GDPR CCPA LGPD. Protected information

Transcription

1 Stricter data protection laws are on the rise. While only a couple of years ago, data protection legislations and requirements were frequently marginalized and the position of the data protection officer within a company often was not a very strong one, the adoption of the GDPR has driven a new era of data protection laws. The most recent data protection developments in Brazil and California show that legislators use the GDPR as a benchmark when creating and adopting new data protection and privacy laws. It is likely that more countries will follow this trend and that stricter privacy and data protection standards will be pursued by authorities and regulators. As the implementation of company-wide data protection standards leads to considerable efforts (please find an example for the set-up of a GDPR compliant structure within companies here), companies should strive for implementing privacy standards that fulfil all relevant data protection requirements applicable to them. As the GDPR is a driver of privacy legislation worldwide, it will often make sense to assess whether structures introduced to cope with the GDPR may also be useful regarding other privacy laws. This may be the case for CCPA and LGPD, as below comparison of the main requirements shows: Protected information Personal data: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Under the CCPA, the definition of personal information (PI) is much broader than the usual definition established in the U.S, explicitly including IP addresses. The definition of the CCPA is very similar to the definition of personal data under the GDPR: Personal information: Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal data: Any information relating to an identified or identifiable natural person.

2 Protected group of persons Data subjects: Any identified or identifiable natural person to which the personal data relates. Under the CCPA, the application scope is limited to Consumers: Consumers: Any individual who is in California for other than a temporary or transitory purpose, and any individual who is domiciled in California who is outside the State for a temporary or transitory purpose. The LGPD has a broad application scope similar to the GDPR. Natural Person: Any identified or identifiable natural person to which the personal data relates. Scope of application Unlike the GDPR, the CCPA only addresses entities or groups doing business in California under certain requirements: Anyone who (i) either processes personal data in the context of an establishment in the EU or (ii) of data subjects that are in the EU, if such processing is related to the offering of goods or services to EU residents or (iii) to monitoring of data subjects behaviour provided that the data subjects are in the EU and such behaviour takes place in the EU. Businesses: Any for-profit organisation that collects consumers personal information and does business in the State of California, and that either (i) has annual gross revenues in excess of $25,000,000, or (ii) that annually sells, alone or in combination, the personal information of 50,000 or more consumers or devices, or (iii) derives 50 percent or more of its annual revenues from selling consumers personal information. Anyone who (i) either processes personal data in Brazil or (ii) of individuals located in Brazil, if such processing is related to the offering of goods or services to Brazilian residents or (iii) if the personal data processed has been collected on Brazilian territory.

3 Privacy Rights Under the GDPR, data subjects have multiple rights to ensure transparent and fair data processing. The CCPA introduces a new requirement of transparency as well as new consumer rights which are similar to certain data subject rights under the GDPR: The LGPD grants natural person specific rights regarding their personal data similar to the GDPR. 1. Right to be informed: Data subjects have the right to be informed pro-actively on how controllers use their personal data. 2. Right to access: Data subjects have the right to access the personal data retained by the controller. Controllers are required to provide information with regard to the processing as well as a complete and unaltered copy of all the personal data undergoing processing. 3. Right to rectification: Data subjects have the right to have incomplete or incorrect personal data rectified. Controllers are obliged to examine the claimed incorrectness or incompleteness of the respective data at the latest within one month after the request was filed. 4. Right to erasure (Right to be forgotten): Data subjects can request the deletion of personal data if it is no longer necessary for the purpose it was originally obtained for, the data subject (or for minors generally aged 15 and below, the legal guardian) has withdrawn consent for the processing activity and there is no other legal basis that justifies processing, or the personal data has been processed unlawfully. 5. Right to restriction of processing: Data subjects can request controllers to restrict the processing of their personal data under certain circumstances. 6. Right to data portability: Data subjects have the right to request the transfer of their personal data to themselves in a structured, commonly used and machine-readable format or to another controller without hindrance. 7. Right to object: Data subjects have the right to object to the processing on grounds relating to their particular situation or to direct marketing. 1. Right to request disclosure: Consumers have the right to request that businesses disclose the categories and specific pieces of personal information that it collects about the consumer, as well as further information concerning the sources from which the information is collected, the business purposes for collecting or selling the personal information, and the categories of third parties with which the information is shared. 2. Right to request deletion/right to be forgotten: Consumers have the right to request deletion of personal information and businesses are required to have service providers delete the information under certain circumstances. 3. Right of access and data portability: Consumers have the right to request access to the personal information held by the business, and to obtain it in a readily usable format that allows porting the data over to another entity without hindrance. 4. Right to opt out: Consumers have the right to opt out of the sale of personal information by a business. 5. Right not to be discriminated: Businesses are prohibited from discriminating against the consumer for exercising his/her right to opt out, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer s data. Financial incentives offered to the consumer for the collection, sale, or deletion of personal information are permitted only with the prior opt-in by the consumer. For consumers aged 16 or below, businesses must obtain affirmative consent to sell personal information either from the consumer (if the consumer is between ages 13 and 16), or from the consumer s parent or guardian (if the consumer is below age 13). The CCPA defines selling of personal information as disclosing personal information to another business or third party for monetary or other valuable consideration. 1. Right to be informed: All natural persons have the right to be informed on how controllers process their personal data. 2. Right to access: All natural persons have the right to access the personal data processed by the controller. The personal data shall be stored in a format that favours the exercise of this/her right. 3. Right to request correction of incomplete, inaccurate or outdated data: All natural persons concerned have the right to request correction of incomplete, inaccurate or outdated data. 4. Right to data portability: All natural persons concerned can request the transfer of their personal data to themselves or to another controller in an interoperable format. 5. Right to erasure: Natural persons concerned have the right to request the deletion or anonymization of their personal data if the data is processed unlawfully.

