Privacy and Data Protection Enactment and Enforcement Timelines During COVID-19
During COVID-19, in certain areas of the law, we have seen significant flexibility from regulators and government agencies in how they are addressing typical approval processes and/or compliance requirements. In the context of privacy and cybersecurity regulations, regulators are largely emphasizing that personal privacy and data security are more important now than ever. New information is being collected and used in new ways. Certain data security vulnerabilities may be more prevalent in this work-from-home environment.
The below summarizes the status of enactments, deadlines, and other public comments from regulators surrounding privacy and data security laws globally.
California Consumer Privacy Act (CCPA). CCPA became effective January 1, 2020. While the regulations are not yet final, the Attorney General is permitted to begin bringing enforcement actions on July 1, 2020. Despite urging from various coalitions and trade associations to delay enforcement, a statement from the AG’s office said that CCPA has been in effect since January 1, 2020 and that the agency is committed to enforcing the law starting July 1. The office also “encourage[s] businesses to be particularly mindful of data security in this time of emergency.”
23 NYCRR Part 500. Financial services companies subject to New York’s cybersecurity law typically must file a Certification of Compliance annually by April 15. DFS announced that it has extended its original deadline to June 1, 2020.
HIPAA. As we reported on in more detail here, HHS has released a limited waiver allowing for certain PHI disclosures, provided other requirements under the business associate agreement are still met, and the BA informs the covered entity within 10 days after the use or disclosure occurs.
Brazil’s Data Protection Law. Brazil’s first comprehensive data protection law – LGPD – was scheduled to become effective August 2020. In early April, the Brazilian Senate approved a bill which would delay the effective date of the law until January 2021. Under the bill, fines and sanctions for companies that fail to comply are now scheduled to become effective August 2021. The bill is now with the House of Delegates for consideration and, if approved, will be sent to the President to be signed into law.
Global Data Protection Regulation (GDPR). The EDPB has stated that businesses are not exempt from complying with the GDPR and ensuring the protection of personal data “even in these exceptional times.” While there has been nothing to signal that the requirements of the laws themselves should be lessened, certain regulators, such as the UK’s ICO, have signaled that when it comes to enforcement, they will take a pragmatic approach in the context of this crisis.
Putting it into practice. Organizations should continue to be mindful of the laws that govern the collection, use, and sharing of information both in the US and abroad. While these are extraordinary times, regulators are continuing to signal that privacy and data protection laws still apply (even if certain deadlines may be extended in particular circumstances). For organizations subject to CCPA, a reminder that the AG can consider activity as early as January 1, 2020 when it comes to enforcement.