nominating New Commissioners
Two of the five Commissioners must not be from the President’s political party. It’s typical for the Administration and Senate leaders to agree to “pair” appointees from each party when there is more than one vacancy in order to ease Senate confirmation. That would be unlikely in a new Democratic administration because there would not be a Republican vacancy unless more than one sitting Republican vacated their seats. But “pairing” can happen across agencies, with Senate leaders of each party agreeing to move the nominations they support as part of complicated bi-partisan agreements.
Although the current Commissioners reflect a range of ideological perspectives, the agency has generally been fortunate to be led by appointees recognized for their professionalism, integrity, policy smarts, and ability to collaborate across party lines – traits that will be valued in their eventual successors as well.
The European Commission Considers Amending the General Data Protection Regulation to Make Digital Age of Consent Consistent
The European Commission published a Communication on its mandated two-year evaluation of the General Data Protection Regulation (GDPR) on June 24, 2020, in which it discusses as a future policy development “the possible harmonisation of the age of children consent in relation to information society services.” Notably, harmonizing the age of consent for children across the European Union is one of only two areas in the GDPR that the Commission is considering amending after further review of practice and case-law. Currently, the GDPR allows individual Member States some flexibility in determining the national age of digital consent for children, between the ages of 13 and 16. However, upon the two-year review, the Commission expressed concerns that the variation in ages across the EU results in a level of uncertainty for information society services – any economic activities taking place online – and may hamper “cross-border business, innovation, in particular as regards new technological developments and cybersecurity solutions.”
“For the effective functioning of the internal market and to avoid unnecessary burden on companies, it is also essential that national legislation does not go beyond the margins set by the GDPR or introduces additional requirements when there is no margin,” stated the Commission in its report. Some believe stringent child privacy requirements can push companies to abandon the development of online services for children to avoid legal risks and technical burdens, which creates a void for companies from countries with lax child privacy protections. In addition to the GDPR’s varying ages of digital consent, there are also differing interpretations of the obligations on information society services regarding children. For example, the United Kingdom’s proposed Age Appropriate Design Code defines a child as a person under the age of 18 and lays out additional requirements for information society services to build in privacy by design to better protect children online.
Prior to the GDPR, European data protection law did not include special protections for children, instead providing the same privacy protections across all age groups. The GDPR recognized that children are particularly vulnerable to harm and exploitation online and included provisions extending a higher level of protection to children. However, a universal consensus on the age of a child does not exist, and the flexibility provided by the GDPR creates a fragmented landscape of ages requiring parental consent across the EU. While complying with different ages of consent is relatively straightforward in the physical world, where activities are generally limited within national boundaries, the lack of consistency of ages is a significant barrier for companies given the nature of online services operating across states. Information society service providers are obliged to verify the age of a user and their nationality, and to confirm the age of consent for children in that Member State, prior to allowing access to their services. This burden may pose a competitive disadvantage for companies operating in the EU or result in measures depriving children and teens of the benefits of using these services, as companies choose either to invest significant resources in age verification and parental consent mechanisms or to abandon the market for children and age-gate their services instead.
The Commission also initiated a pilot project to create an infrastructure for implementing child rights and protection mechanisms online, which is scheduled to commence on January 1, 2021. The project aims to map existing age-verification and parental consent mechanisms both in the EU and abroad and assess the comprehensive mapping results to create “an interoperable infrastructure for child online protection including in particular age-verification and obtaining parental consent of users of video-sharing platforms or other online services.”
Currently, Member States require or recommend varying age verification and parental consent mechanisms. In addition to the UK’s Age Appropriate Design Code, the German youth protection law requires businesses to use scheduling restrictions to ensure that content harmful to children is not available during the day when children are online; to use technical methods to keep children from accessing inappropriate content, such as sending adults a PIN after age verification; or to use age labeling that youth protection software, downloaded by parents on their children’s devices, can read. However, the efficacy of these methods is unclear and unproven. As such, a sweeping review of existing methods may reveal best practices to be widely adopted within the EU and serve as a model for other countries, including the United States.
A new playbook from the Future of Privacy Forum (FPF) and BrightHive, Responsible Data Use Playbook for Digital Contact Tracing, provides a series of considerations to assist stakeholders in setting up a digital contact tracing initiative to track and manage the spread of COVID-19, while addressing privacy concerns raised by these technologies in an ethical, responsible manner.