4 Organizational requirements and obligations for controllers 1. Maintain a records of processing activities: Maintaining records of processing activities that must be updated continuously is mandatory. 2. Conduct a Data Protection Impact Assessment: In case a data processing activity is likely to result in a high risk to the rights and freedoms of data subjects, controllers are required to carry out an assessment of the impact of the envisaged processing activities. 3. Appoint a data protection officer: Under certain circumstances, appointing a reliable and knowledgeable data protection officer is mandatory. 4. Implement technical and organisational security measures: Implementation of appropriate and reasonable state of the art technical and organisational measures to ensure that data processing conducted is secure. 1. Implement technical and organisational security procedures: A business shall implement and maintain reasonable security procedures and practices appropriate to the nature of information processed in order to protect this information from unauthorized access, destruction, use, modification or disclosure. 1. Conduct a Data Protection Impact Assessment: In case a data processing activity is likely to result in a high risk to the rights and freedoms of natural persons, controllers are required to carry out an assessment of the impact of the envisaged processing activities. 2. Appoint a data protection officer: Appointing a reliable and knowledgeable data protection officer is mandatory. 3. Implement technical and organisational security measures Implementation of appropriate and reasonable state of the art technical and organisational measures to ensure that data processing conducted is secure. Time allowed to respond to a request of an individual 1 month 45 days Rights must be granted in an accessible and effective manner (and without cost to the person concerned). Enforcement Right to compensation and liability: Under the GDPR, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. No fixed amount of compensation. Administrative fines: Controllers and processors can be subject to administrative fines up to 20,000,000 or 4% of the annual turnover of the preceding financial year. Private right of action: Consumers who have suffered an injury in fact to a business breach of the CCPA can sue. Businesses may have to compensate every affected consumer within the range from $100 to $750. However, prior to initiating action, consumers must provide the businesses with 30-day written notice specifying which portions of the CCPA the business is alleged to have violated. Civil penalties: Under the CCPA, the Attorney General is provided with exclusive jurisdiction to sue for civil penalties if a business fails to cure any alleged violation within 30 days of notice of the violation. Suits by the Attorney General for intentional violations can amount to penalties up to $7,500 for each violation. Violations to obligations are subject to penalties ranging from warnings to fines up to 2% of an entities revenue in Brazil in the previous year (maximum 50 million BRL). Right to compensation and liability: Any natural person that has suffered material or non-material damage as a result of a data processing activity conducted by a controller or processor has the right to receive compensation from the controller or processor. Coming into force 25 May 2018 January 2020 February 2020

5 Publications von dem Bussche/Voigt Data Protection in Germany Beck, 2 nd edition München 2017 Voigt/von dem Bussche EU General Data Protection Regulation (GDPR) a practicioner s guide Springer Science, 2017 TIER 1 Law Firm for Data Protection Germany, 2017 and 2018 Taylor Wessing is definitely one of the best in the data protection segment and is distinguished by its comprehensive knowledge and practice-oriented, very flexible consulting, both in German and European data protection law. Legal 500 Germany, 2017 Key Contacts Paul Voigt Lic. en Derecho, CIPP/E Technology, Media & Telekom Salary Partner Berlin +49 (0) p.voigt@taylorwessing.com Dr. Hannah Wirtz Technology, Media & Telekom Associate Berlin +49 (0) h.wirtz@taylorwessing.com About Us Taylor Wessing is a leading international law firm, working with clients in the world s most dynamic industries. We take a single-minded approach to advising our clients; to help them succeed by thinking innovatively about their business issues. Taylor Wessing has over 1,100 lawyers across Europe, the Middle East and Asia, offering an integrated service across the full range of practice areas. We support clients wherever they want to do business. Our 32 offices around the world blend the best of local commercial, industry and cultural knowledge with international experience to provide proactive, integrated solutions for our clients. Europe > Middle East > Asia taylorwessing.com Taylor Wessing 2018 This publication is not intended to constitute legal advice. Taylor Wessing entities operate under one brand but are legally distinct, either being or affiliated to a member of Taylor Wessing Verein. Taylor Wessing Verein does not itself provide services. Further information can be found on our regulatory page at