Joseph Stoker – Dotdigital https://dotdigital.com (feed last built Fri, 21 Apr 2023 12:15:25 +0000)

Update: EU Standard Contractual Clauses
https://dotdigital.com/blog/update-eu-standard-contractual-clauses/
Mon, 07 Jun 2021 00:00:00 +0000 (original URL: https://dot.tiltedchair.co/update-eu-standard-contractual-clauses/)

What are Standard Contractual Clauses?

Standard Contractual Clauses (SCCs) have been around for a long time and are used by companies worldwide to transfer personal data from the UK and Europe to other countries in compliance with the principles of European data protection law. Since the introduction of the GDPR (and high-profile cases such as Schrems II), this mechanism has been in the spotlight as outdated.

What has happened?

The new SCCs have been discussed and much anticipated (by privacy practitioners at least) for some time. At a very high level, the SCCs have been updated to:
  • bring the wording of the SCCs in line with the GDPR;
  • address the requirements made in the Schrems II decision; and
  • broaden the scope of the situations where these data transfers may take place.
The decision comes into effect on 24 June 2021, and companies can continue to use the previous SCCs for a further three months. After that, companies will have a further 15 months to put the new SCCs in place to replace the existing SCCs.

Your data and dotdigital

We understand that our clients (particularly their Data Protection Officers and privacy teams) will be keen to understand the impact this will have on their relationship with dotdigital. dotdigital has entered into contracts with the organizations listed on our Trust Center to ensure the safeguarding of personal data, including entering into Data Processing Agreements reflecting the obligations under the EU and UK GDPR and entering into the old SCCs (where relevant) to ensure that all customer data is protected. As a result of the recent update, we will be looking to update these safeguards with the new SCCs. Depending on your location, we may well have entered into the old SCCs with you directly. Similarly, we will be looking to update any existing SCCs with the new SCCs soon. Please note that dotdigital will be analyzing the content of the new SCCs over the coming days and will communicate specific updates and reach out to affected clients directly in due course. No immediate action is required by you.
Privacy Shield update
https://dotdigital.com/blog/privacy-shield-update/
Tue, 21 Jul 2020 00:00:00 +0000 (original URL: https://dot.tiltedchair.co/privacy-shield-update/)

At dotdigital, we take our responsibilities around data protection very seriously and wanted to make sure that we address any immediate questions that our customers may have.

Background

The EU – U.S. Privacy Shield was a mechanism where U.S.-based organizations could self-certify to comply with EU data protection requirements when transferring personal data from the European Union to the United States. The decision in the Schrems II case last week focussed on whether U.S. laws ensured the adequate protection of data, looking at two widely relied-upon mechanisms of transferring data to the U.S. – the Privacy Shield framework and Standard Contractual Clauses (SCCs). In summary, the court declared that the EU – U.S. Privacy Shield was insufficient to ensure the protection of EU personal data. Importantly, the court confirmed that the SCCs remained a valid mechanism for the transfer of data from the EU to the U.S.

What this means

The big impact is for any companies that until now have relied on the EU–U.S. Privacy Shield for data transfers from the European Union to the United States – as these are no longer valid. Any organization relying on this mechanism alone should implement alternative safeguards.

Your data and dotdigital

dotdigital has maintained U.S. Privacy Shield certification and we do have a number of relationships with organizations in the United States. More details around these sub-processors can be found on our Trust Center pages here. However, the Privacy Shield has been under scrutiny for some time and we have never relied on the Privacy Shield alone. dotdigital has entered into contracts with the organizations listed on our Trust Center to ensure the safeguarding of personal data, including entering into Data Processing Agreements reflecting the obligations under the GDPR, passing down the measures of the EU Model Contract Clauses to ensure that all customer data is protected. We will of course continue to monitor developments in relation to any transfers around personal data to make sure that any customer data is safeguarded.
If you have any questions relating to the above, please email privacy@dotdigital.com. This article should not be interpreted as legal advice and the contents are intended for informational purposes only.
How the CCPA compares to the GDPR: 10 things you need to know
https://dotdigital.com/blog/how-the-ccpa-compares-to-the-gdpr-10-things-you-need-to-know/
Mon, 20 Jan 2020 00:00:00 +0000 (original URL: https://dot.tiltedchair.co/how-the-ccpa-compares-to-the-gdpr-10-things-you-need-to-know/)

1. Why is the CCPA important?

While the GDPR applied a unified privacy law across Europe, the USA has no comparable federal law. There have been ripples of state-led laws granting rights similar to those in the CCPA (more on which below), but the CCPA is the first major privacy legislation in the USA, given the scope of the rules it introduces on how data about Californian residents is handled.