“Digital contact tracing technologies will play an instrumental role in localities’ responses to the COVID-19 pandemic, but these technologies – if designed, developed, and deployed without thoughtful planning – can raise privacy concerns and elevate disparities,” said FPF CEO Jules Polonetsky. “Contact tracing initiatives should take a measured approach to location tracking, data sharing, purpose limitations and proportionality. If deployed hastily, these technologies risk exacerbating existing societal inequalities, including racial, socioeconomic, and digital divides.”
As COVID-19 continues to spread through communities across the United States and abroad, public health officials are turning to digital contact tracing technologies (DCTT) as a means of tracking cases, identifying sources of transmission, and informing people who may have been exposed in order to prevent further transmission. For contact tracing to be effective, however, people must share sensitive personal information on their whereabouts or with whom they have been in close proximity so that their connections or locations can be mapped and tracked, raising ethical and privacy concerns.
“This playbook is intended to support coalitions, including public health agencies and application developers, in designing and implementing a digital contact tracing initiative,” said Natalie Evans Harris, Head of Strategic Initiatives at BrightHive. “The playbook provides a series of considerations that purposefully address privacy concerns and support the development of ethical and responsible digital contact tracing protocols.”
The playbook walks stakeholders interested in setting up a digital contact tracing initiative through a checklist of actions, from coalition-building in support of the initiative to implementation across the lifecycle of the initiative. To learn more, read the playbook.
About FPF
The Future of Privacy Forum (FPF) is a non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting fpf.org.
About BrightHive
BrightHive helps organizations, networks, and communities securely and responsibly link their data to enhance their impact, empower individual and collective decision making, and increase equity of opportunity. Learn more by visiting brighthive.io.
FPF Welcomes New Members to the Youth & Education Privacy Project
We are thrilled to announce two new members of FPF’s Youth & Education Privacy team. The new staff – Juliana Cotto and Dr. Carrie Klein – will help expand FPF’s technical assistance and training, resource creation and distribution, and state and federal legislative tracking.
You can read more about Juliana and Carrie below. Please join us in welcoming them to the team!
Juliana Cotto
Juliana Cotto is a Policy Fellow for the Youth & Education Privacy Project at the Future of Privacy Forum. Juliana is primarily supporting FPF’s development of K-12 student privacy resources for educators, families, and students in addition to evaluating applications for the Student Privacy Pledge. Prior to joining FPF, Juliana was a graduate intern at Consumer Reports where she worked on consumer protection issues in financial services and data collection practices of financial technologies and other products. Previous to pursuing a career in policy, Juliana was an elementary school teacher for three years during which she taught for both Chicago Public Schools and Saint Louis Public Schools through the Teach for America program.
Juliana is a 2020 graduate from Carnegie Mellon University Heinz College where she earned her Master of Science in Public Policy & Management. Juliana also holds a Master’s degree in Education from the University of Missouri Saint Louis. She earned her Bachelor’s Degree from Johns Hopkins University, where she majored in Behavioral Biology.
I am most excited about contributing to FPF’s Youth & Education Privacy team’s work in developing useful and practical resources for educators to better leverage technology in their classrooms, while upholding strong student privacy protections.
Dr. Carrie Klein
Dr. Carrie Klein is a Senior Fellow and higher education lead on the Future of Privacy Forum’s Youth and Education team. Carrie’s work primarily focuses on advancing conversations, research, and consensus related to higher education privacy. Her work and experience bridge higher education, big data, and law. Prior to FPF, Carrie worked on a National Science Foundation grant at George Mason University (Mason) focused on the use of big data in higher education and as a strategic planning project manager in Mason’s office of the president. She was also the lead for the Federal Trade Commission’s honors paralegal program, where she worked on antitrust cases. She has presented and published numerous pieces on higher education’s use of data, higher education privacy policies, and equity in higher education. Carrie is a graduate of George Mason University and The University of Arizona.
I am looking forward to contributing to FPF’s Youth and Education team’s already strong commitment to, knowledge of, and work on educational privacy and am especially excited about advancing educational privacy considerations in the higher education space.
