Global Privacy Law Updates in 2022

New US State Privacy Bills, Proposed Rules and Guidance on Cross-Border Transfers for Turkish, Canadian, and Hong Kong Businesses, Governance Requirements in India, and European Enforcement

Over the last several months, there have been numerous developments in the global privacy law landscape both from a legislative and enforcement perspective. As personal data continues to become an even more substantial component of companies’ business practices, and technology—as well as the malicious actors who seek to exploit such technology—grows more sophisticated, there is a corresponding need for privacy laws to keep apace in ways that ensure companies can responsibly and efficiently execute their business while effectively safeguarding personal data and empowering consumers with sufficient control over how that data is used. This Advisory discusses several key developments across the world aimed at doing this, including 13 US state legislatures’ introductions of comprehensive data privacy bills in the last few weeks; France’s record-breaking fines for violations of rules governing cookie practices; liability for data protection officers in India’s proposed data protection bill; and three updates related to cross-border transfers, including a recent proposal to Turkey’s controversial cross-border transfer regime intended to streamline the flow of data across borders, Quebec’s requirement for privacy impact assessments for transfers, and newly issued clarifying guidance from Hong Kong’s privacy commissioner regarding data transfers under China’s data protection legislation.

Comprehensive US State Data Privacy Bills Introduced in 2022

Following the lead of Colorado and Virginia, in 2021 numerous jurisdictions’ legislatures¹ throughout the United States introduced comprehensive state data privacy bills modelled off of the California Consumer Privacy Act (as amended by the California Privacy Rights Act, the CCPA). This momentum has carried forward into 2022, with thirteen states already introducing—or reintroducing, in some cases—CCPA-like privacy legislation since the beginning of the new year: Alaska², Florida³, Hawaii⁴, Kentucky⁵, Indiana⁶, Nebraska⁷, New Jersey⁸, New York⁹, Oklahoma¹⁰, Pennsylvania¹¹, Vermont¹², Washington¹³, and Wisconsin¹⁴.

Many provisions of these new bills resemble those in the CCPA, Virginia’s Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act (CPA) (as well as the European General Data Protection Regulation (the GDPR)), borrowing concepts such as requiring notice at the point of data collection and empowering consumers with a set of rights regarding the use of their data, including the right to opt-out of the selling or sharing of personal data, to request a copy of their data, and to delete their data. Some do, however, contain notable differences. For example, the Senate version of the New York Privacy Act (NYPA), which amends and recommits an earlier version of the bill first introduced in the 2019-2020 legislative session then amended and passed out of the New York Senate Protection Committee in May 2021, has a considerably broader jurisdictional scope than the aforementioned laws. It would apply to any New York business that (1) has annual gross revenue of at least $25,000,000, (2) controls or processes personal data of at least 100,000 New York consumers, (3) controls or processes personal data of 500,000 natural persons or more nationwide, and controls or processes personal data of 10,000 New York consumers or more, or (4) derives over 50% of gross revenue from the sale of personal data, and controls or processes data of at least 25,000 New York consumers. Moreover, in a significant departure from the comprehensive data privacy laws enacted in California, Colorado, and Virginia, the NYPA would generally require data controllers to obtain opt-in consent from a data subject prior to processing personal data or making any changes to the existing processing or processing purpose.

As demonstrated in Florida, Senate and House versions of particular states’ bills may differ in important ways, with each adopting contrasting provisions from the CCPA, VCDPA, and/or CPA. Not only may the House version of Florida’s privacy bill generally exclude more smaller businesses from its jurisdictional scope, it provides for a consumer private right of action in line with the CCPA. The Senate version of the bill, on the other hand, follows the CPA and VCDPA by not including a consumer privacy right of action. Notably, however, both the House and Senate versions would be enforced by the Florida Office of the Attorney General similar to the CPA and VCDPA, which are enforced by the respective attorney generals in each state. Beginning on January 1, 2023, the CCPA will be enforced by the newly created California Privacy Protection Agency.

This significant level of ongoing activity at the state level demonstrates that consumer privacy remains an important issue for both legislators and consumers alike. And with no sign of a federal law being enacted anytime soon that would pre-empt state privacy legislation, companies should continue to anticipate what changes they might need to make to their business practices—and whether they should advocate for or against states’ adoptions of such legislation—as this complex patchwork of state laws continues to develop.

Enforcement: France’s Data Protection Authority Issues€210 Million in Fines for Cookie Violations Under the ePrivacy Directive, Quebec’s Private Right of Action, and Direct Fines for Data Protection Officers

On December 31, 2021, France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (the CNIL), levied fines totalling a record amount of €210,000,000—approximately $237,000,000—for failing to allow French users to easily reject tracking via cookies. Coming on the heels of nearly 100 orders and sanctions pertaining to non-compliance with its cookie legislation that became enforceable on March 31, 2021, these notably large penalties may very well indicate that the CNIL intends to continue ramping up its privacy law enforcement activities in 2022 and beyond.

