While there wasn’t a bevy of privacy news since we last met a week ago, there were two significant developments. First, the European Commission issued its new standard contractual clauses on Friday. Those are a big deal for companies looking to transfer data out of the EU legally. Some of the changes in what must be included in a standard contractual clause stem from the Schrems II case, which invalidated the Privacy Shield agreement. Part of Europeans’ concerns about the safe transfer of data from the EU to the U.S. is specifically related to law enforcement agencies’ access. If your company relies on standard contractual clauses now or in the future, you’ll want to know about the critical changes. The first story below outlines some of those. Second, today, Colorado passed its privacy law. The bill needs a signature from the state’s governor, but he isn’t expected to veto it. Here’s what you need to know about the bill:
- It looks similar to California’s new privacy law, the California Privacy Rights Act (CPRA).
- It includes a Global Privacy Control provision, which would allow Colorado residents to opt out of personal data processing.
- It requires consumers to opt in before companies can collect “sensitive” personal data.
- It allows the Colorado attorney general to enforce the law and to start issuing guidance in 2025.
- It requires data protection assessments where data processing could present a heightened risk to consumers.
- It does not include de-identified or pseudonymous data within the definition of “personal data."
- It does not include a private right of action as a consumer remedy, unlike the CPRA.
Enjoy reading, and I'll see you next week!
European Commission issues new standard contractual clauses
Last Friday, the European Commission finally published its new terms for standard contractual clauses (SCCs). Ever since the Commission canceled the Privacy Shield as a data-transfer mechanism, companies transferring data out of the EU and into another jurisdiction have nervously waited to hear what kind of requirements they’d need to include in contracts with data importers or subprocessors. Here is a look at some of the significant changes from what used to exist to now.
2. Colorado passes comprehensive privacy law
On Tuesday, June 8, Colorado’s Senate approved a bill giving state residents rights over their data. The Colorado Privacy Act, or SB21-190, now goes to the governor’s desk for signature. The law goes into effect in July 2023 and would allow Coloradans to use a global privacy control browser setting to opt-out of data collection on all websites, The Denver Post reports.
3. Apple’s push to make privacy its competitive advantage
Apple announced new versions of its operating systems this week, “which showed that the company’s focus on privacy has taken a new turn,” CNBC reports. While Apple has made strides to come across as the most privacy-focused tech company, its latest app and feature unveiling at the World Wide Developers Conference indicated that “Apple’s privacy strategy is now part of its products.”