Interested in student privacy? Subscribe to our monthly education privacy newsletter here. Want more info? Check out Student Privacy Compass, the education privacy resource center website.
What to Expect from the Court of Justice of the EU in the Schrems II Decision This Week
A decision of the Court of Justice of the European Union (CJEU), expected this Thursday, may have major consequences for data flows from the EU to the United States, as well as to most other countries in the world. Two key legal mechanisms that ensure the personal data of Europeans is protected when transferred from Europe to the US are under scrutiny: (1) the EU-US Privacy Shield framework (Privacy Shield) and (2) the Controller-Processor Standard Contractual Clauses (SCC) 2010 Decision of the European Commission. The latter also ensures that transfers of personal data originating from the EU to other countries elsewhere in the world enjoy safeguards.
If the Court decides that neither of these mechanisms meets the criteria for respecting fundamental rights under the EU Charter of Fundamental Rights, virtually all dataflows from EU Member States to the US will remain without a lawful ground and can potentially be suspended either immediately by the companies transferring data which will not want to risk hefty fines, or through orders from European Data Protection Authorities, until a new legal mechanism for transfers is put in place. An invalidation of the 2010 SCC Decision would also lead to transfers from the EU to other countries like China or India being left outside the law. The CJEU can potentially rule on the validity of both instruments, or only on the SCC Decision, leaving out the assessment of the Privacy Shield (as was recommended by the Advocate General of the Court in an Opinion published on December 19, 2019).
A complicated case
The CJEU was asked by the High Court of Ireland whether the European Commission’s Decision that establishes Controller-Processor SCCs is valid under EU law. A challenge to its validity was raised before the High Court in Ireland by the Irish Data Protection Commissioner (DPC) in a case concerning a complaint submitted to the DPC by Maximillian Schrems regarding the transfer of his personal data from Facebook Ireland (Europe) to Facebook Inc. (US). This transfer relies on SCCs (standard clauses) that the two entities entered into, which are based on a Decision adopted by the European Commission.
As a rule, the EU General Data Protection Regulation (GDPR) allows transfers of personal data from the EU to countries outside the EU only if an adequate level of protection is afforded to the data, which should not undermine the level of protection that the GDPR confers to personal data of Europeans. Some countries’ legal frameworks are declared adequate by the European Commission at the end of a formal process, meaning that dataflows from the EU to those countries can occur with no restrictions. Where such adequacy decisions are not in place, SCCs allow for companies to enter into a contract with pre-determined content (established through the SCC Decision of the Commission) that provides safeguards for personal data once it is transferred from the EU to a country outside the EU.
Schrems takes the position that his personal data transferred to the US on the basis of the SCC Decision are not adequately protected due to the broad access to electronic communications data that US government agencies have under their national security mandate and a lack of effective judicial remedies for non-US persons in relation to these practices. In accordance with the SCC Decision and with powers granted by the General Data Protection Regulation, the Irish DPC can suspend a specific transfer if the Commissioner finds that the legal regime in the country of destination (in this case, the US) does not afford an adequate level of protection to personal data transferred from the EU.
The Irish DPC challenged the validity of the SCC Decision that sets up this mechanism, one of the arguments being that the SCC Decision does not ensure an effective judicial remedy against government access to data for Europeans once their personal data are transferred to the US. On the other side, Schrems maintains that the SCC Decision is valid under EU law and that the Irish DPC should use the powers granted to it by the SCC Decision and the GDPR to assess the level of protection granted by the US legal framework and eventually to suspend the transfer of his data to the US.
How could a ruling on SCCs affect the Privacy Shield?
The CJEU found in 2015, in the first iteration of this same case, that the predecessor of the Privacy Shield program, the EU-US Safe Harbor framework, was invalid since it did not ensure an adequate level of protection of personal data transferred to the US, in accordance with the fundamental rights of respect for private life and an effective judicial remedy under the EU Charter of Fundamental Rights. The European Commission and the US Government negotiated a new framework, the EU-US Privacy Shield, which was adopted in 2016. The Privacy Shield program was found by the European Commission to ensure an adequate level of protection for the personal data transferred to the US to those companies that are self-certifying with the Department of Commerce as participating in the framework. Currently, 5,378 companies have registered as transferring data from the EU to the US on the basis of the Privacy Shield, both from the US and from Europe, as shown in this recent study published by the Future of Privacy Forum.
