Supplement #27

Sent to subscribers in September 2018

At long last, the GDPR is in force.  It has been a long process.  I still remember reviewing the first draft of a GDPR in November 2011, and after that, all the successive drafts, wondering how long it would take to get to launch.

Here we are, almost 7 years later, GDPR is in effect! When you receive this set of supplements, GDPR will be celebrating the four-month anniversary of its enforcement date. It is still taking baby steps.  In the meantime, the first sets of lawsuits claiming violation of individuals’ rights under GDPR were filed on the inaugural day, May 25, 2018.

The GDPR grants Member States the ability to supplement some of its provisions. It was hoped that EU Member States would take advantage of the two-year period between signature of the law and the enforcement date to take the measures necessary to implement the GDPR into their national laws and take advantage of their ability to supplement it.  Some did take advantage of this opportunity. Germany and Austria were the first to have completed the process. Nevertheless, a significant number of EEA Member States are still struggling.  In numerous cases, bills are pending and still being discussed. Others are almost done; for example, Italy

While not a member of the European Economic Area, Switzerland is also in the midst of changing its data protection law to keep up with the changes that result from the passage of the GDPR as part of its agreements with the EEA Member States.  The Swiss parliament is said to be working on a draft.

Outside the EEA region, countries are actively working on the improvement or development of their data protection laws.  On August 14, 2018, the president of Brazil signed the country first data protection law.  That laws contains numerous references to the GDPR.  Across the Andes, Chile is also working actively on developing further its existing data protection law, to bring it to current international standards.

At end of June 2018, California passed the California Consumer Privacy Act (CCPA).  Like the GDPR, the statute has a very broad reach. It applies to most business entities that collect personal information of California residents and operate in California. In the next Supplement, we will provide a summary of the CCPA, and describe the circumstances of its very turbulent launch.

According to its terms, the statute becomes effective as of January 1, 2020. However, because of its controversial content, the statute has been attacked for a variety of reasons, and the launch date is becoming uncertain.  Since its signature by the California Governor, numerous activities have been ongoing in California to attempt to amend the statute and delay its enforcement date. There are also discussions at the Federal level, which are aiming at drafting a federal law that would supersede the California statute.

One of the most amazing features of the CCPA is its definition of “personal information.” It is probably the longest of all definitions of that term, worldwide. It is 345 word-long and extends over 13 paragraphs.

While the CCPA has been presented by some as a “mini GDPR,” it is much more liminted than the GDPR.  For example, unlike the GDPR, it does not contain general data processing principles and does not require a legal basis for the processing of personal information. CalCPA focuses primarily on providing consumers with a number of rights, such as a right of access and right of portability, in a manner similar to the GDPR. It also grants consumers the right to obtain from businesses that they cease selling, sharing or disclosing their personal information with or to third parties for commercial purposes.

CCPA grants a private right of action to California residents whose personal information was compromised in a breach of security. This addition to the existing California security breach landscape is likely to significantly increase litigation.