PH Privacy
Timeline for Selected Global Privacy Compliance Activities in Light of COVID-19
April 17, 2020
Jacqueline Cooney, Daniel Julian, and Brianne Powers
Potential Delays in Privacy Legislation Effective & Enforcement Dates
As COVID-19 continues to disrupt business operations and compel a significant shift to a remote work environment for companies globally, both industry and government interests continue to consider – and selectively revise – their approach to the rapidly changing privacy landscape. Specifically, privacy-related legislation has become an increased point of focus, with various proposals to change the implementation and enforcement of certain jurisdictional deadlines.
Calls to Delay US Privacy Law Enforcement Deadlines
In the United States a broad coalition of industries – including telecommunications, retail, advertising, technology, and transportation – recently filed a letter with the Office of the Attorney General of California requesting a delay in the enforceability of the California Consumer Privacy Act (“CCPA”) from the current July 1, 2020, deadline, until January 2, 2021. The request was ultimately rejected by the California Office of the Attorney General.
In New York, the cybersecurity requirements of the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act became effective on March 21, right in the midst of the escalating COVID-19 pandemic. Privacy and legal groups have similarly asked the New York Attorney General to delay enforcement proceedings against businesses that may not be in compliance with the SHIELD Act. At this time, the New York Attorney General has not responded to the requests to delay enforcement of the SHIELD Act and it seems unlikely that enforcement will be formally put on hold.
However, as we have previously written, enforcement of the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has been relaxed in light of the COVID-19 pandemic. Further, the US Office of Management and Budget (“OMB”) has issued guidance encouraging government Privacy and Freedom of Information Act (“FOIA”) staff to work remotely, resulting in potentially significant delays in responding to these requests.
International Privacy Law Enforcement Deadlines
We separately have posted about how European Union regulators may react to COVID-19, with no apparent easing of privacy enforcement at present.
Elsewhere, on April 3, the Brazilian Senate approved a Bill of Law outlining emergency measures related to COVID-19. This included the postponement of enforcement of the Brazilian General Data Protection Law (“LGPD”). Based upon this legislation, the LGPD will become effective in January 2021 and enforceable after August 2021. Given the urgency of the emergency bill as it relates to COVID-19, it appears almost certain that it will be passed and will include the LGPD delay. As with the CCPA, however, several groups disagree with the proposed postponement and argue that Brazilian data subjects continue to have the imminent need for transparency when it comes to their information privacy.
We are continuing to watch how other international data protection laws may or may not be affected by the COVID-19 pandemic. For example, in India the Personal Data Protection Bill (“PDPB”) was introduced to Parliament in early December 2019 and was expected to be passed in 2020. At the end of March, however, the Joint Parliamentary Committee requested an extension for its report on the bill, which would delay the report and possibly the passing of the bill to the Monsoon Session of Parliament, which runs from July to September.
Similarly, the Personal Data Protection Act (“PDPA”) in Thailand became effective in May 2019 and is scheduled to become enforceable in May 2020. While there currently do not appear to be any plans for delays in enforcement, businesses operating in Thailand appear to be taking the PDPA even more seriously as the privacy implications of gathering and sharing COVID-19 information become apparent.
Finally, South Korea had recently taken steps to align its Personal Information Protection Act (“PIPA”), which has been in effect since 2011, with other data protection laws, including the European Union General Data Protection Regulation (“EU – GDPR”), by introducing amendments that were to become effective in June 2020. It remains to be seen how these amendments will be further debated and adopted.
Deadlines to Keep in Mind
While the respective legislative and judicial bodies continue to debate the pros and cons of delaying the effective and enforcement dates of the data protection laws, it is vitally important that, notwithstanding these potential delays, businesses continue their implementation of privacy-related compliance efforts as they relate to these applicable data protection laws. Implementation of privacy requirements not only will assist with companies’ compliance postures in the future, it also will assist in protecting the personal data they process as they continue to dedicate resources and focus on data protection.
Current Timeline for Enforcement of Global Privacy Laws
| Data Protection Law | Current Effective Date | Current Enforcement Date | Proposed Effective Date | Proposed Date for Enforcement Delay |
| --- | --- | --- | --- | --- |
| California Consumer Privacy Act (“CCPA”) | January 1, 2020 | July 1, 2020 | N/A | N/A – Requests to delay denied by California Office of the Attorney General |
| New York SHIELD Act (cybersecurity requirements) | March 21, 2020 | March 21, 2020 | N/A | TBD |
| EU – General Data Protection Regulation (“GDPR”) | May 28, 2018 | May 28, 2018 | N/A | N/A |
| Brazilian General Data Protection Law (“LGPD”) | August 2020 | August 2020 | January 2021 | August 2021 |

Other laws to watch: Personal Data Protection Bill (“PDPB”) – India; Personal Data Protection Act (“PDPA”) – Thailand; amendments to Personal Information Protection Act (“PIPA”) – South Korea
Paul Hastings’ Recommendations for Staying on Course for Privacy Compliance
The current environment, especially the increased collection and use of employee and consumer personal information stemming from the shift to an increased online presence both at work and at home, dictates increased vigilance in protecting consumer, employee, and business-sensitive information. Efforts, at the very least, to stay the course in advancing both the privacy and cybersecurity functions of the enterprise must remain at the forefront of business activities and investment. This is especially important as cyber-criminals may exploit this time of uncertainty to target businesses and gain access to critical information. While significant numbers of workforce members are working from home, a significant data breach can be exceedingly detrimental and further drain already taxed cybersecurity and incident response teams.
We recommend reviewing your current privacy and cybersecurity compliance activities now to ensure that your business is keeping on the same schedule as it was prior to COVID-19. Paul Hastings, LLP continues to assist clients in navigating the new and increasingly complex COVID-19 privacy and cybersecurity landscape including:
- Reviewing data security issues pertaining to telework, including review of policies and functionality of virtual private networks, videoconferencing security, remote access, employee monitoring, data loss prevention (see our prior guidance here and here);
- Conducting privacy and cybersecurity risk assessments and program development;
- Advising on the disclosure of health information in accordance with the Health Insurance Portability and Accountability Act of 1996 and applicable state health privacy laws (see our prior guidance here);
- Reviewing state information security laws or regulations concerning the safeguarding of personal information;
- Advising as to the permitted or required sharing of information with state and federal public health authorities;
- Monitoring of employee health information, including temperature, to prevent continued spread of COVID-19 through appropriate denial of entry to company offices or facilities;
- Drafting employee communications on COVID-19 exposure at a company’s office or facilities;
- Drafting employee and visitor questionnaires identifying travel history, health status and potential exposure to COVID-19;
- Review of mobile applications development to facilitate tracking of potential COVID-19 exposure;
- Drafting of contractual restrictions that apply to the use and disclosure of information related to COVID-19; and
- Providing guidance on international data transfer mechanisms to permit the legal transfer of personal information, including health information.
For more information on the legal implications of the COVID-19 pandemic, please review our Client Alerts.