The Privacy Shield may now be subject to scrutiny by the CJEU in addition to the SCC Decision, depending on whether the Court finds it useful to assess it for the outcome of the main proceedings in this case. A top advisor of the Court, Advocate General Saugmandsgaard Øe, recommended in a non-binding Opinion that the CJEU limit its assessment to the SCC Decision and declare it valid. However, he also mentioned that if the Court were to consider an assessment of the Privacy Shield necessary for the outcome of the case in Ireland, the Court should find that, like its predecessor, it does not respect the fundamental rights framework of the EU.
Possible outcomes of the case
From the outset it should be clear that the CJEU often finds original solutions to complicated questions, so it is challenging to predict how it will decide in an individual case. For example, in a landmark case from 2014, Digital Rights Ireland, it decided to invalidate the entire Data Retention Directive, even though only the validity of a specific provision of that directive had been raised in the proceedings. The following paragraphs merely map out some of the possible outcomes of the case and refer to potential consequences for global data flows, but they are by no means exhaustive.
On Thursday, perhaps the only certainty is that the CJEU will provide a judgment on the validity of the 2010 SCC Controller-Processor Decision. It could follow the AG Opinion and declare it valid, or it could find that the Irish DPC is right, and declare it invalid.
Invalidation of the SCC Decision without a transition period: If the SCC Decision is declared invalid and the Court does not provide for a transition period, this means that all transfers of personal data from the EU to countries outside the EU relying on that SCC decision will become unlawful. It is also likely that, by analogy, the Controller-to-Controller SCC Decision will be declared invalid too. This will not only affect the personal data transferred to the US on the basis of SCCs, but also the data transferred elsewhere on the basis of SCCs, like China, Singapore, India, Brazil and all other countries which do not have an adequacy decision.
As a consequence, companies may decide to proactively suspend all transfers based on SCCs, effective immediately, so as not to risk GDPR fines for unlawfully transferring personal data outside the EU. Another option is to continue the transfers in practice, but this would be outside of the law. Theoretically, they could also rely on a fallback plan, but there is no immediate alternative lawful mechanism for transfers. The other options provided by the GDPR, like Binding Corporate Rules (BCRs), certification mechanisms and Codes of Conduct (CoC), take a long time to be approved by Data Protection Authorities and very few are in place (particularly BCRs; there are currently no CoC or certification schemes approved for data transfers). They could also rely on one of the derogations allowed by the GDPR, like the consent of the individuals whose data is transferred, but this would also risk bringing them outside the law, since, per guidance from the European Data Protection Board, derogations may only apply in exceptional cases and not to repetitive or massive transfers.
However, it should be noted that the European Commission has been working for the past year to update its SCC decisions to take into account new GDPR provisions, and it is very likely that the Commission will soon adopt the updated SCCs once it has also brought them in line with the requirements laid out by the Court on Thursday. So there is a possibility that there will only be a short gap before the new SCCs are adopted, even if the Court invalidates the 2010 SCC Decision.
Validity of the SCC Decision is recognized: If the Court upholds the validity of the 2010 SCC Decision, then the dataflows from the EU to the rest of the world based on SCCs can continue uninterrupted. The Commission will nonetheless publish updated SCCs sometime in the near future as expected in accordance with the GDPR, but there will be no gap during the transition from the old to the new ones. Upholding the SCC Decision also means the Irish DPC will likely have to act one way or another in relation to the original complaint submitted by Schrems regarding the transfer of his data to Facebook Inc. in the US. If the DPC suspends that transfer on account of the level of protection afforded to personal data in the US, this may lead to claims by other data subjects to suspend the transfer of their data as well to all companies in the US that rely on SCCs. Those requests will need to be dealt with on a case-by-case basis. Regardless of what decision the DPC makes, challenges to it should be expected from any of the parties involved.
Possible assessment of the Privacy Shield: As for the validity of the EU-US Privacy Shield, the Court has the option of whether to assess it or not. If it follows the AG Opinion, then the Privacy Shield will not be assessed and the data flows based on it will continue uninterrupted for now. If the Court decides to assess the Privacy Shield, the Commission will have new criteria for its future adequacy (re)assessments. If the Court finds it valid, it would be interesting to see how the Court differentiates this finding from its existing case law under the first Schrems judgment in 2015.
