Road to Adequacy: Can California Apply Under the GDPR?

Background

Earlier this year, the European Commission, the executive arm of the European Union, recognized Japan’s data protection regime as adequate under the European General Data Protection Regulation (GDPR). Japan is now treated as part of the European Economic Area (EEA) under the GDPR, and data flows from the EEA may be transferred to Japan without any additional safeguards or agreements. This is the first adequacy decision since the GDPR took effect, and it will likely provide a road map for other countries or territories seeking EU approval going forward.

At the same time that Japan’s adequacy determination was being finalized, the California attorney general began hosting seven public forums across the state to allow public comment during the California Consumer Privacy Act (CCPA) pre-rulemaking process. The CCPA, enacted July 28, 2018, and effective Jan. 1, 2020, is modeled on the GDPR, imposing new data protection requirements on certain companies and granting new rights to California residents.

Even before the CCPA was signed into law, the bill sparked speculation about whether California could apply under the GDPR for adequacy. While California has not yet expressed an intention to apply, the state has a history of forging its own path in the absence of federal action. And notably, industry stakeholders at the CCPA public forums requested that the potential CCPA regulations contain a safe harbor provision for GDPR-compliant businesses. In addition, legislation introduced this year to amend the CCPA to more closely align with the GDPR framework—coupled with last year’s stalled efforts to create a California data protection agency—indicates that some state legislators may have a broader vision of the relationship between the two privacy regimes.

But could a single state secure a GDPR adequacy determination even though the United States has not obtained a full adequacy decision? This post considers whether California could apply (based on the factors considered in the recent Japanese adequacy decision) and, importantly, whether any legal barriers exist under the GDPR.

Cross-Border Data Transfers Under the GDPR

The GDPR is the gold standard on data privacy. Considered the strictest data protection and privacy regime in the world, it applies to the transfer and processing of data originating in the EU. Noncompliance can cost companies up to 4 percent of their global annual revenues in fines and penalties by national data protection authorities. For example, earlier this year the French data protection authority fined Google approximately $57 million (the highest fine to date) for violating the GDPR.

Chapter V of the GDPR prohibits the transfer of personal data between the EEA and a third country unless the transfer falls under an enumerated legal mechanism. One such mechanism—an adequacy decision—requires the European Commission to determine that the country, or “a territory or one or more sectors within that country” has “adequate level[s] of protection.” If a country or territory receives an adequacy decision, data may flow from the EU to the country or territory without any case-by-case determination from the EU.

Adequacy decisions are not new. The 1995 Data Protection Directive, the predecessor to the GDPR, also contemplated free data flows from the EU to third countries whose domestic laws were deemed adequate. The GDPR has inherited not only the adequacy framework but also the prior adequacy decisions. Decisions made under the directive remain valid under the new regime.

The European Commission must follow a four-step process to adopt an adequacy decision. First, it must make an initial proposal finding that the third country domestic laws are adequate. Article 45(2) of the GDPR provides the framework of this proposal and the European Data Protection Board’s (EDPB’s) adequacy referential includes additional context. Further, the European Court of Justice has noted that “adequate” in the context of an adequacy decision means “essentially equivalent” but does not require a point-by-point alignment with EU privacy laws.

Second, the EDPB must provide an opinion on the draft proposal by the European Commission. Third, the EU Parliament, comprised of representatives of the EU member states, must comment on the draft proposal. And fourth, the European Commission must subsequently adopt the proposal.

Under the Data Protection Directive, the European Commission has found that the following entities’ privacy laws are “adequate”: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, United States, and Uruguay. However, the U.S. and Canada have “partial” adequacy decisions—meaning the decision is limited to one specific category or sector. In Canada, the decision applies only to private entities subject to a domestic privacy law, while the United States decision applies only to companies that participate in the EU-U.S. Privacy Shield agreement.

The European Commission can reevaluate these decisions at any time. For example, after the European Court of Justice in 2015 invalidated the Privacy Shield predecessor (the EU-U.S. Safe Harbor Framework), the Commission reevaluated all 12 adequacy decisions in 2017.

The Japanese Adequacy Road Map

The EU began negotiations with Japan over a potential adequacy decision in January 2017. The talks concluded successfully in July 2017, and both sides agreed to “reciprocal” adequacy—meaning both sides would launch their own domestic processes necessary to adopt an adequacy finding.

