Essential equivalence is a flexible tool to assess adequacy
This December edition of PL&B International Report does not merely report, but provides substantial analysis on privacy law developments in China and an original assessment of California’s new privacy law rejecting over-simplified descriptions of it as the US version of the EU’s GDPR. It is not.
The GDPR is based on fundamental rights while the California statute is clearly intended to be a consumer privacy law. The California Privacy Rights Act of 2020 (CPRA) amends the current California Consumer Privacy Act (CCPA), which took effect earlier in 2020. This law “is the most ambitious US legislation affecting privacy more broadly than in a specific sector” writes Professor Graham Greenleaf. California’s data breach law took around 20 years for it to be copied to a greater or lesser extent in the 49 other states. But now, there seems to be some appetite for change at federal level, partly to avoid what (to many observers) is the absurd notion that a company doing business in the US has to worry about the similarities and differences in the privacy laws in 50 states.
A new administration starting in January may be more inclined to favour federal privacy legislation, also supported by some major tech companies, such as Microsoft and Apple. But firstly, the new President is certain to have other priorities and secondly, much depends on whether the state of Georgia in January returns two Republicans or two Democrats to the US Senate. If the latter, Vice President Kamala Harris will hold the casting vote in an evenly split Senate. As former Attorney-General of California, she is well aware of public support for a privacy law.
We learned in the first webinar in our 33rd Annual International Conference series last month that the text of the new California law is very complex and some words and phrases do not have their natural meanings. Two more sessions in our 11 part conference series will take place in January. Registration provides access to not only the two sessions in January but also recordings of all of them.
The clearest gain in this law is the establishment of an independent supervisory authority, the California Privacy Protection Agency which will be independent and have enforcement powers, including administrative fines. By contrast, China’s law is much more comprehensive in its scope but lacks a supervisory authority.
Heavier fines
There are signs that supervisory authorities, for example, in France and Italy, are now imposing heavier fines for breaches of data protection laws (pp.22 & 31), for example, against Google, Amazon and Vodafone. Many companies will appeal against them. There have been substantial reductions in fines imposed by the Information Commissioner’s Office in the United Kingdom after negotiations by law firms deploying arguments on the basis that any fines should be not only dissuasive but also proportionate.
Brexit looms
While we cover data law aspects of Brexit in detail in PL&B UK Report, we cover in this edition the UK’s plans to develop its own adequacy assessments of firstly the 30 European Economic Area (EEA) countries and then the 12 countries declared “adequate” by the European Union. The UK’s adequacy programme is ambitious, extending far beyond these 42 countries.
The situation will become clearer in early 2021. What is evident now is that the UK, like Switzerland, is making its own judgments of “essential equivalence” to borrow a phrase from the European Commission. Likewise, other countries, such as Israel, are making their own assessments of the United Kingdom and are bringing the Council of Europe Convention 108 back into active use as a legal basis for international transfers of personal data.
The Strasbourg-based Council of Europe celebrates the 40th anniversary of this Convention on 28 January 2021. Non EEA countries which could use this instrument as they have ratified the new Council of Europe Convention 108+ include Serbia (May 2020) and Mauritius (September 2020).
PL&B’s future conference programme
Starting in February, PL&B will run online sessions with speakers from several national Data Protection Authorities. You will be able to register for the ones most relevant to you. Details will follow in January.
Many of you have told us how much you missed our 33rd Annual International Conference in Cambridge in July. So I am happy to tell you that we have our annual conferences booked at St. John’s College, Cambridge for 5-7 July 2021 and 4-6 July 2022. Our optimistic assumption is that the combination of the mass vaccination programme and warm weather will greatly reduce the devastating impact of the pandemic. We will plan the usual outstanding 3 day programme, and have a fallback position of running it online if that becomes necessary.
PL&B’s editorial team looks forward to keeping you well informed in 2021 and beyond. Enjoy your end of year break as best you can this year, and we hope to meet in 2021.
Regards,
Stewart Dresner, Publisher
International Report 168
Lead stories:
Data transfers after Schrems II: Reflections from the Asia Pacific
Clarisse Girot of the Asian Business Law Institute, Mark Parsons of Hogan Lovells and Olga Ganopolsky of Macquarie Group discuss practical issues and geopolitical sensitivities.
China issues a comprehensive draft data privacy law
Draft PPIL marks a decade of evolution in the direction of a ‘European style’ law. By Graham Greenleaf.