Invalidation of the Privacy Shield without a transition period: If the Court decides to assess the Privacy Shield and finds it invalid, then all dataflows relying on this framework will become unlawful. Transatlantic dataflows have been in this position before, after the first Schrems judgment in 2015, but at that time, companies had as fallback plan the possibility to enter SCCs while the US Government and the European Commission were agreeing on a new general framework for transfers. If both the SCC Decision and the Privacy Shield are declared invalid by the same judgment, at the same time, lawful dataflows from the EU will come to a standstill for a while, unless they are going to one of the 12 countries which currently have an adequacy decision or are based on the few approved BCRs or the exceptional derogations.
Assessment of the Privacy Shield without a decision on its validity: One other possibility is for the Court to engage in an assessment of key provisions of the Privacy Shield as obiter dictum, without reaching a conclusion regarding its validity. Such an assessment could serve as guiding principles for the European Commission in its next annual evaluation of the effectiveness of the Privacy Shield, as well as in (re)assessing the adequacy of countries or regions/states within federal countries.
Regardless of how the CJEU will rule in this case, the judgment will have consequences for the future of global dataflows.
DCU & FPF Webinar – The Independent and Effective DPO: Legal and Policy Perspectives
On July 8th, Dublin City University (DCU) and the Future of Privacy Forum (FPF) jointly organized the webinar “The Independent and Effective DPO: Legal and Policy Perspectives.” The webinar was designed to help policymakers, regulators, and their staff better understand legal views concerning the position of the Data Protection Officer within an organization. The first half of the discussion centered around the involvement and independence of the DPO from the perspective of European data protection regulators, while the second half of the webinar explored how DPOs perceive their role. Guest speakers included European data protection regulators and DPOs from leading companies.
New FPF Study: More Than 250 European Companies are Participating in Key EU-US Data Transfer Mechanism
Co-Authored by: Drew Medway & Jeremy Greenberg
European Companies’ Participation in Privacy Shield Up Nearly 30% from the Past Year.
EU-US Privacy Shield Remains Essential to Leading European Companies.
From Major Employers such as Logitech and Siemens to Leading Technology Firms like Telefónica and SAP, European Companies Depend on the EU-US Agreement.
The Privacy Shield Program Supports European Employment While Adding to Employee Data Protections—Nearly One-Third of Privacy Shield Companies Rely on the Framework to Transfer HR Information of European Staff.
With the future of the EU-US Privacy Shield framework awaiting the Court of Justice of the European Union’s (CJEU) Schrems II decision, the Future of Privacy Forum conducted a study of the companies enrolled in the cross-border privacy program and determined that 259 European-headquartered companies are active Privacy Shield participants. This is a nearly 30% increase from last year’s total of 202 EU companies in the data transfer framework. These European firms rely on the program to transfer data to their US subsidiaries or to essential vendors that support their business needs. Nearly one-third of Privacy Shield companies use the mechanism to process human resources data, information that is crucial to employ, pay, and provide benefits to workers.
Thousands of major companies, many of which are headquartered or have offices in Europe, rely on the protections granted under the data transfer agreement. With a majority of companies surveyed in a recent IAPP study relying on Privacy Shield to transfer data out of the EU, and dozens of new companies joining each week to retain and pay their employees or create new job opportunities in Europe, the agreement is an integral data protection mechanism for European consumers and companies and the European marketplace as a whole.
The Numbers:
Overall, FPF found that more than 5,400 companies have signed up for Privacy Shield since the program’s inception – more than 1,000 participants joined in the last year.
Leading European companies that rely on Privacy Shield include:
– ALDI, German grocery market chain
– Eaton Corporation, Irish multinational management company
– Ingersoll-Rand, Irish globally diversified industrial company
– Jazz Pharmaceuticals, Irish biopharmaceutical company
– Lidl, German grocery market chain
– Logitech, Swiss computer peripherals manufacturer and software developer
– SAP, German multinational software corporation
– Siemens, German computer software company
– TE Connectivity, Swiss consumer electronics company
– Telefónica, Spanish mobile network provider
FPF research also determined that more than 1,700 companies, nearly one-third of the total number analyzed, joined Privacy Shield to transfer their human resources data.