The European Commission released a draft adequacy decision in September 2018, which provided a comprehensive analysis of the Japanese domestic privacy regime along with the five supplementary rules negotiated by the Japanese government and the EU to address the gaps in the Japanese domestic privacy laws. The decision ultimately concluded that the level of protection provided by the domestic privacy regime, when combined with the supplementary rules, is adequate.

In December 2018, the EDPB released its opinion and the EU Parliament subsequently adopted a resolution that raised concerns regarding the draft decision. Among other concerns, the parliament noted worries about continued enforceability of the supplementary rules and potential difficulty of EU citizens seeking to obtain legal remedies in Japan’s legal system. The European Commission adopted the final adequacy decision in January 2019, and today data from Europe may flow to Japan without additional requirements.

The California Consumer Privacy Act of 2018

Unlike the GDPR, the California Consumer Privacy Act (CCPA) of 2018 was a rush job. Introduced and passed within one week, the measure was a compromise between tech business groups and Californians for Consumer Privacy, which spent nearly $3.5 million qualifying a stricter version of the CCPA on the 2018 ballot. A legislative compromise was brokered only one week before the deadline to withdraw Californians for Consumer Privacy’s proposition from the ballot—resulting in a race to get a bill to the governor’s desk. Clean-up amendments were passed two months later. The first public forum on the scope of potential regulations took place on Jan. 11. While the act will take effect on Jan. 1, 2020, there is a high likelihood that the CCPA may be amended again before it takes effect.

The new law defines a laundry list of phrases and terms, including phrases such as “business purpose,” “commercial purpose,” and “infer.” Most importantly, “personal information” includes not only traditional identifiers such as a Social Security or driver’s license number but also any information that could identify a consumer or household, including IP addresses, account names and email addresses. The “business” definition requires that the entity must fall into one of three buckets: (1) have annual revenues in excess of $25 million; (2) annually obtain or sell the personal information of over 50,000 consumers; or (3) derive 50 percent or more of its annual revenues from the sale of consumers’ personal information. And “consumers” are defined as natural California residents—and, importantly, employees are not exempted from the definition.

The CCPA also establishes new legal rights for consumers to access and control their personal information online. Starting in 2020, consumers will have the right to know the personal information collected about them by businesses that collect the information and businesses that sell or disclose the information. Consumers will also have the right to request that businesses delete personal information collected from the consumer. Businesses have nine enumerated categories for refusing this request, including compliance with federal and state laws and First Amendment rights. Additionally, consumers can opt-out from the sale of their personal information, including the sale of personal information that the business has collected about the consumer.

Further, prior to any collection of personal information, businesses must notify consumers of both the types of categories of personal information the business collects and how this information will be used. The business shall not collect additional information or use the already collected information for additional purposes without notifying the consumer. The CCPA does not apply to several types of personal information subject to federal laws, such as the Health Insurance Portability and Accountability Act, to avoid conflicts with federal law.

There is no private right of action to enforce these new consumer rights. The California attorney general may bring suit for violations of the CCPA after providing the business 30 days to cure the violation. Statutory penalties range from $2,500 to $7,500 per violation.

The CCPA does provide a private right of action for consumers to bring suit for data breaches with statutory damages ranging between $100 and $750 per consumer. But there is a similar 30-day cure provision.

Is the CCPA “Adequate” Under EU Law?

The GDPR authorizes nonnations like California to apply for adequacy. Article 45 expressly contemplates subnational adequacy decisions, and the EU has found several subnational entities privacy regimes adequate under the directive. However, these entities were small in size and population. If California were to apply, it would be the largest subnational entity, and the first outside of Europe, to do so.

The CCPA has many of the basic criteria that the EDPB’s adequacy guidance document notes must be present in the legal system to meet the adequacy standard. For example, the CCPA employs a similarly expansive definition of “personal information” as the GDPR (defined as “personal data”), provides a similar right of access/knowledge to the consumers as the GDPR does to individuals in the EU, and appears to imply the necessity of a legal basis for data collection/processing.

But, the CCPA differs from the GDPR on several key issues. If California does decide to apply, the state will likely need to negotiate with the EU to address these differences. Read together, the EDPB adequacy guidance document and the new Japanese adequacy opinion suggest how a high-level hypothetical adequacy analysis could identify the gaps between the two privacy regimes.

