Santa Clara University professor and privacy law expert Eric Goldman says CCPA enforcement should be delayed.

“The DOJ should relax the July 1, 2020 enforcement date. California has declared a state of emergency and is on indefinite lockdown due to COVID-19. This is not business as usual,” says Goldman.

“These circumstances significantly hamper businesses’ ability to respond to the constantly-changing requirements of the draft regulations. Due to illness or layoffs, some businesses will not have employees available to implement the new requirements. Furthermore, businesses across the state are under extreme financial stress due to the imminent state-wide economic depression; and many businesses have seen their customer base virtually dry up overnight, making it challenging for them to meet the expenses like rent and payroll needed to keep the lights on.”

“In the face of the unprecedented public health crisis, many businesses will need adequate time to manage the logistics, and absorb the expenses, of complying with the DOJ’s regulations.”

Read Eric Goldman’s full post.

Canada’s Office of the Privacy Commissioner weighs in on data processing under COVID-19:

“There are some circumstances under which organizations may collect, use or disclose personal information without consent, including:

  • Collection in the interests of the individual and consent cannot be obtained in a timely way, e.g. critical illness.
  • Collection and use for making a disclosure required by law, e.g. public health authority requires it.
  • Disclosure requested by a government institution under a lawful authority to obtain the information and is for the purpose of enforcing or administering any law of Canada or a province.
  • Disclosure made on the initiative of the organization to a government institution, which has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction, e.g. an individual is in contravention of an invoked quarantine order.
  • Disclosure for acting in respect of an emergency that threatens the life, health or security of an individual, e.g. an individual requires urgent medical attention, and they are unable to communicate.”

Read the full text of the guidance.

The European Data Protection Supervisor weighs the impact of COVID-19 on future data protection strategy and fundamental rights.

“Covid-19 is a game changer. Thinking about the EDPS’ strategy for the next five years, we have to look again at our text. Whatever happens in the next few weeks, we know the words will not be the same. We will all be confronted with this game changer in one way or another. And we will all ask ourselves whether we are ready to sacrifice our fundamental rights in order to feel better and to be more secure.”

“I am sure we are facing a new stage in the discussion about fundamental rights. In the next few months, we will need to find the time to reflect on the crucial principles that govern our interconnected lives.”

Read the full article from the EDPB.

Ireland’s Data Protection Commission weighs in on the issue of COVID-19 and data access requests:

“The Data Protection Commission acknowledges the significant impact of the Covid-19 health crisis which may affect organisations’ ability to action GDPR requests from individuals, such as access requests.

While the statutory obligations cannot be waived, should a complaint be made to the DPC, the facts of each case including any organisation specific extenuating circumstances will be fully taken into account.”

Organizations should:
  • communicate with individuals about the handling of their request, including any extension to the period for responding and the reasons for the delay.
  • consider whether it is possible to respond to requests in stages. For example, if hard copy records cannot be accessed, provide the requester with electronic records, with hard copies provided later.
  • communicate clearly.
  • engage with individuals in order to ensure that the request is as specific as possible in relation to the personal data sought.
  • ensure that the request is actioned as soon as possible.
  • document the reasons for not complying with timelines.

Read the full guidance.

Coronavirus and Data Protection: New York Department of Financial Services has extended the deadline for compliance with its cybersecurity requirements.

  • The Superintendent of Financial Services of the State of New York recognizes that COVID-19 may present compliance challenges for certain regulated entities and persons in meeting their legal obligations.
  • Therefore, the deadline for submission of Certifications of compliance with cybersecurity requirements, and transaction monitoring and filtering programs, is extended by 45 days from the original due date.
  • Several other deadlines were extended as well, but the extensions did not include the notification of a cybersecurity event within 72 hours.

In this, NYDFS joins many regulators in extending compliance deadlines for various laws in the wake of the COVID-19 crisis. Several U.S. states have also made resolutions to toll the statute of limitations.

This comes after requests have been made to the California Attorney General to take similar steps to extend the enforcement deadline for the California Consumer Privacy Act (CCPA) beyond July 1, 2020. Recently, it was reported that the AG’s office does not intend to delay enforcement at this time.

Should enforcement of the California Consumer Privacy Act be delayed?

The current outbreak of COVID-19 warrants delaying enforcement of California’s new privacy law to January 2021, dozens of organizations say in a letter sent this week to state Attorney General Xavier Becerra.

“Now is not the time to threaten business leaders with premature CCPA enforcement lawsuits,” the organizations write. “A temporary deferral in enforcement of the CCPA would relieve many pressures placed on organizations due to COVID-19 and would better enable business leaders to make responsible decisions that prioritize the needs and health of their workforce over other matters.”

“Developing innovative business procedures to comply with brand-new legal requirements is a formidable undertaking on its own, but it is an especially tall order when there are no dedicated, on-site staff available to build and test necessary new systems and processes,” the organizations write.

A number of EU data protection authorities, including the UK and Norway, have stated they would relax enforcement due to the crisis.

Details from Media Post.

Coronavirus and Data Protection guidance from the Catalan Data Protection Authority:

  • Under Articles 6.1.(e) and 9.2.(i) GDPR, health authorities may share health data when this is needed for reasons of public interest in the field of public health, such as protection against serious trans-boundary health threats, or to guarantee high levels of quality and safety of healthcare and of medicines or health products, on the basis of Union or Member State law.
  • Under Law 18/2009, public health employers who are aware of facts, data or circumstances that may constitute a serious risk or danger to the health of the population must inform the health authorities, who must ensure the protection due to personal data.

Read the full guidance.

The Czech Republic’s Data Protection Authority, Urad pro Ochranu Osobnich Udaju, provides its guidance on GDPR and COVID-19:

  • Public health authorities are authorized to process personal data to the extent and for the purpose laid down by Act No. 258/2000 on public health protection. This includes taking appropriate measures to reduce the spread of contagious disease such as informing the population by sending alerts and calls in the form of text messages.
  • Art 9 of GDPR allows processing of health data which is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border health threats.
  • Public or private entities that are required to follow the coronavirus measures should follow the guidelines and recommendations of the competent authorities. For personal data controllers, whether in the private or public sector, this means complying with applicable regulations, including current emergency measures of the Government of the Czech Republic and other central authorities, and processing or transferring personal data only in accordance with the regulations.

Read the complete guidance.

Following a series of opinions from individual nations’ Data Protection Authorities, the European Data Protection Board (EDPB) has issued long-awaited guidance on compliance with the General Data Protection Regulation under the strain of a pandemic.

The EDPB does not go into detail regarding legal bases but states that:

  • GDPR does not get in the way of fighting the global pandemic.
  • Transparency, proportionality and adequate protections are key.
  • Mobile device tracking should not be the first option and, if used, should be proportionate and highly scrutinized.

Read my detailed analysis of the guidance.

The Austrian Data Protection Authority weighs in on Coronavirus and GDPR:

  • Employers may collect the personal contact information of employees for the purpose of efficient communication during the pandemic. This information may not be used for any other purpose and must be deleted after the pandemic is over.
  • Collecting this information is permissible under Art. 6(1)(c), (d) and (f) GDPR and is subject to providing a notice of processing under Art. 13 GDPR.
  • The legitimate interest in question is (a) the reduction of an employee’s health risks in the workplace and (b) the containment of the spread of infection.
  • AT provides a sample notice to employees and a sample Art 13 notice with respect to this processing.

Read the full text of the guidance.