The research identified 259 Privacy Shield companies headquartered or co-headquartered in Europe. Top EU locations for Privacy Shield companies include Germany, France, the Netherlands, and Ireland. This is a conservative estimate of companies that rely on the Privacy Shield framework—FPF staff did not include global companies that have major European offices but are headquartered elsewhere. The 259 companies include some of Europe’s largest and most innovative employers, doing business across a wide range of industries and countries. EU-headquartered firms and major EU offices of global firms depend on the Privacy Shield program so that their related US entities can effectively exchange data for research, to improve products, to pay employees and to serve customers.
The conclusions follow previous FPF studies, which highlighted similar increases in participation and reliance by EU firms on the Privacy Shield program over time.
Methodology:
FPF staff recorded a list of 5,348 active EU-US Privacy Shield companies as of June 2019 from https://www.privacyshield.gov.
FPF staff performed a web search for each current company by name, checking the location of the company’s headquarters on a combination of public databases such as LinkedIn, CrunchBase, Bloomberg, and companies’ own websites.
A company that listed its headquarters in an EU member state, the United Kingdom, or Switzerland was counted as a match; companies that merely had a prominent EU office or were founded in an EU member state were not counted.
259 total EU-headquartered companies were identified using this method.
Note Regarding Brexit: Given the 130-plus UK companies reliant on Privacy Shield, we encourage the continued enforcement of the framework with the UK after the conclusion of the UK-EU Transition Period on December 31st, 2020. Companies reliant on the transfer of data between the UK and US would be wise to review the Department of Commerce’s Privacy Shield and the UK FAQs for guidance on UK-US data transfer during, and after, the Transition Period.
Off to the Races for Enforcement of California’s Privacy Law
Yesterday, the California Attorney General’s office confirmed that it has begun sending a “swath” of enforcement notices to companies across sectors that are allegedly violating the California Consumer Privacy Act (CCPA), beginning enforcement right on the July 1st enforcement date. The law came into effect in January, after years of debate and amendment in the California Legislature. Additional proposed regulations, intended to clarify and operationalize the text of the statute, are not yet final.
In an IAPP-led webinar, “CCPA Enforcement: Enter the AG,” Stacey Schesser, California’s Supervising Deputy Attorney General, confirmed details about the first week of CCPA enforcement. Below, we 1) provide key takeaways from that conversation; 2) discuss the role of the draft regulations; and 3) observe that the successes or failures of AG enforcement will directly influence debates over other legislative efforts outside of California. Meanwhile, AG enforcement will almost certainly bolster public awareness and support for the California Privacy Rights Act (CPRA) or “CCPA 2.0” ballot initiative in November 2020.
Key takeaways and observations:
Alleged violations involve a “swath” of online businesses, likely based on “Do Not Sell” obligations.
Based on Deputy AG Schesser’s comments, we know that active enforcement of the CCPA began immediately on July 1st, with the office sending violation notice letters to a “swath” of online businesses. Under the law, companies have a thirty-day period to “cure” violations and come into compliance. As a result, these letters are unlikely to become public, unless any of them progress into full-blown investigations.
We do know a few key things from this discussion, however, about the type and substance of the alleged violations under scrutiny.
For example, we know that online businesses from “across sectors” were targeted, rather than, for example, retail or other “brick and mortar” establishments that collect data in-person. And although it was not directly stated, it was implied that the violations involve perceived failures to comply with the law’s “Do Not Sell” provisions. The AG has publicly held up this specific consumer right to request that a business not sell data as the most central feature of the CCPA. As a result, major online companies or publishers that do not provide a link entitled “Do Not Sell My Information” may be under particular scrutiny.
We don’t know at this point whether the AG staff identified obvious cases where external observation made it clear a company was selling data. In many cases, whether data transmitted to third parties constitutes a sale depends on contracts and commitments made by those parties, details that can be challenging to discern from the outside. Some companies may use the thirty-day cure period to attempt to persuade the AG’s office that their data sharing occurs within the context of a service provider relationship or another permissible exemption that allows them not to provide a “Do Not Sell” button.