According to the CNIL’s restricted committee, the body responsible for issuing sanctions, the websites offered users one button to immediately accept cookies but did not provide an equivalent option that would enable users to easily refuse the same cookies. The restricted committee concluded that the complexity of the refusal mechanism discouraged users from refusing cookies and improperly influenced them to consent. As a result of these violations, the CNIL issued the combined €210 million in fines and ordered the companies provide users located in France with a means of refusing cookies as easily as the means of accepting them.

These types of fines may not be limited to Europe. Enforcement may loom under Québec’s updated privacy law, which allows for administrative penalties of up to CA $10 million or 2% of annual worldwide turnover (and higher penal penalties). More importantly, this new Canadian law provides for a private right of action for privacy infringement. And India’s proposed Data Protection Bill has been updated to provide for direct penalties and fines against any person who violates it, including the required appointed data protection officer.

The sanctions issued by the CNIL pursuant to the EU Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the ePrivacy Directive), and the new enforcement mechanisms and focus, serve to remind companies—particularly those engaging in online advertising, profiling, and related activities—that they may be subject to harsh penalties under international laws and regulations beyond just the GDPR. In addition to staying apprised of similar enforcement actions brought by non-US authorities such as the CNIL, businesses might consider reviewing and reassessing their obligations under all international rules that may apply to their operations. In so doing, companies will reduce the risk of business interruption and minimize potential liability.

Cross-Border Data Transfers: Proposed Amendments to Cross-Border Transfer Provisions in Turkish Data Protection Law, Guidance from Hong Kong, and Québec’s Privacy Law Updates

Turkey’s data protection authority, the Kişisel Verileri Koruma Kurumu (KVKK), submitted a proposal (Proposal) on August 10, 2021, to amend the Law on Personal Data Protection numbered 6698 (LPDP). If adopted, the amendments would, among other things, create substantially more flexibility for Turkish companies to transfer personal data outside of the country in accordance with a cross-border transfer regime that more closely resembles the GDPR. The Proposal is currently under review by public institutions and associations, and has not yet been submitted to the National Assembly.

The Proposal would amend Article 9 of the LPDP, which provides that, absent a data subject’s consent, personal data may only be transferred pursuant to legal grounds to those countries where adequate measures are in place to protect data. Since the KVKK has not issued any list of adequate countries, this provision has significantly limited Turkish companies’ ability to transfer personal data across borders by obligating them to apply to the KVKK with an undertaking to obtain a permit or approval of Binding Corporate Rules (BCRs), processes which can take more than a year. In particular, this has resulted in Turkish companies having limited flexibility to implement technology infrastructure around the world.

The Proposal would significantly streamline the cross-border transfer process by allowing Turkish companies to export personal data pursuant to certain legal grounds upon issuance of an adequacy decision by Turkey’s data protection board (known as Kişisel Verileri Koruma Kurulu (Board)). In the event an adequacy decision has not been issued, Turkish companies would be able to transfer personal data based on (1) notification to the KVKK with a standard undertaking; (2) submission of a written agreement to the KVKK, including protective measures that will be applicable, and obtaining a permit; (3) approval of Binding Corporate Rules (BCRs), or (4) agreement between public entities and bodies in Turkey with compatible ones in the transferred country. These circumstances under which Turkish companies would be able to transfer data would supplement their ability to do so in other particular scenarios, such as obtaining a data subject’s explicit consent and executing the duties of state bodies or professional institutions with public duties.

In China, Hong Kong’s Privacy Commissioner for Personal Data (PCPD) recently published guidance (Guidance) on how businesses can interpret certain provisions related to cross-border transfers under China’s data protection law (known as the Personal Information Protection Law (PIPL)). As the PCPD notes, the PIPL—which became effective on November 1, 2021—can apply extraterritorially to Hong Kong businesses, particularly those that process personal data of individuals located in China. Importantly, the PCPD reaffirms that separate consent, one of the prerequisites for processors seeking to export personal data out of mainland China, must be obtained for each specific processing activity, meaning that “bundled consent given for multiple data processing activities may not be valid.” Moreover, the Guidance encourages businesses to rely on the Draft Measures on Security Assessment of Cross-border Data Transfer, which were published (but not yet finalized) by the Cyberspace Administration of China on October 29, 2021, when interpreting the PIPL. This suggests that companies should already be conducting self-assessments of the risk of cross-border transfers akin to a transfer impact assessment conducted under the GDPR. China is not the only country to implement these transfer-related assessments. Under Québec’s new privacy law, companies are required to conduct privacy impact assessments for data leaving Canada. 

In short, while Turkey has provided some relief to companies seeking to transfer data cross-border, most jurisdictions have implemented requirements or issued guidance suggesting companies be careful about the global nature of its data flows. Companies should act now to follow basic privacy principles globally, an approach that previously may have been Europe-focused, to avoid noncompliance, fines, and litigation.

© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.