It is important for two reasons: its application is a major step given the absence of privacy laws before it, and it is paving the way for discussions at a federal level to introduce uniform legislation across the USA.

2. Who has to comply?

Compliance with the CCPA applies to any business operating for profit that collects and/or controls California residents’ personal data and meets one of the three criteria below:

1. Have annual gross revenues in excess of US$25 million; or

2. Receive or disclose the personal information of 50,000 or more California residents, households, or devices on an annual basis; or

3. Get 50% or more of their annual revenues from selling California residents’ personal information.

The big difference compared to the GDPR is that the GDPR applies to any business (without being limited by CCPA-esque criteria) that determines the means and purposes of processing personal data about EU citizens.

3. Scope

Rights under the CCPA are provided to “consumers”, meaning natural persons who are California residents (i.e. not someone in California for a temporary or transitory purpose).

The concepts of processing are broadly similar, captured under the CCPA as “collecting or selling” personal data. However, where the GDPR applies to all processing of data, the CCPA is principally focused on the sharing or selling of information. There are also a number of elements that sit outside the definition of personal data, including publicly available information.

4. Legal bases for processing

The GDPR introduced legal bases for processing personal data, with which businesses had to align their processing of data. These included consent and legitimate interest.

The CCPA does not introduce the concept of legal grounds for processing personal information.

5. Rights for individuals

What the CCPA does introduce is a number of rights for Californian residents. These overlap the GDPR in most respects, including the right to:

  • erasure / deletion, free of charge (with exceptions);
  • be informed (i.e. the individual must be provided with details of what personal data is collected & why);
  • access (i.e. a process allowing individuals to have full visibility of the data an organization holds about them);
  • data portability (i.e. when data is requested under an access request that this is provided in an easy-to-read and portable format); and
  • object / opt-out (though there are some notable distinctions here – see below).

Deadlines to respond to consumers exercising their rights are slightly different: the GDPR specifies that a response be sent within a month, whereas the CCPA specifies a 45-day period. Both may be extended, provided the individual is told within the initial timeframe.

One distinction the CCPA provides explicitly (although it can be argued that this is implied in the GDPR) is that individuals must not be discriminated against for exercising their rights.

6. Opting out & not selling data

The CCPA introduces a significant and distinctive requirement that is not mirrored under the GDPR.

The CCPA requires that a link with the title “Do Not Sell My Personal Information” is provided on the homepage of any business that sells personal data. Importantly, Californian residents can only opt out of the sale of personal data, and not the collection or other uses that do not fall under the definition of “selling.”

By contrast, individuals can object to any type of processing of personal data under the GDPR. This can be done by withdrawing consent, or by objecting to processing that is based on another legal basis.

The right under the CCPA is absolute, whereas under the GDPR a business has the opportunity to demonstrate “compelling legitimate grounds” for the processing that overrides the rights of the individual.

7. Compliance

In the same way the GDPR meant a swathe of changes to every online privacy policy, the CCPA similarly requires organizations to make changes.

As well as informing Californian consumers of their rights, at least two methods of contact must be made available for them to make requests in exercising their rights. Obviously, organizations must put mechanisms in place to ensure that any such requests are dealt with.

8. Enforcement

Much was made of the eye-watering penalties that the GDPR introduced, of up to the higher of €20m or 4% of worldwide turnover. The CCPA provides for penalties of up to $2,500 per violation or $7,500 per intentional violation, with no overall maximum where several violations are penalized. Enforcement powers are granted to the Californian Attorney General.

Individuals can also bring actions themselves. Where the GDPR allows claims for material and non-material damages for any violation of the GDPR, the CCPA only allows individuals a right of action where non-encrypted / non-redacted personal information is subject to unauthorized access, or where it has been disclosed as a result of an organization’s failure to meet its security obligations.

9. Security Obligations?

Given the risk to businesses of a failure to meet security requirements, the CCPA is surprisingly vague on what this means. The Attorney General is likely to publish further guidance. In the meantime, it is worth noting that a number of security measures have historically been endorsed by the Attorney General; these may be a useful point of reference, and incorporating them into a CCPA compliance program is one way to mitigate the risk.

10. Just the beginning…

The Attorney General is required to adopt regulations on or before July 1, 2020, so there will certainly be further developments and guidance to keep an eye out for.

While the CCPA is not America’s answer to the GDPR, despite certain similarities, it is important to note that there is a real drive to introduce a harmonized privacy law at a federal level. Despite House and Senate hearings and FTC requests, this is still some way off, but the CCPA may well be the first step towards it.


FAQs on CCPA for Dotdigital customers

FAQs on CCPA for Dotdigital CPaaS customers

The information in this document is for general guidance and is not legal advice. If you need more details on your obligations or legal advice about what action to take, please contact your legal advisor or attorney.