Deputy AG Schesser also confirmed that businesses were targeted based on consumer complaints and even some reports on Twitter. It would not be surprising to see that early enforcement targets were influenced by media and Twitter reports of businesses that do or do not provide a “Do Not Sell My Information” link. For example, a February 2020 Washington Post article includes a comprehensive list of top companies and notes whether they provide CCPA-related links.
Enforcement of requirements in the AG’s regulations will have to wait (for now).
For companies still interpreting and operationalizing the AG’s regulations, Deputy AG Schesser’s comments yesterday confirmed that enforcement (for now) is limited to the text of the statute. Although the CCPA has been in effect since January 1, 2020, the additional regulations promulgated by the AG’s office are not yet finalized, with the final text of the proposed regulations under review by the Office of Administrative Law.
Despite this, it would be wise for companies to carefully review the proposed regulations. Although in some cases the draft regulations appear to create new obligations or restrictions that do not exist in the text of the CCPA — such as disclosures for large data holders — in many cases the regulations are intended to clarify existing law. In such cases, the regulations provide a useful window into how the AG’s office understands the text of the CCPA. Similarly, companies seeking to understand how the AG’s office understands the CCPA and its “Do Not Sell” provision can look to the 900+ pages of responses given to commenters in the public comment periods for the draft regulations. These responses provide important insight into the AG’s analysis of what the underlying statute requires.
The AG’s successes or failures (or perceptions thereof) will directly influence federal and state legislative debates outside of California.
The role of State Attorneys General (AGs) in enforcing comprehensive privacy laws has been at the heart of many recent debates over both state and federal legislation. For example, in deliberations regarding the Washington Privacy Act (WPA), enforcement emerged as one of the most divisive issues that led to the bill failing to pass the Washington House. Advocates and even the Washington Office of the Attorney General itself argued that the Washington AG lacked the financial and other resources to meaningfully enforce the law if it were passed, and that the law needed to also include a private cause of action for individuals to bring claims directly in court.
In the context of federal legislation, it is becoming increasingly common for proposed comprehensive privacy legislation from both Democrats and Republicans to include enforcement powers for State AGs. Industry groups sometimes argue against the inclusion of State AGs, perceiving their enforcement to be politically motivated or observing that they may lack the deep expertise of their federal agency counterparts to enforce privacy laws affecting complex emerging technologies and digital platforms. However, State AGs will almost certainly play some role in a future federal privacy law, particularly if stronger government enforcement becomes part of a compromise against a robust private cause of action.
Despite these criticisms, we see this week that State AGs can act quickly and decisively. This is in line with the growing national importance of State AGs in enforcing against novel privacy harms associated with emerging technologies (for more, see Professor Danielle Citron’s 2017 exploration of The Privacy Policymaking of State Attorneys General). If the California AG’s enforcement letters and investigations over the next six months are perceived as effective, it will continue to bolster the credibility of AGs as primary enforcers of state laws, and supplementary enforcers of a federal law.
Next up: CPRA Ballot Initiative (“CCPA 2.0”)
Meanwhile, the proposed “California Privacy Rights Act” (CPRA) has qualified for the November 2020 ballot, and if passed would modify the CCPA to provide additional consumer protections. For example, it would add the consumer right to “correct inaccurate information,” and the right to limit first-party use of sensitive categories of information (rather than only being able to limit its sale). It would also provide much-needed clarifications on the consumer right to opt out of all sale or sharing of data for purposes of online behavioral advertising, and enshrine a clearer “purpose limitation” obligation into the text of the statute.
If passed, the CPRA will likely become the new de facto minimum U.S. national standard for consumer privacy, raising the bar significantly for efforts to pass federal legislation. Despite its detailed requirements, it is not finding favor with some civil society groups such as the Consumer Federation of California, which has now formally opposed the initiative. On the other hand, Common Sense Media has now endorsed the effort. The ballot initiative process in California enables groups to submit ballot arguments in support or opposition of an initiative, which may be important to help voters understand the initiative, so stay tuned for news of additional groups that support or oppose the effort.
Author: Stacey Gray is an FPF Senior Counsel and leads FPF’s U.S. federal and state legislative analysis and policymaker education efforts. Did we miss anything? Email us at [email protected].
Image Credit: Tweet from Attorney General Becerra, @AGBecerra, Twitter, July 1, 2020, https://twitter.com/AGBecerra/status/1278377943803154432?s=20.