Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource (https://privacymatters.dlapiper.com/category/uncategorized/)

China: CAC publishes official Q&As for cross-border data transfer regulation
https://privacymatters.dlapiper.com/2025/04/china-cac-publishes-official-qas-for-cross-border-data-transfer-regulation/
Tue, 22 Apr 2025 08:47:02 +0000

The Cyberspace Administration of China (CAC) released an important Q&A on cross-border data transfer requirements and policies in early April, providing clarification on a number of issues of concern to companies in China. Key points include:

Data other than important data and personal data can flow freely across borders. The Q&A emphasizes that, in principle, the requirements of Chinese law are intended to ensure the security and free flow of data. They apply only to personal data and important data because the transfer of such data outside of China may affect national security and public interests.

The methodology for assessing the necessity of transferring personal data outside China has been further elaborated. The CAC will consider whether there is a necessity for the transfer itself, the types of data subjects involved, and the categories of personal data transferred (each an “assessed factor”). The necessity test is satisfied with respect to an assessed factor if (i) the data to be transferred are directly related to, limited to the minimum necessary for, and retained only for the time required to achieve the purposes of the processing, and (ii) the processing has a minimal impact on the data subjects concerned. Thus, the context of the transfer is very important. The Chinese authorities will formulate sector-specific guidance to assist companies in assessing necessity in different transfer contexts.

Important data can be transferred outside of China if a security assessment shows that the transfer will not endanger national security or public interests. As of March 2025, the central CAC had completed security assessments for 44 applications to transfer important data outside of China. Seven of the 44 applications failed the assessment, a failure rate of 15.9% at the application level. Those 44 applications covered 509 important data fields, of which 325 were approved for transfer after assessment, a success rate of 63.9% at the data-field level.

As to the scope of important data, the Q&A provides that companies may identify the important data they process in accordance with the national standard GB/T 43697-2024 (Data Security Technology: Rules for Data Classification and Grading), Appendix G (Guidelines for Identifying Important Data), and report the identification results to the relevant authorities. At the same time, the Q&A restates and emphasizes that companies need not make a security assessment application for transferring important data outside of China unless they have been notified by the authorities that the data they process is important data, or the data has been included in a published important data catalogue.

There are certain convenient channels that multinational groups may consider to legitimize their intra-group transfers. For example, if several Chinese affiliates are transferring data outside of China in the same or similar patterns, they may choose a representative and make a filing or application on a group basis. If the transfers are more complex, the group affiliates, both inside and outside China, may consider applying for a transfer compliance certificate to cover all intra-group transfers. This certificate will exempt the covered affiliates from the requirement to sign stand-alone bilateral Standard Contractual Clauses (SCCs).

More flexible transfer arrangements will be made available to companies registered in free trade zones (FTZs). At present, the FTZs in Tianjin, Beijing, Hainan, Shanghai, Zhejiang and other places have published negative lists covering cross-border data transfers in 17 sectors, such as automobiles, medicine, retail, civil aviation, reinsurance, deep-sea industry and seed industry. Transfers covered by the negative lists can be exempted from the requirements of signing SCCs, making filings, or obtaining government approvals. More importantly, according to the Q&A, if one FTZ has already published a negative list for the same sector, the other FTZs can directly refer to and implement it. This means that companies registered in different FTZs may be able to benefit from the same policy.

Overall, this Q&A has sent a positive signal. After completing the necessary compliance actions, companies can transfer personal data and important data outside of China to carry out legitimate intra-group management and international business activities. The Chinese authorities are committed to further clarifying the rules and providing flexible arrangements for data transfers. As relevant guidelines and standards continue to be issued, “no clear rules” will no longer be a reasonable excuse. For companies that have not yet taken steps to address cross-border data transfers, we recommend that they plan and begin this work as soon as possible.

US: Executive Order on federal agencies
https://privacymatters.dlapiper.com/2025/02/executive-order-on-federal-agencies/
Thu, 27 Feb 2025 23:36:19 +0000

This article was originally posted to our Market Edge blog.

By Era Anagnosti, Brent Bernell, Daniel Caprio, Steven Phillips, Andrew Serwin, and John Gevertz

On February 18, 2025, President Donald J. Trump signed Executive Order 14215, “Ensuring Accountability for All Agencies” (the EO), which asserts greater presidential authority over all federal agencies, including those established by Congress as independent from direct presidential control. The EO specifically lists the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), the National Labor Relations Board (NLRB), and the Federal Reserve Board as relevant agencies.

The EO could lead to delays, if not cancellations, of pending and proposed regulations at those agencies. At a minimum, it introduces uncertainty, because it newly subjects all of their “significant regulatory actions” to White House review. Moreover, the EO reflects an intent, or at least represents an effort, to fundamentally change the current regulatory environment.

Specifically:

  • The EO asserts that Article II of the US Constitution vests all executive power in the President, meaning that all executive branch officials and employees are subject to the President’s supervision and control.
  • The EO declares that all agencies must submit draft regulations for White House review – with no carve-out for so-called independent agencies, except for the monetary policy functions of the Federal Reserve.
  • The EO further provides that agencies must consult with the White House on their priorities and strategic plans, and that the White House will set their performance standards, with the Office of Management and Budget adjusting the agencies’ funding apportionments to ensure tax dollars are spent in a manner that is consistent with White House priorities.
  • The President and the Attorney General (subject to the President’s supervision and control) will interpret all applicable law for the executive branch. Instead of interpreting their own enabling legislation, agencies must accept the Justice Department’s and White House’s interpretation as binding.

The EO follows the firing of the leaders of some of the independent agencies – in apparent contravention of the statutes that bar their dismissal without cause before the expiration of their terms. A number of those dismissals are currently being challenged in various federal courts.

While the EO purports to limit the independence of the agencies even in their areas of expertise, the Supreme Court’s Loper Bright decision last year had already ended the courts’ deference to agency expertise. In a 6-3 decision in Loper Bright, the Court overruled the Chevron doctrine, under which courts deferred to a reasonable interpretation by the agency charged with implementing a statute where that statute was ambiguous or had not addressed the precise question at issue. It remains to be seen whether the courts will accept the EO’s assertion that the White House and the Attorney General are the sole and final arbiters of the meaning of laws passed by Congress.

The independence of the FTC, FCC, and SEC has been eroded over the past two decades by various EOs and executive branch actions. For example, the Biden Administration’s EO 14036 of 2021, “Promoting Competition in the American Economy,” established a “whole-of-government effort to promote competition in the American economy” by encouraging stronger enforcement of antitrust law. That EO directed more than a dozen federal agencies, including the FTC, to take action on 72 separate initiatives identified by the Biden Administration as beneficial for curbing anti-competitive practices, and it established the White House Competition Council, a fifteen-member committee led by the National Economic Council. Similarly, in 2015, President Barack Obama called on the FCC to adopt the strongest possible rules to protect net neutrality, the principle that internet service providers (ISPs) should treat all internet traffic equally. The FCC then voted along party lines in favor of strong net neutrality rules to keep the internet open and free.

Still, the 2025 EO marks an unprecedented shift with its explicit assertion of control over executive branch agencies – which may increase the likelihood of legal challenges and the potential for a Congressional response, given that agencies such as the FTC, FCC, and SEC were created as independent agencies by Congress.

In recent years, rulings from the Supreme Court have cabined agency authority. Notably, the Court’s ruling in Loper Bright Enterprises v. Raimondo, 603 US 369 (2024), overruled the Chevron deference doctrine, which required courts to defer to an agency’s reasonable interpretation of an ambiguous provision it is charged with implementing. The Supreme Court held that “courts, not agencies, will decide all relevant questions of law arising on review of agency action” and expressly stated that there was to be “no deferential standard for courts to employ in answering those legal questions.” Loper Bright applies equally to all agencies, including agencies like the SEC, FTC, and FCC that are charged with interpreting particularly technical statutes in policy-laden areas of regulatory law.

In combination, Loper Bright and the EO, which challenges the agencies’ independence, usher in a new era of regulation of American businesses at a time when technology and the economy are rapidly growing more complex. In this new era, uncertainty for businesses may increase as the authority to interpret governing law shifts away from the institutions with the highest levels of technical expertise. At the same time, businesses have more opportunities than before to challenge proposed rules and final regulations that are adverse to their interests, by bringing their concerns to the attention of the White House and, if the rules are promulgated, challenging them in court.

It remains to be seen how this EO will be implemented and how either the courts or Congress will respond. However, at minimum, absent a court order barring its implementation, it is likely that the EO will delay pending rulemakings, including the FTC’s privacy “surveillance rule” launched during the Biden Administration.

There are many unanswered questions as to the impact of this EO, and DLA Piper is prepared to advise companies as they navigate through this uncharted territory.

Hong Kong: A Practical Guide to the Proposed Critical Infrastructure Cybersecurity Legislation
https://privacymatters.dlapiper.com/2024/08/hong-kong-a-practical-guide-to-the-proposed-critical-infrastructure-cybersecurity-legislation/
Tue, 13 Aug 2024 08:41:12 +0000

Hong Kong is following other jurisdictions, including Mainland China, Singapore and the UK, in proposing to enhance cybersecurity obligations on the IT systems of those operating critical infrastructure (“CI”). While the proposed new law, tentatively entitled the Protection of Critical Infrastructure (Computer System) Bill (the “proposed legislation”), is still at an early stage and subject to change, it is sensible for those organisations potentially caught by these additional cybersecurity obligations, and their service providers, to start planning. To this end, below is a practical guide to the proposed legislation.

  1. What is the primary goal of the proposed legislation?

The proposed legislation, as set out in the paper submitted by the Hong Kong Government to the Legislative Council Panel on Security on 25 June 2024, aims to enhance the security of those Hong Kong CIs that are necessary to maintain the “normal functioning” of Hong Kong society and people’s lives, by minimising the chance of essential services being disrupted or compromised by cyberattacks.

  2. Who and what will be captured by the proposed legislation?

The proposed legislation would regulate only CI operators (“CIOs”) in respect of their critical computer systems (“CCSs”). Similar to the helpful approach in Mainland China, both CIOs and CCSs will be expressly designated by a new Commissioner’s Office to be set up (or, as explained in Question 6 below, by the Designated Authorities for certain groups of organisations). This will ultimately remove uncertainty around whether or not a given organisation is a CIO, and which of its systems fall within the CCS framework. However, until such designations are made by the relevant authorities, significant uncertainty remains for organisations that may not obviously fall within the definition, especially technology companies.

Designation of CIOs

Under the proposed legislation, an organisation would be designated as a CIO if it were deemed responsible for operating an infrastructure that the Commissioner’s Office determines to be a CI, taking into account the organisation’s level of control over the infrastructure. It is proposed that CIs cover the following two categories:

  • infrastructures for delivering essential services in Hong Kong, i.e. infrastructures of the following eight sectors: energy, information technology, banking and financial services, land transport, air transport, maritime, healthcare services, and communications and broadcasting (“Essential Service Sectors”); and
  • other infrastructures for maintaining important societal and economic activities, e.g., major sports and performance venues, research and development parks, etc.

When deciding whether an infrastructure within the scope of the two categories above constitutes a CI, the Commissioner’s Office would take into account:

  • the implications on essential services and important societal and economic activities in Hong Kong in case of damage, loss of functionality, or data leakage in the infrastructure concerned;
  • the level of dependence on information technology of the infrastructure concerned; and
  • the importance of the data controlled by the infrastructure concerned. 

The Government has also emphasised that CIOs will mostly be large organisations, and that the legislation will not affect small and medium enterprises or the general public.

The list of the designated CIOs will not be made public to prevent the CIs from becoming targets of cyberattack.

Designation of CCSs

The proposed legislation would only require CIOs to take responsibility for securing the expressly designated CCSs. Systems operated by CIOs but not designated as CCSs would not be regulated by the proposed legislation.

The Commissioner’s Office would only designate as CCSs the computer systems which:

  • are relevant to the provision of essential services or to the core functions of the CI concerned; or
  • will seriously impact the normal functioning of the CIs if interrupted or damaged.

Importantly, computer systems physically located outside of Hong Kong may also be designated as CCSs.

  3. Would organisations have opportunities to object to CIO or CCS designations?

Yes. Under the proposed legislation, before making CIO or CCS designations, the Commissioner’s Office will communicate with organisations that are likely to be designated, with a view to reaching a consensus on the designations. This is helpful, but adds to the recommendation that those potentially caught as a CIO should start planning now to be ready to put forward a clear, reasoned view on whether or not they – and/or all of their systems – should be designated.

After a CIO or CCS designation is made, any operator who disagrees with such designation can appeal before a board comprising computer and information security professionals and legal professionals, etc.

  4. What are the obligations of CIOs?

Statutory obligations proposed to be imposed on CIOs under the proposed legislation are classified into three categories:

  • Organisational:
    • provide and maintain address and office in Hong Kong (and report any subsequent changes);
    • report any changes in the ownership and operatorship of their CIs to the Commissioner’s Office;
    • set up a computer system security management unit, supervised by a dedicated supervisor of the CIO;
  • Preventive:
    • inform the Commissioner’s Office of material changes to their CCSs, including those changes to design, configuration, security, operation, etc.;
    • formulate and implement a computer system security management plan and submit the plan to the Commissioner’s Office;
    • conduct a computer system security risk assessment at least once every year and submit the report;
    • conduct a computer system security audit at least once every two years and submit the report;
    • adopt measures to ensure that their CCSs still comply with the relevant statutory obligations even when third party services providers are employed;
  • Incident reporting and response:
    • participate in a computer system security drill organised by the Commissioner’s Office at least once every two years;
    • formulate an emergency response plan and submit the plan; and
    • notify the Commissioner’s Office of the occurrence of computer system security incidents in respect of CCSs within (a) 2 hours after becoming aware of serious incidents and (b) 24 hours after becoming aware of other incidents.

  5. What would be the offences and penalties under the proposed legislation?

The offences under the proposed legislation include CIOs’ non-compliance with:

  • statutory obligations;
  • written directions issued by the Commissioner’s Office;
  • investigative requests of the Commissioner’s Office; and
  • requests of the Commissioner’s Office for relevant information relating to a CI.

The penalties for these offences would consist exclusively of fines. The level of fines would be determined by the courts, with maximum fines ranging from HK$500,000 to HK$5 million. For certain offences, persistent non-compliance would result in additional daily fines of HK$50,000 or HK$100,000 per day.

It is noteworthy that a CIO will still be held liable for the non-compliance with its statutory obligations if the non-compliance is caused by a third-party service provider. As such, service providers should also start planning now as to whether or not their customer base may be designated CIOs and, if so, what consequences this may have on contractual service obligations, incident notification obligations, security standards/specifications, SLAs, powers of investigation/inspection (including by regulators) and liability/indemnity provisions (including financial caps and exclusions). We anticipate CIOs will expect higher standards from their service providers in advance of the new regulations being introduced.

  6. Which authorities would enforce the proposed legislation, and what would their powers be?

Commissioner’s Office

A Commissioner’s Office is proposed to be set up under the Security Bureau to implement the proposed legislation, headed by a Commissioner appointed by the Chief Executive. Its powers would include:

  • designating CIOs and CCSs;
  • establishing a Code of Practice for CIOs;
  • monitoring computer system security threats against CCSs;
  • assisting CIOs in responding to computer system security incidents;
  • investigating and following up on non-compliance of CIOs;
  • issuing written instructions to CIOs to plug potential security loopholes; and
  • coordinating with various government departments in formulating policies and guidelines and handling incidents.

Among these powers, the most significant might be the investigative powers granted to the Commissioner’s Office. Specifically, in respect of investigations on security incidents, the Commissioner’s Office would have, among others, the powers to:

  • question and request information from CIOs;
  • direct CIOs to take remedial actions; and
  • check the CCSs owned or controlled by CIOs with their consent or with a magistrate’s warrant.

In respect of investigations on offences, it would have the powers to:

  • question and request information from any person who is believed to have relevant information in his or her custody; and
  • enter premises and take possession of any relevant documents with a magistrate’s warrant.

From a service provider perspective, these powers will likely extend – either directly or more likely via contractual flow down – from CIOs to their service providers. As such, again service providers may need to revisit their customer contracts in this regard.

Designated Authorities

Existing regulators of certain Essential Service Sectors which already have a comprehensive regulatory framework, such as a licensing regime in the financial services and telecoms sectors, may be designated as designated authorities (“Designated Authorities”) under the proposed legislation. The Designated Authorities would be responsible for designating CIOs (and CCSs) among the groups of organisations under their supervision and for monitoring such CIOs’ compliance with the organisational and preventive obligations. It is currently proposed to designate the Monetary Authority and the Communications Authority as the Designated Authorities for the banking and financial services sector and the communications and broadcasting sector respectively. The Commissioner’s Office, on the other hand, would remain responsible for overseeing the incident reporting and response obligations of such CIOs, and would retain the power to issue written directions to them. It is hoped that the practical interaction between the Designated Authorities and the Commissioner’s Office will be clearly defined before the new framework is finalised.

  7. How does the proposed legislation compare to critical infrastructure cybersecurity laws in other jurisdictions?

In formulating the proposed legislation, the government made reference to the legislation of other jurisdictions on critical infrastructure protection, including the United Kingdom, Australia, the United States, the European Union, Singapore, Mainland China and Macao SAR. For instance, the designation-based framework envisaged by the legislation mirrors Australia’s regulatory approach to systems of national significance under the Security of Critical Infrastructure Act 2018. Moreover, many obligations of the CIOs, such as those in respect of security risk assessments, audits and drills, have corresponding counterparts in the cybersecurity legislation of jurisdictions like Mainland China and Singapore. The investigative powers of the regulator to request information, access documents and enter premises can also be found in foreign legislation, including the UK’s Network and Information Systems Regulations 2018 and Singapore’s Cybersecurity Act 2018.

There are, however, technical nuances between similar mechanisms under the proposed legislation and existing laws in other jurisdictions. For instance, the proposed legislation requires organisations to report non-serious security incidents within 24 hours of becoming aware of them, providing greater flexibility compared to Singapore’s requirement of reporting all security incidents affecting critical information infrastructure within two hours of awareness.  

  8. What are the next steps for the proposed legislation?

The proposed legislation is expected to be tabled in the Legislative Council by the end of 2024. Once passed, the Commissioner’s Office will be established within a year, and the law will come into effect around six months thereafter. This, therefore, gives a critical planning period until mid-2026 for organisations which may be designated CIOs and their services providers.

  9. What must organisations do in light of the proposed legislation?

It is hoped that the uncertainty around some critical issues, including the scope of the Essential Service Sectors (particularly the information technology sector), the specific criteria for distinguishing CIs within the Essential Service Sectors, and the threshold for “serious” security incidents, will be resolved as the proposed legislation passes through the public consultation and the usual legislative process.

Organisations should closely monitor the development of the proposed legislation; develop an internal position on whether they (or, in the case of service providers, their customers) are likely to be designated as CIOs and which of their systems are likely to be designated as CCSs; prepare to advocate for that position once the designation communications commence; and review and update their cybersecurity measures, procedures and contracts accordingly.

EU: European Supervisory Authorities issue second batch of technical standards under DORA
https://privacymatters.dlapiper.com/2024/07/eu-european-supervisory-authorities-issue-second-batch-of-technical-standards-under-dora/
Thu, 18 Jul 2024 13:03:28 +0000

On 18 July 2024, the European Supervisory Authorities (“ESAs”) published the final versions of the second batch of their draft regulatory technical standards (RTS) and implementing technical standards (ITS) developed under the Digital Operational Resilience Act (DORA), as well as two sets of Guidelines.

Summary of draft regulatory technical standards and implementing technical standards

  1. Final draft RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats

DORA requires a financial entity to report major ICT-related incidents to the relevant competent authority. In addition, financial entities may, on a voluntary basis, notify significant cyber threats.

In summary these RTS cover:

  • the content of the reports to be submitted for major ICT-related incidents, as well as the standard forms and templates for the reports
  • the time limits for reporting these incidents to the competent authority, and
  • the form and content of the notification for significant cyber threats.

The RTS setting out the criteria for classifying major ICT-related incidents and significant cyber threats came into effect earlier this week.

  2. Final draft RTS on threat-led penetration testing (“TLPT”)

DORA sets out requirements for the security of network and information systems of financial entities and of the critical third parties providing ICT services to them. This includes an obligation on in-scope financial entities to conduct advanced testing by means of TLPT at least every 3 years.

In summary these RTS include:

  • the criteria used for identifying those financial entities required to perform TLPT
  • the requirements and standards governing the use of internal testers
  • the requirements in relation to the scope of TLPT, testing methodology and approach for each phase of the testing process, and
  • the type of supervisory and other relevant cooperation needed for the implementation of TLPT and for the facilitation of mutual recognition of that testing.

  3. Final draft RTS on the harmonisation of conditions enabling the conduct of the oversight activities

Under DORA, each critical ICT third-party service provider (“CTPP“) will have a designated ‘Lead Overseer’, who will be one of the three European Supervisory Authorities. DORA grants powers to the Lead Overseer in exercising oversight of CTPPs.

In summary these RTS include:

  • the content and format of the information to be submitted by CTPPs that is necessary for the Lead Overseer to carry out its duties (including the template for providing information on subcontracting arrangements), and
  • the information to be provided by an ICT third-party service provider in the application for a voluntary request to be designated as critical.

  4. Final draft RTS specifying the criteria for determining the composition of the joint examination team

The Lead Overseer mentioned above will be assisted in its oversight activities by the ‘joint examination team’ or “JET”. These RTS set out the criteria for determining the composition of the JET and specify its tasks and working arrangements. The JET will be comprised of staff members from the ESAs and competent authorities who have expertise in ICT matters and operational risks – these RTS are intended to ensure a balanced participation of staff members from those different organisations.

Summary of Guidelines

In addition to the above, the ESAs have issued two sets of Guidelines:

  1. Joint Guidelines on the estimation of aggregated costs and losses caused by major ICT-related incidents

If requested by a competent authority, a financial entity will have to report an estimation of aggregated annual costs and losses caused by major ICT-related incidents. These Guidelines propose how a financial entity should estimate the annual costs and losses, and which figures to use for the estimation. The ESAs have previously stated that they will apply the same approach as that adopted for assessing costs and losses under other DORA RTS.

  2. Joint Guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities

The ESAs and competent authorities have received new roles and responsibilities as part of DORA’s pan-European oversight framework. These Guidelines are intended to ensure a consistent supervisory approach, including a coordinated approach to the oversight of CTPPs.

The Guidelines cover cooperation and information-sharing between the ESAs and competent authorities, including how they will allocate tasks between them and what information competent authorities will need in order to follow up on any recommendations addressed to CTPPs in their territory.

Next steps

The final draft RTS and ITS have been submitted to the European Commission for review and adoption, subject to any changes the Commission may choose to make. The Joint Guidelines have been adopted already by the Board of Supervisors of the three ESAs.

A notable omission is the RTS on subcontracting, which specify what a financial entity must take account of when allowing the subcontracting of ICT services that support critical or important functions. The ESAs have stated that those RTS will be published ‘in due course’.

For further information or if you have any questions, please get in touch with your usual DLA contact.

UK: Changes to UK surveillance and communications law: the Investigatory Powers (Amendment) Act 2024
https://privacymatters.dlapiper.com/2024/07/uk-changes-to-uk-surveillance-and-communications-law-the-investigatory-powers-amendment-act-2024/ (Mon, 01 Jul 2024)

The UK has made several consequential amendments to its primary electronic surveillance law, the Investigatory Powers Act (“IPA”). These changes have the potential to impact the development of certain privacy-enhancing services by technology companies, whilst also widening the scope of the government’s access to certain electronic datasets. There is also the possibility of an impact on the UK’s ‘adequacy’ status under the EU GDPR.

Background

The Investigatory Powers (Amendment) Act 2024 (“IP(A)A”) amends the IPA, which governs the use and oversight of investigatory powers by law enforcement and the security and intelligence agencies. The IPA impacts private sector technology companies who provide electronic communications services which can be subject to surveillance using the powers granted under the IPA.

The IP(A)A was one of the final pieces of legislation to be passed by the Conservative government prior to the dissolution of parliament for the 4 July general election, receiving royal assent on 25 April 2024. It is the product of a government review into the effectiveness of the IPA, which entered into force in 2016. That review concluded that changes to the IPA were needed in order to “modernise and update the legal framework surrounding investigatory powers to ensure the security and intelligence agencies, and law enforcement can continue to exercise the capabilities they need to maintain public safety and protect the public from terrorism, and serious crime”.[1]

Key changes

The following is a summary of the key changes brought in by the IP(A)A, with a focus on those likely to be of relevance to the private sector:

Companies now required to notify the Government of planned changes in functionality.

The IP(A)A introduces a new power for the Secretary of State to require companies providing communications products or services to notify the government in advance of any planned changes to those services or their functionality[2].

The purpose of this amendment is to prevent technological changes – such as the introduction of end-to-end encryption – from having a negative effect on the powers and capabilities of the police and intelligence services, for example by preventing them from accessing the capabilities and communications-related data needed to prevent crime and protect national security. The notification requirement is focused on changes that would prevent the police and intelligence services from lawfully accessing data, where this outcome can be “reasonably anticipated by the operator, even if this is not the primary motivation.”[3]

The government will use secondary legislation to specify the changes in functionality caught by the requirement[4], as well as the threshold that will be used by the Secretary of State to define the specific factors that must be considered before issuing a notice[5]. Security patches will remain out of scope.

Notably, the amendment does not give the Secretary of State any specific powers to intervene regarding any changes or provide their consent to the change[6].

Nevertheless, companies may have concerns about the need to share commercially sensitive information with the government (taking into account, amongst other factors, freedom of information rights in the UK), as well as longer term impacts on the ability to protect user privacy through the planned technological changes.

Retention of low sensitivity data.

Intelligence agencies routinely utilise ‘bulk personal datasets’ as part of their investigations. These are databases of personal information about large numbers of people, for example an electoral register, telephone directories or travel-related data[7].

The IP(A)A creates a new, light-touch regime for the retention and examination of bulk personal datasets where “the individuals to whom the personal data related to could have no, or only a low, reasonable expectation of privacy in relation to this data.”[8] Going forward, intelligence agencies will no longer be required to obtain a warrant prior to retaining such data. Instead, only the approval of a Judicial Commissioner (a serving or retired judge) will be required[9]. In determining whether the data is low sensitivity, the factors to be considered under the IP(A)A are[10]:

  • The nature of the data;
  • The extent to which the data has been made public by the individuals or whether the individuals have consented to the data being made public;
  • If the data has been published, the extent to which it was published subject to editorial control or by a person acting in accordance with professional standards;
  • If the data has been published or is otherwise in the public domain, the extent to which the data is widely known about;
  • The extent to which the data has already been used in the public domain.

The Home Office states that, regarding their objectives, the “intelligence services are not interested in examining data that is not operationally relevant, but in finding ways to identify the specific threat in vast quantities of data.”[11]

A ‘reasonable expectation of privacy’ is a turn of phrase that readers may be familiar with from UK privacy law, and specifically the tort of misuse of private information, which has developed over the last 20 years out of the UK’s commitment to the right to a private and family life under the European Convention on Human Rights (ECHR). A similar set of factors has been cited by the courts in misuse of private information cases.

Impact on data protection adequacy

Under the EU GDPR, the European Commission uses an adequacy decision to determine whether another country provides an equivalent level of data protection to the EU. Where an adequacy decision is granted, personal data may flow freely to that country without any legal restrictions.

In June 2021, the EU Commission published two decisions regarding the UK’s adequacy (one under the EU GDPR, and one under the Law Enforcement Directive in respect of the processing of law enforcement data). As these decisions expire in June 2025, the Commission will work later in 2024 to assess whether to extend the adequacy decisions[12].

The IP(A)A is likely to be scrutinised closely by the Commission as part of this review. The IPA was a relatively new framework at the time of the original adequacy decisions and largely received a positive assessment from the Commission. However, as some of the changes under the IP(A)A – including those highlighted above – can be interpreted as reducing privacy protections, there is a risk that the Commission will view the amended framework in a different light.


[1] Annex A, IPA 2016 impact assessment (publishing.service.gov.uk)

[2] Investigatory Powers (Amendment) Act 2024, s.258A(1).

[3] Investigatory Powers (Amendment) Bill: Notification Requirement (26/04/24)- GOV.UK (www.gov.uk)

[4] Changes to the UK investigatory powers regime receive royal assent | Inside Global Tech

[5] Investigatory Powers (Amendment) Bill: Notification Requirement (26/04/24)- GOV.UK (www.gov.uk)

[6] Investigatory Powers (Amendment) Bill: Notification Requirement (26/04/24)- GOV.UK (www.gov.uk)

[7] Bulk data | MI5 – The Security Service

[8] Investigatory Powers (Amendment) Act 2024, s.226A(1).

[9] Investigatory Powers (Amendment) Act 2024, s.226B(5).

[10] Investigatory Powers (Amendment) Act 2024, s.226A(3).

[11] Investigatory Powers (Amendment) Bill: Bulk Personal Datasets and Third-Party Bulk Personal Datasets (26/04/2024) – GOV.UK (www.gov.uk)

[12] Adequacy | ICO

US: CCPA and California Privacy Protection Agency Updates: 2024 to Date
https://privacymatters.dlapiper.com/2024/04/ccpa-and-california-privacy-protection-agency-updates-2024-to-date/ (Wed, 24 Apr 2024)

The California Privacy Protection Agency (“CPPA”) has been active since the start of the year. In this blog post we summarize some key activities of the CPPA to date in 2024, including:

  • On April 2, 2024, the CPPA Enforcement Division issued its inaugural advisory, emphasizing the importance of data minimization.  (Read more about the enforcement advisory below.)
  • In March 2024, the CPPA’s March Board Meeting included several notable developments, including:
    • Draft proposed regulations on risk assessments and automated decision-making technology.
    • Draft updates to existing CCPA Regulations, including updates to the definition of sensitive personal information and requirements relating to verifying and denying consumer requests.
    • A summary of the CPPA’s enforcement priorities for 2024, which include privacy notices, right to delete issues, and the processing of consumer requests.
    • A report on the number of complaints received by the CPPA since July 2023.
    (Read more about the March 2024 Board Meeting below.)
  • On February 9, 2024, the CPPA won its appeal of a lower court ruling that delayed for one year the enforcement of the updated CCPA Regulations, implemented pursuant to the California Privacy Rights Act of 2020.
  • In January 2024, the CPPA launched https://privacy.ca.gov, a new online resource on California privacy rights for consumers.

In 2024, the CPPA has also weighed in on proposed federal and state privacy legislation, issuing a statement heavily critical of the federal American Privacy Rights Act legislation, and strongly supporting California’s AB 3048, which would expand business requirements regarding privacy preference and opt out signals.

CPPA Enforcement Advisory on Data Minimization

On April 2, 2024, the CPPA issued its inaugural enforcement advisory under the California Consumer Privacy Act (“CCPA”), which focused on the need for businesses to apply data minimization principles across their processing activities and their processing of consumer privacy requests, emphasizing:

Data minimization is a foundational principle in the CCPA. Businesses should apply this principle to every purpose for which they collect, use, retain, and share consumers’ personal information.

The CPPA also observed that:

[C]ertain businesses are asking consumers to provide excessive and unnecessary personal information in response to requests that consumers make under the CCPA.

As one of many core principles of the CCPA, data minimization requires businesses to restrict the processing of personal information to that which is “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”[1]

Regulations issued pursuant to the CCPA expand on this principle, stating the necessary and proportionate assessment should be based on the following:

  1. The minimum personal information that is necessary to achieve the purpose identified, as disclosed to the consumer;
  2. The possible negative impacts on consumers posed by the business’s collection or processing of personal information; and
  3. Additional safeguards used by the business to address the possible negative impacts on consumers.[2]

Data Minimization in Verifying Consumer Requests. When responding to consumer requests, the CCPA requires businesses to verify that the person making a request to delete, correct, or know is the consumer about whom the business has collected personal information.

The CCPA prohibits businesses from requiring a consumer to verify their identity to make a request to opt-out of the sale/sharing of personal information or to limit use and disclosure of sensitive personal information; however, the business may ask the consumer for information necessary to complete the request.

The CCPA regulations provide businesses with guidance in determining the method by which the business will verify the consumer’s identity:

  1. Whenever feasible, match the identifying information provided by the consumer to the consumer’s personal information the business already maintains, or use a third-party identity verification service;
  2. Avoid collecting certain types of personal information (such as Social Security number, driver’s license number, financial account numbers, or unique biometric data), unless necessary for the purpose of verifying the consumer; and
  3. Consider the following factors, including (i) the type, sensitivity, and value of the personal information collected and maintained about the consumer; (ii) the risk of harm to the consumer; (iii) the likelihood that fraudulent or malicious actors would seek the personal information; (iv) whether the personal information to be provided by the consumer to verify their identity is sufficiently robust to protect against fraudulent requests or being spoofed or fabricated; (v) the manner in which the business interacts with the consumer, and (vi) available technology for verification.[3]

Businesses must generally avoid requesting additional information from the consumer for verification purposes; however, to the extent the business cannot verify the consumer’s identity, the business may request additional information which must only be used for verifying the consumer’s identity, security, or fraud-prevention. The business must delete any new personal information collected for verification purposes as soon as practical after processing the consumer’s request, subject to the CCPA’s record-keeping requirements.

Questions to Consider When Responding to Consumer Requests. The advisory includes illustrative scenarios on the application of the data minimization principle to CCPA requests to opt-out of the sale/sharing of personal information and requests to delete personal information.  The advisory also provides a list of questions for businesses to consider when processing consumer requests:

  1. What is the minimum personal information that is necessary to achieve this purpose?
  2. We already have certain personal information from this consumer. Do we need to ask for more personal information than we already have?
  3. What are the possible negative impacts posed if we collect or use the personal information in this manner?
  4. Are there additional safeguards we could put in place to address the possible negative impacts?

Businesses should keep the above questions in mind when determining how to verify and process consumer requests.

For more information about these developments, contact the authors of this blog post, your DLA relationship Partner, or any member of DLA’s Data, Privacy and Cybersecurity team.

Takeaways from CPPA March 2024 Board Meeting: Enforcement Priorities and Revised Regulations on the Horizon

On March 8, 2024, the CPPA held a public meeting to discuss, among other things, its enforcement priorities and proposed regulations on risk assessments and automated decisionmaking technology (“ADMT”). This article summarizes the key takeaways from the meeting and highlights from the new regulations on the horizon in California.

Enforcement Priorities. During the meeting, Michael Macko, the Deputy Director for the Enforcement Division, presented on enforcement updates and priorities. The presentation reported that the CPPA received 1,208 complaints between July 6, 2023, and February 22, 2024. It may come as no surprise to privacy officers and compliance managers that the most common categories of complaints include right to delete and right to opt-out of sale issues.

The CPPA reported that its upcoming enforcement priorities will be privacy notices, right to delete issues, and implementation of consumer requests.[4]

ADMT and Risk Assessment Regulations. As we recently reported, in late 2023, the CPPA released its initial draft regulations for ADMT and risk assessments. During the March 8, 2024 meeting, the Board was presented with an updated draft of the ADMT and risk assessment regulations and voted to progress these proposed regulations to formal rulemaking. It is important to note that the regulations are discussion drafts that are still in the preliminary rulemaking phase. Staff will begin preparing the required paperwork to initiate formal rulemaking based on the Board’s vote. During the meeting, CPPA General Counsel Philip Laird clarified that the Agency intends to do more public engagement this spring and summer to gather additional feedback on the draft ADMT and risk assessment regulations. On April 24, 2024, the CPPA announced three stakeholder sessions to take place this May. More information about the sessions and how you can attend is available on the CPPA website. Additional modifications may be made to the draft regulations based on feedback from the Board and the public throughout this process.

The following are notable updates to draft ADMT and risk assessment requirements in these new proposed draft regulations:

  • Revised Definition of ADMT. The CPPA has revised the definition of ADMT to mean “any technology that processes personal information and uses computation to execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking.” For purposes of this definition, the CPPA clarified that to “substantially facilitate human decisionmaking” means using the output of the technology as a key factor in a human’s decisionmaking. This includes, for example, using ADMT to generate a score about a consumer that the human reviewer uses as a primary factor to make a significant decision about them.
  • ADMT Exclusions. The CPPA has clarified that ADMT does not include the following technologies, provided these technologies do not execute a decision, replace human decisionmaking, or substantially facilitate human decisionmaking: web hosting, domain registration, networking, caching, website-loading, data storage, firewalls, anti-virus, anti-malware, spam and robocall-filtering, spellchecking, calculators, databases, spreadsheets, or similar technologies.
  • Revised Definition of Profiling. The CPPA has expanded the definition of profiling to include automated processing of personal information to analyze or predict an individual’s intelligence, ability, aptitude, mental health and predispositions.
  • New Trigger for Notice, Opt-Out and Access. The CPPA has revised the triggers for pre-use notice, opt-out, and access requirements by adding the use of ADMT for “profiling a consumer for behavioral advertising” as a trigger.
  • Updated Pre-Use Notice Requirements for ADMT. The CPPA has updated the pre-use notice requirements to streamline the information that a business must provide, and to allow for greater flexibility in how the business presents the information. The proposed revisions also include tailoring pre-notice requirements to specific uses of ADMT and requiring that the business disclose that they cannot retaliate against consumers.
  • Opt-Out Exceptions for ADMT. Under the proposed regulations, businesses would not be required to provide a consumer with the ability to opt-out of a business’s use of ADMT for a significant decision concerning the consumer if the business provides consumers with the ability to appeal to a human decisionmaker (the “human appeal exception”). To qualify for the human appeal exception, the business must satisfy certain requirements, including but not limited to, designating a qualified human reviewer who must consider relevant information, clearly describing how consumers can submit an appeal, and enabling the consumer to provide information for the human reviewer to consider. The proposed regulations also include an “evaluation exception” where a business does not need to provide a consumer with the ability to opt-out (subject to certain conditions) for purposes of admission, acceptance, or hiring decisions, allocation/assignment of work and compensation decisions, and work or educational profiling. Businesses would also not be required to provide a consumer with the ability to opt-out if the business’s use of the ADMT is necessary for security, fraud prevention, or safety purposes.
  • Revised Risk Assessment Thresholds. The CPPA has revised the risk assessment thresholds to clarify that risk assessments are required when the business (1) sells or shares personal information; (2) processes sensitive personal information (including the personal information of consumers that the business has actual knowledge are less than 16 years of age); (3) uses ADMT for a significant decision or “extensive profiling” (i.e., work or educational profiling, public profiling, or profiling a consumer for behavioral advertising); or (4) processes personal information to train ADMT or artificial intelligence that is capable of being used for a significant decision, to establish identity, for physical or biological profiling, for generating deepfakes, or for operating generative models.
  • Revised Risk Assessment Requirements. The CPPA’s proposed revisions include clarifying which operational elements must be identified in a risk assessment, which negative impacts to consumers’ privacy a business may consider, and which safeguards a business must identify for ADMT to ensure the ADMT works as intended and does not discriminate.
  • Revised Risk Assessment Submission Requirements. The CPPA has streamlined what must be included in an abridged risk assessment and further clarified exemptions to the risk assessment submission requirements. For example, a business is not required to submit a risk assessment if the business has previously conducted and submitted to the CPPA an abridged risk assessment for a given processing activity, and there were no material changes to that processing during a subsequent submission period (however, the business must still submit a certification of compliance to the Agency).

Draft Updates to Existing CCPA Regulations. In addition to the initial draft regulations for ADMT and risk assessments, the CPPA also discussed revisions to the pre-existing CCPA regulations. Similar to the Risk Assessment and ADMT regulations discussed above, formal rulemaking proceedings are still pending for these proposed amendments, which include the following notable updates:

  • Revised Definition of Sensitive Personal Information. The CPPA proposed revising the definition of sensitive personal information to include “[p]ersonal information of consumers that the business has actual knowledge are less than 16 years of age.” The proposed revisions further clarify that businesses that willfully disregard the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.
  • Denying Consumer Requests. Under the revised regulations, if the business denies a consumer’s request to know, correct, delete, opt-out of the sale/sharing of personal information, or limit use and disclosure of sensitive personal information, the business must, among other things, inform the consumer that they can file a complaint with the Agency and the Attorney General and provide links to the complaint forms available on their respective websites.
  • Verification of Consumer Requests. Under the revised regulations, businesses would be required to match identifying information provided by the consumer to the personal information of the consumer already maintained by the business before requesting additional information from the consumer (emphasis added).
  • Service Providers and Contractors. The CPPA proposed adding a requirement that any retention, use, or disclosure of personal information by service providers or contractors pursuant to its written contract with a business must be “reasonably necessary and proportionate” for the purposes stated in the contract.

For more information about these developments, contact your DLA Piper relationship partner, the authors of this alert, or any member of our Data Protection, Privacy and Security team.


[1] Civil Code § 1798.100(c)

[2] 11 CCR § 7002(d)

[3] 11 CCR § 7060(c)

[4] See the CPPA Enforcement Update & Priorities presentation available at https://cppa.ca.gov/meetings/materials/20240308_item6_enforcement_update.pdf.

EU: CJEU confirms oral disclosures are considered ‘processing’ under the GDPR
https://privacymatters.dlapiper.com/2024/03/eu-cjeu-confirms-oral-disclosures-are-considered-processing-under-the-gdpr/ (Thu, 28 Mar 2024)

On 7 March 2024, the Court of Justice of the European Union (CJEU) issued its judgment in the Endemol Shine case (C-740/22), holding that the concept of ‘processing’ under the GDPR includes the oral disclosure of personal data.

In its judgment, the CJEU not only provided clarity on the definition of “processing” but also navigated the complex balance between the right of public access to official documents and the need to protect personal data. The CJEU determined that the fundamental rights to privacy and the protection of personal data take precedence over the public’s interest in accessing official documents.

Background

The case arose after a data subject participated in a competition organised by Endemol Shine Finland. The organisation made an oral request to the Finnish District Court for information on possible ongoing or completed criminal proceedings concerning the data subject, for the purpose of clarifying their criminal record. The District Court refused the request, stating that there was no legitimate reason for processing the criminal offence data under the Finnish law implementing Article 10 of the GDPR. Endemol Shine Finland brought an appeal against the judgment before the Court of Appeal, Eastern Finland, arguing that the oral disclosure of the information would not constitute processing of personal data within the meaning of Article 4(2) of the GDPR. The Court of Appeal, Eastern Finland, referred the case to the CJEU to seek clarification on whether:

  1. the oral transfer of personal data should be considered as data processing;
  2. data relating to criminal convictions of a natural person contained in a court’s filing system can be disclosed orally to any person for the purpose of ensuring public access to official documents; and
  3. it is relevant whether the person requesting the information is a company or a private individual.

Key findings

  • In relation to the first question, the CJEU concluded that the reference to ‘any operation’ in Article 4(2) of the GDPR demonstrates that “the EU legislature intended to give the concept of processing a broad scope”. It follows that the oral disclosure of information on possible ongoing or completed criminal proceedings constitutes processing of personal data, within the meaning of Article 4(2) GDPR. The CJEU held that “the possibility of circumventing the application of the GDPR by disclosing personal data orally rather than in writing would be manifestly incompatible”  with the objective pursued by the GDPR, which seeks to ensure a high level of protection of the fundamental rights and freedoms of natural persons.
  • The CJEU further held that it was clear from the request for a preliminary ruling that the data requested was contained in ‘a court’s register of persons’,  and that this constituted a filing system within the meaning of Article 4(6) of the GDPR. As a result, the processing comes within the material scope of the GDPR.
  • In relation to the second and third questions, the CJEU held that whilst public access to official documents constitutes a public interest capable of justifying the disclosure of personal data, that access must be balanced with the fundamental rights to respect for private life and to the protection of personal data. Given the sensitivity of data relating to criminal convictions and of the seriousness of the interference with the fundamental rights of data subjects which is caused by the disclosure of such data, the CJEU held that “those rights prevail over the public’s interest in having access to official documents”. The CJEU confirmed that it is irrelevant whether that person is a commercial company or a private individual.

This judgment is significant, in that it confirms the broad scope of ‘processing’ under the GDPR and provides a clear indication that it is not possible to side-step GDPR obligations by simply disclosing personal data orally rather than in writing.

Furthermore, the decision stipulates that personal data pertaining to an individual’s criminal convictions, recorded in a register maintained by a court, cannot be disclosed to any individual seeking public access to official documents unless the person requesting such disclosure demonstrates a particular interest in acquiring the specified information regardless of whether that person is a commercial company or a private individual.

EU and UK: The importance of data processing agreements
https://privacymatters.dlapiper.com/2024/03/eu-and-uk-the-importance-of-data-processing-agreements/ (Wed, 27 Mar 2024)

In the evolving legal landscape of data protection, several decisions by data protection regulators and courts across the EU and UK underscore the importance of proactive GDPR compliance from a contractual perspective. These issues are being scrutinised more closely in corporate due diligence transactions and by regulators in the event of a data breach or data subject complaint. We have summarised below some pertinent recent decisions and highlight, as a key takeaway, that regulators and courts will enforce GDPR requirements against both controllers and processors. In that light, organisations should re-evaluate and strengthen their contractual frameworks to ensure contracts align with data protection requirements and safeguard against potential pitfalls. In the UK, it is also particularly worth noting that all contracts relying on the old EU SCCs for UK transfers should have now been updated to either the UK IDTA or UK Addendum, as the deadline for this was 21 March 2024.

Key Decisions

  • The Court of Justice of the European Union (CJEU) has issued a number of judgments in relation to the engagement of processors by a controller and the importance of having a clear and detailed contract in place. In particular, in the Nacionalinis visuomenės sveikatos centras case (C-683/21), the CJEU clarified when a controller can be liable for processing carried out by its processor. In this case, the Lithuanian National Public Health Centre (NVSC) appointed an IT service provider (ITSS) to build a Covid-19 app. The NVSC provided ITSS with some design information and the questions to be asked within the app. The Lithuanian DPA opened an investigation into the app and the data processed by it. The Lithuanian DPA found various breaches of GDPR (including obligations relating to security) and imposed administrative fines on the NVSC and ITSS as joint controllers. NVSC challenged the fine, arguing that, as ITSS built the app and NVSC had not consented to ITSS making the app available to the public, ITSS was the sole controller of the relevant processing. The Vilnius Regional Administrative Court referred a number of questions to the CJEU, including on the concept of a controller’s liability under the GDPR.

  • The CJEU adopted a broad interpretation of ‘controller’ and held that the fact that:

    “(i) NVSC did not itself process any personal data, (ii) there was no contract between the NVSC and the company ITSS, (iii) the NVSC did not acquire the mobile application at issue and (iv) the dissemination of that application through online shops was not authorised by the NVSC – does not preclude the NVSC from being classified as a ‘controller’.”

    The CJEU held that although a controller can be liable for processing carried out by its processor, this does not extend to situations where the processor has processed personal data:

    • for its own purposes;
    • in a manner incompatible with the arrangements for processing as determined by the controller; or
    • in a way that the controller cannot reasonably be considered to have consented to.

  • In November 2023, the Belgian Data Protection Authority (Belgian DPA) issued a decision imposing a reprimand on a public authority and its processor for various infringements of the GDPR, including the lack of a timely signed data processing agreement (see our blog post for further information on the decision). The Belgian DPA concluded that it was the responsibility of both the controller and the processor to ensure a written data processing agreement was in place at the material time. This decision followed that of the French Data Protection Authority (CNIL) in 2022, which concluded that the processor alone may be held responsible for the absence of a data processing agreement between it and the controller.

Key Takeaways

  • The above decisions demonstrate the importance of controllers documenting instructions when engaging processors (and for processors to be clear on their remit) – it is very difficult to demonstrate that a processor acted in a manner which was incompatible with the controller’s instructions, if those instructions are not clearly set out in a detailed contract.

  • It is important to negotiate appropriate data protection provisions in the contract from the outset of an engagement – both for vendors and customers – retrospective arrangements will not cure historic non-compliance and regulators and courts will not hold back in enforcing GDPR requirements against both controllers and processors.
CHINA: Cross Border Data Transfer Requirements – exemptions now available
https://privacymatters.dlapiper.com/2024/03/china-cross-border-data-transfer-requirements-exemptions-now-available/ (26 March 2024)

In good news, on 22 March 2024, the Cyberspace Administration of China (“CAC”) finalised long-awaited guidelines setting out exemptions from some of the more challenging cross-border data transfer (“CBDT”) compliance requirements (“Guidelines”). As well as the exemptions, there are updated filing templates for those still falling outside the exemptions, and a reminder that consent and contractual/other measures remain requirements for CBDTs.

New Exemptions for Certain CBDTs

As a recap, the relevant routes to legitimise CBDTs are: (1) CAC Security Assessment, (2) China SCCs Filing, and (3) CAC Certification (together, “Legitimising Routes”). Under the Guidelines, certain exemptions have now been introduced, meaning the following CBDTs are exempted from having to follow any of the Legitimising Routes (“Exempted Transfers”):

  1. Collection outside of Mainland China: the personal data being transferred outside of Mainland China was originally collected and generated outside of Mainland China and thereafter imported back into Mainland China, and the processing of such personal data within Mainland China does not involve any personal data or important data that is collected from or generated in Mainland China;
  2. Cross-border HR management: the transfer is necessary for implementing cross-border human resource management in accordance with legally formulated employment policies and procedures or legally executed collective contracts. This is subject to a “necessity” test (see below);
  3. Cross-border contract: the transfer is necessary for concluding or performing a contract between the data subject and the data controller (e.g. those contracts that relate to cross-border shipping, logistics, remittance, payments, bank account opening, flight and hotel booking, visa applications, examination services etc.). This is subject to a “necessity test” (see below); 
  4. Emergency situation: the transfer is necessary for protecting the life, health or property security of any natural person under emergency circumstances; or
  5. Volume threshold: the transfer falls below a specified volume threshold (see below).

Do we still need to obtain separate consent and put in place other measures for CBDTs?

Yes, the exemptions only apply to the Legitimising Routes. The other requirements for CBDTs under the Mainland China data laws must still be complied with, namely:

  • clearly describe the CBDT in the privacy notice, and obtain separate, explicit data subject consent to the cross-border data transfer (as well as the general consent to data processing etc.); and
  • put in place appropriate contractual and other measures (e.g. due diligence, TOMs, DPIA) to protect the data to the appropriate standard when processed outside of Mainland China.

What is the “Necessity Test”?

Exempted Transfers 2 (cross-border HR management) and 3 (cross-border contracts) above rely on a “necessity” test, meaning the organisation must be able to demonstrate that the CBDT is necessary for the exemption to apply. However, it remains unclear what would constitute a necessary basis for the cross-border transfer of personal data. For example:

  • Will overseas transfers of personal data within global companies where IT services are procured at a group level be a satisfactory reason for the CAC?
  • When it comes to the contractual necessity exemption, the Guidelines require the data subject and the data controller to be direct contracting parties, but do not provide for situations where the contracting party is an organisation rather than an individual (e.g. corporate customer situations).

What are the Volume Thresholds?

If the above Exempted Transfers are not applicable, or are only partly applicable (after deducting the number of data subjects to whom any of the above Exempted Transfers apply):

  1. CAC security assessment (i.e. full CAC approval) is required where:
    • important data is processed – the list of important data examples will be published by the CAC in due course; 
    • non-sensitive personal data of 1 million data subjects or more is transferred overseas; or
    • sensitive personal data of 10,000 data subjects or more is transferred overseas.
  2. China SCCs filing is required where:
    • non-sensitive personal data of between 100,000 and 1 million data subjects is transferred overseas; or
    • sensitive personal data of fewer than 10,000 data subjects is transferred overseas.
  3. None of the three Legitimising Routes is required – i.e. it is an Exempted Transfer (see above) – where  non-sensitive personal data of fewer than 100,000 data subjects is transferred overseas.

For the purposes of calculating the above volume thresholds, the relevant period is the current calendar year: data subject numbers are counted cumulatively from 1 January of the year in which the calculation is conducted.
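The route selection described above (CIIO and important-data overrides, the two per-category thresholds, the calendar-year counting window and the carve-out of Exempted Transfers) can be written down as a small decision procedure. The block below is an added example written for this post; it is not the CAC's or the authors' code, and its record layout, field names and sample transfers are constructed. It counts distinct data subjects rather than records, which is what the thresholds refer to. Sector-specific rules, provincial or Free Trade Zone negative lists and the unsettled CAC Certification route are deliberately out of scope.

```python
"""Selecting the Legitimising Route for a cross-border data transfer (CBDT)
out of Mainland China under the volume thresholds in the March 2024 CAC
Guidelines, as summarised in the post.

Added example; not the CAC's or the post authors' code. The record layout
and the sample transfers are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum


class Route(IntEnum):
    """Ordered from least to most onerous."""
    EXEMPT = 0               # no Legitimising Route required
    SCC_FILING = 1           # China SCCs filing with the CAC
    SECURITY_ASSESSMENT = 2  # full CAC security assessment


@dataclass(frozen=True)
class Transfer:
    """One outbound transfer event (constructed layout)."""
    when: date
    subject_ids: frozenset[str]   # distinct data subjects in this transfer
    sensitive: bool               # sensitive personal data?
    exempt: bool = False          # within Exempted Transfers 1-4 (e.g. HR necessity)


@dataclass
class Organisation:
    is_ciio: bool = False
    handles_important_data: bool = False
    transfers: list[Transfer] = field(default_factory=list)


# Thresholds from the Guidelines, counted in distinct data subjects.
NON_SENSITIVE_SCC_FLOOR = 100_000
NON_SENSITIVE_ASSESSMENT_FLOOR = 1_000_000
SENSITIVE_ASSESSMENT_FLOOR = 10_000


def count_subjects(org: Organisation, today: date) -> tuple[int, int]:
    """Distinct subjects transferred from 1 January of `today`'s year up to
    `today`, per category, after carving out transfers that are exempt."""
    start = date(today.year, 1, 1)
    non_sensitive, sensitive = set(), set()
    for t in org.transfers:
        if t.exempt or not (start <= t.when <= today):
            continue
        (sensitive if t.sensitive else non_sensitive).update(t.subject_ids)
    return len(non_sensitive), len(sensitive)


def select_route(org: Organisation, today: date) -> Route:
    """CIIOs and important data always need a security assessment; otherwise
    the stricter of the two category thresholds decides."""
    if org.is_ciio or org.handles_important_data:
        return Route.SECURITY_ASSESSMENT
    n_plain, n_sens = count_subjects(org, today)
    if n_plain >= NON_SENSITIVE_ASSESSMENT_FLOOR or n_sens >= SENSITIVE_ASSESSMENT_FLOOR:
        return Route.SECURITY_ASSESSMENT
    if n_plain >= NON_SENSITIVE_SCC_FLOOR or n_sens > 0:
        # Any sensitive personal data below 10,000 subjects still needs an SCCs filing.
        return Route.SCC_FILING
    return Route.EXEMPT


CALC_DATE = date(2024, 4, 1)   # assumed date on which the count is run


def sample_organisation() -> Organisation:
    """Constructed scenario: two overlapping customer exports (100,000 distinct
    subjects in total), an exempt HR transfer and a prior-year transfer."""
    def ids(lo: int, hi: int) -> frozenset[str]:
        return frozenset(f"u{i}" for i in range(lo, hi))

    return Organisation(transfers=[
        Transfer(date(2024, 2, 1), ids(0, 90_000), sensitive=False),
        Transfer(date(2024, 3, 1), ids(50_000, 100_000), sensitive=False),        # 40,000 overlap
        Transfer(date(2024, 3, 15), ids(0, 5_000), sensitive=True, exempt=True),  # HR carve-out
        Transfer(date(2023, 12, 20), ids(0, 10), sensitive=False),                # outside window
    ])


if __name__ == "__main__":
    org = sample_organisation()
    print(count_subjects(org, CALC_DATE), select_route(org, CALC_DATE).name)
```

The sample lands exactly on the 100,000-subject boundary for non-sensitive data, so the organisation needs an SCCs filing even though each individual export was below the floor; dropping a single subject would make it an Exempted Transfer. If the HR transfer were not exempt, its 5,000 sensitive subjects would independently force an SCCs filing, and 10,000 would force a security assessment.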

For the third Legitimising Route, the CAC Certification, there remains uncertainty around its applicability. It was previously thought largely to cover CBDTs by non-China data controllers. However, it is not mentioned in the Guidelines, which in any case seem to cover most data processing scenarios and data volumes. Further guidance is therefore awaited on whether CAC Certification is now just a voluntary compliance measure (e.g. for non-China data controllers) or an alternative to the other Legitimising Routes.

What about CIIOs?

The Exempted Transfers do not apply to organisations designated as Critical Information Infrastructure Operators (“CIIOs”). CIIOs must in any case undergo a CAC Security Assessment to transfer or access data outside of Mainland China, regardless of the data category, data volume or data processing activity to be undertaken.

What if the Exempted Transfers do not Apply to My Organisation?

Along with the Guidelines, the CAC has also updated its template assessment and filing documents for the CAC security assessment and SCCs filing routes. In particular, the new templates reflect very specific requirements that the CAC expects in terms of the drafting and formatting of applications and filings. As such, any organisation that has drafted but not yet submitted its security assessment application, or its personal information impact assessment (PIIA) for either the security assessment or the SCCs filing, must now use the new templates.

In addition, a central submission platform has been set up. It is anticipated that only new submissions need to be made via the platform; organisations that have already submitted assessments or filings may continue to contact their designated case officer.

Practical Next Steps

  1. Reconsider your Legitimising Route, or whether an Exempted Transfer applies, by:
    • Checking internally whether your organisation has been informed by any authority that it is designated as a CIIO, or whether it processes important data (per the official list to be released in due course).
    • Identifying any provincial nuances or exceptions to the CBDT requirements that may apply to your organisation (e.g. the Greater Bay Area Standard Contract, or Free Trade Zone rules that may be published).
    • Identifying whether any of your organisation’s CBDTs qualify as Exempted Transfers. If so, that volume of data may be carved out of the overall volume calculation.
    • Classifying your data to map out the categories of non-sensitive personal data and sensitive personal data.
    • Calculating in parallel the relevant volumes of non-sensitive personal data and sensitive personal data being transferred overseas, and then identifying the applicable Legitimising Route.
  2. Organisations which have yet to make any submission to the CAC should now consider internally whether they fall within any of the Exempted Transfers. Those that cannot rely on the Exempted Transfers, or can only partially rely on them, should determine whether they are transferring sensitive personal data and, if so, the necessity of doing so, as this will affect the route chosen for legitimising CBDTs.
  3. For organisations whose submission (whether a CAC security assessment or an SCCs filing) is already with the CAC for review, it is recommended to get in touch with your designated case officer to understand the status of the assessment or filing, and whether it may be withdrawn if the Exempted Transfer conditions are met.

Please contact Carolyn Bigg (Carolyn.Bigg@dlapiper.com), Amanda Ge (Amanda.Ge@dlapiper.com), or Venus Cheung (Venus.Cheung@dlapiper.com) if you would like to discuss what these latest developments mean for your organisation.

California Attorney General Settles with DoorDash over Alleged Sale of Personal Information
https://privacymatters.dlapiper.com/2024/02/california-attorney-general-settles-with-doordash-over-alleged-sale-of-personal-information/ (23 February 2024)

Overview

On February 21, 2024, the California Attorney General (CA AG) announced that it had reached a settlement with DoorDash over allegations that the company failed to comply with “sale” requirements under the California Consumer Privacy Act (CCPA) and disclosure requirements under the California Online Privacy Protection Act (CalOPPA). The settlement requires DoorDash to pay a $375,000 civil penalty and comply with specific injunctive terms.

The CA AG’s complaint alleges that DoorDash participated in marketing co-operatives (“co-ops”) that involved the company providing its customers’ personal information (such as names, addresses, and transaction histories) to the co-op without providing its customers with notice or an opportunity to opt-out of the sale. Upon receiving DoorDash’s customer personal information, the co-op would combine DoorDash’s customer data with the customer data of other third-party co-op members, analyze the data, and allow members to send mailed advertisements to potential leads. The CA AG considered such data disclosure a “sale” of personal information under the CCPA’s broad definition of that term. Specifically, DoorDash received “valuable consideration” in exchange for disclosing its customer data to the co-op, namely the “opportunity to advertise its services directly to the customers of the other participating companies.”

The CA AG’s second cause of action invoked CalOPPA, a 20-year-old California privacy law that imposes transparency obligations on companies that operate websites for commercial purposes and collect personally identifiable information from Californians. The complaint alleged violations of CalOPPA by DoorDash due to the company’s failure to disclose in its privacy policy that it would share its customers’ personally identifiable information with other third-party businesses (e.g., marketing co-op members) for those businesses to contact DoorDash customers with ads.

Key Takeaways

This settlement serves as a critical reminder of the importance of compliance with current and emerging state privacy laws, emphasizing the broad definition of “sale” under the CCPA and the strict requirements for transparency and consumer choice. Additionally, we expect the California Privacy Protection Agency, another California privacy regulator (vested with full administrative power, authority, and jurisdiction to implement and enforce the CCPA) to ramp up its own investigative and enforcement efforts this year. Thus, businesses should consider the following:

  • “Selling” is Broader than Cookies – companies should re-assess how their data disclosure activities may be considered “selling” under the CCPA. Many companies focus on the use of third-party ad and analytics cookies on their websites as the main trigger for “sale” compliance obligations under the law. This settlement makes clear that companies should broaden their review and assessment of their marketing department’s use of personal information to consider non-cookie related data disclosures.
  • Review and Update Privacy Policies – an outdated, unfair and deceptive, or misleading privacy policy serves as an online billboard announcing a company’s non-compliance with state privacy laws as well as state unfair competition laws (for example California’s Unfair Competition Law (UCL)). As this settlement demonstrates, this can be a magnet for consumer complaints and regulatory scrutiny (including at the federal level under Section 5 of the Federal Trade Commission Act). Companies should review and update their privacy policies whenever they materially change how they handle personal information. Under the CCPA, privacy policies must be updated at least annually.
  • Opt-Out Mechanisms. Companies should ensure that compliant opt-out mechanisms, including an interactive webform and a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link, are in place. Opt-out mechanisms must also recognize and respond to universal opt-out preferences signals, such as the Global Privacy Control (GPC) signal.   
  • Don’t Forget the Apps – the complaint noted that both the DoorDash website and mobile application (App) failed to inform consumers about the sale of their personal information and their right to opt out. Companies that collect personal information via an App and engage in “backend” selling of personal information should ensure that the App includes sufficient CCPA disclosures and a mechanism for users to easily opt out of the sale of their personal information (the CA AG has previously announced an investigative sweep focused on CCPA violations in the App context).
  • Marketing Co-Ops – this enforcement action makes clear the California regulators consider a company’s participation in a marketing co-operative to be a “sale” under the CCPA. Companies participating in marketing co-ops and other third-party data sharing engagements should carefully review their agreements with the data recipients to ensure they restrict the recipients’ ability to further disclose or sell consumer personal information.
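The opt-out point above is where engineering meets the regulation: recognising the Global Privacy Control signal means treating the HTTP request header `Sec-GPC: 1` (the only value the GPC specification defines as valid) as an opt-out request, and then actually gating the backend disclosure, such as a marketing co-op feed, on that decision. The block below is an added example written for this post; it is not DoorDash's code and not from the original article. The cookie name, the set of fields exported to the co-op, the customer record and the sample requests are constructed assumptions.

```python
"""Recognising and honouring the Global Privacy Control (GPC) opt-out signal.

Added example; not DoorDash's code and not part of the original post. GPC is
sent by a supporting browser as the request header `Sec-GPC: 1` and exposed
to page scripts as `navigator.globalPrivacyControl`. Under the CCPA
regulations a business that sells or shares personal information must treat
the signal as a request to opt out. Cookie name, export field set, customer
record and sample requests below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

OPT_OUT_COOKIE = "ccpa_opt_out"   # assumed: set by the site's own "Do Not Sell or Share" link
CO_OP_FIELDS = ("name", "postal_address", "transaction_history")   # assumed co-op export set


@dataclass(frozen=True)
class SaleDecision:
    allow_sale_or_share: bool
    reason: str


def gpc_enabled(headers: Mapping[str, str]) -> bool:
    """True only for a literal `Sec-GPC: 1`. Header names are case-insensitive;
    any other value is not a valid signal and is ignored."""
    return any(name.lower() == "sec-gpc" and value.strip() == "1"
               for name, value in headers.items())


def decide_sale(headers: Mapping[str, str], cookies: Mapping[str, str]) -> SaleDecision:
    """Whether data from this request may be sold or shared (ad partners,
    marketing co-ops). Either opt-out source overrides the permissive default."""
    if gpc_enabled(headers):
        return SaleDecision(False, "Sec-GPC: 1 received; treated as an opt-out request")
    if cookies.get(OPT_OUT_COOKIE) == "1":
        return SaleDecision(False, "consumer opted out via the Do Not Sell or Share link")
    return SaleDecision(True, "no opt-out signal and no stored opt-out choice")


def export_for_coop(customer: Mapping[str, str],
                    headers: Mapping[str, str],
                    cookies: Mapping[str, str]) -> Optional[dict]:
    """Gate the outbound co-op feed on the decision: returns only the fields
    that would be disclosed, or None when the disclosure must be suppressed."""
    if not decide_sale(headers, cookies).allow_sale_or_share:
        return None
    return {k: customer[k] for k in CO_OP_FIELDS if k in customer}


def gpc_support_resource() -> dict:
    """Body for /.well-known/gpc.json, the GPC spec's way for a site to
    declare that it honours the signal. `lastUpdate` is an ISO 8601 date
    (assumed value here)."""
    return {"gpc": True, "lastUpdate": "2024-02-21"}


# Constructed sample customer record and two sample requests.
SAMPLE_CUSTOMER = {"name": "A. Example", "postal_address": "1 Main St, Sacramento, CA",
                   "transaction_history": "3 orders", "email": "a@example.com"}
REQUEST_WITH_GPC = {"Host": "www.example.com", "Sec-GPC": "1"}
REQUEST_WITHOUT_GPC = {"Host": "www.example.com"}

if __name__ == "__main__":
    for hdrs in (REQUEST_WITH_GPC, REQUEST_WITHOUT_GPC):
        d = decide_sale(hdrs, {})
        print(d.reason, "->", export_for_coop(SAMPLE_CUSTOMER, hdrs, {}))
```

Two design points worth noting: the export function never sees fields outside the agreed co-op set (the email address is dropped even when the sale is allowed), so data minimisation is enforced in code rather than by contract alone; and the GPC check is strict about the header value, so a malformed or absent header falls through to the site's own stored choice rather than being silently treated as consent or as an opt-out.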

For more information about these developments and the CCPA in general, contact your DLA relationship Partner, the authors of this blog post, or any member of DLA’s Data, Privacy and Cybersecurity team.
