The Public Policy Committee engages with government and support agencies across the globe and comments on issues that affect the industry’s ability to protect end-users. Members may be interested in the project mailing lists managed by this committee which are located at the Committee/SIGs page. All readers are encouraged to review published documents and comments on the Public Policy page which covers a broad range of policies.

UK-U.S. Data-Flows Agreement Announced

The UK government announced data privacy policy governing the sharing of UK citizens’ information with U.S. entities who are also signed on to the European Union–United States Data Privacy Framework (EU-U.S. DPF). The agreement, effective Oct. 12, 2023, creates a data bridge between the two countries and allows personal information to flow unfettered.

The agreement was moved forward under an assurance that adequate levels of data protection were in line with the UK’s General Data Protection Regulation (UK GDPR). Following Brexit, the UK introduced the UK GDPR as domestic law and added its own data transfer mechanisms. Those mechanisms created layers of legal and regulatory requirements that required navigating the International Data Transfer Agreement (IDTA), a UK version of the Standard Contractual Clauses.

Under the new agreement, which is a formal extension of the EU-U.S. DPF, a U.S. entity is not required to implement the UK’s IDTA if they have opted-in through the DPF. Notably, the UK-U.S. Data-Flows Agreement cannot be entered into separately from the DPF.  In cases where the U.S. entity is not participating in the DPF, the IDTA must be incorporated into commercial agreements or as a standalone agreement.

In June, the two countries reached an agreement in principle under The Atlantic Declaration: A Framework for a Twenty-First Century U.S.-UK Economic Partnership, but the actual implementation plan for data sharing was not finalized until mid-September.

California Legislature Passes Delete Act Regulating Data Brokers

The Delete Act (California Senate Bill 362, 2023-2024, Regular Session) was passed in the California State Legislature, allowing California citizens to make a single data deletion request that is binding on all data brokers registered in California. The bill awaits Gov. Gavin Newsom’s signature. Gavin’s administration has not indicated his intentions. The bill must be signed or vetoed by Oct. 14, 2023.

California Privacy Protection Agency Executive Director Ashkan Soltani said he anticipates Newsom to sign the bill. Thousands of often shadowy companies routinely traffic in the personal data of Californians. Everything from real-time location information to private financial details may be shared without agreement. Even if a citizen could identify these data brokers, there isn’t much to be done about their activities, even in California, which has some of the strongest digital privacy laws in the U.S.

The Latest Privacy Fines from U.S. State and Federal Regulators

• California Attorney General Rob Bonta announced a $93 million settlement with Google over claims against Google’s location privacy practices. The California Department of Justice determined Google deceived users by, “…collecting, storing, and using their location data for consumer profiling and advertising purposes without informed consent.” Google also agreed to additional measures, including providing users more information when enabling location-related settings, increasing transparency around location tracking and data collection, and notifying users that their location information may be used for ad personalization.
• California also announced a $49 million settlement with Kaiser Foundation Health Plan and Kaiser Foundation Hospitals over allegations that included unlawful deletion of patient’s personal data.
• The Federal Trade Commission fined background check providers TruthFinder and Instant Checkmate $5.8 million over alleged violations of the Fair Credit Reporting Act related to misrepresentations of personal data handling for credit reports.
• The Department of Health and Human Services’ Office for Civil Rights issued a $1.3 million fine to health plan provider LA Care for alleged violations of the Health Insurance Portability and Accountability Act Privacy, Security and Breach Notification Rules.

Public Policy Update for Canada

• The House of Commons of Canada passed the Digital Charter implementation Act (Bill C-27 with Explanatory Note) on second reading. The omnibus bill includes the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act. The bill has been referred to the Standing committee on Industry and Technology for further consideration.
• Protecting and Promoting Privacy in a Digital World,the Annual Report to Parliament on the Privacy Act and the Personal information Protection and Electronic Documents Act, was tabled in the Canadian Parliament on Sept. 19, 2023. The report highlights the work of the Office of Privacy Commissioner (Phillipe Dufresne) on key issues, including investigations, under both the Privacy Act, which applies to the public sector, and the Personal Information Protection and Electronic Documents Act, which applies to the federal private sector privacy law. Additional information can be found here.