The CCPA and GDPR are inconsistent in scope. While the CCPA applies to for-profit entities that must meet specific thresholds to meet the statutory definition of a “business,” the GDPR applies to “controllers” and “processors” of data—a much larger set of entities that includes private for-profit and nonprofit entities as well as public agencies. Thus, if California were to obtain an adequacy decision, it would likely be similar to the Canadian partial-adequacy decision, which is limited in scope only to “commercial organizations” that are regulated by the Canadian Personal Information Protection and Electronic Documents Act.

Likewise, while the CCPA provides certain privacy rights to California residents, the overlap is not complete between the rights provided by the CCPA and the core privacy concepts of the GDPR. For example, the CCPA does not provide a right to correct inaccurate personal information, and the right to delete is limited to information the business has obtained from the consumer. Conversely, the GDPR allows individuals to request that personal information be corrected or deleted even if it was not collected directly from the individual, with limited enumerated exceptions. Further, the GDPR does not exempt publicly available information from the definition of personal information, whereas the CCPA does.

The right to opt out is also limited in the CCPA. While the GDPR provides the individual the right to opt out of data processing by several means such as withdrawal of consent, the CCPA limits the right to opt out to information that is sold to third parties.

Lastly, the GDPR requires a legal basis, such as affirmative consent, for data processing. The CCPA does not explicitly mention affirmative consent or any legal basis requirement, instead focusing on enumerating the rights of the consumer and the duties of business. California can arguably make a case that requiring the business to notify consumers prior to any data collection implies a legal basis requirement—the reasoning would be similar to that of the federal courts that have found implied consent in online “browsewrap” agreements in the U.S. Under the CCPA, the consumer must be notified of the categories of personal information that will be collected either prior to or at the point of collection, along with the collection purpose. In addition, the CCPA contains a purpose limitation analogous to the GDPR, which limits the business’s ability to collect new information or use the original information for a different purpose without first notifying consumers. If at that point consumers do not want this personal information used, they can request that the business delete it.

While this does not exactly match up with the GDPR’s requirement for an explicit legal basis to process data, it may be substantially similar enough that the potential gaps may be filled through regulations by the California attorney general rather than legislative amendment.

The thorn in California’s side for any potential adequacy decision will likely be the lack of an independent oversight agency. Both Article 45 and the EDPB guidance document note that when assessing the adequacy of the third county, the European Commission must consider whether there is an independent supervisory authority that ensures accountability and compliance with the domestic data protection laws and provides assistance and advice to those seeking help.

The CCPA grants the California attorney general’s office (CAG) broad regulatory and enforcement authority with the ability to seek judicial remedy for noncompliance and potential penalties of $2,500-$7,500 for each violation. The California attorney general is an elected position, with fixed-year terms, which provides some measure of independence from the governor. In addition, the CAG already has an existing Privacy Enforcement and Protection Unit. This unit has been in existence since 2012, after the independent Office of Privacy Protection was disbanded due to budget cuts and its director transferred to the CAG privacy unit. The office still exists in statute but would not meet the GDPR independent agency requirements. It has no enforcement authority and can promulgate regulations only to further its educational/outreach responsibilities.

The lack of an independent data protection authority may not be immediately fatal, however. When Argentina faced a similar difficulty in 2003, the prior iteration of the EDPB (the Article 29 Working Party) raised two independence concerns about the Argentinian supervisory authority being housed within the Ministry of Justice. But the European Commission approved the adequacy decision without mention of any independence concerns. Argentina eventually modified the structure of its supervisory authority in 2016 to address the original independence concerns.

Thus, California could demonstrate that there is sufficient enforcement and procedural oversight by the CAG, functionally meeting the goals of the GDPR, and then negotiate further with the EU on how best to develop an independent agency. The state can also point to its initial efforts in 2018 to establish a California Data Protection Authority as evidence that the legislature is interested in aligning California closer to the GDPR framework.

***

The current version of the CCPA, while an important start, is unlikely to result in an adequacy determination if California decides to apply. But the existing framework is only the start—at least eight bills are moving through the current legislative session to amend the CCPA. Two in particular are noteworthy. California Senate Bill 561, sponsored by the California attorney general, amends the CCPA to include a private right of action for any violation of the CCPA and deletes the 30-day “cure” requirement. Assembly Bill 1760, cosponsored by the ACLU, would require businesses to obtain affirmative consent from the consumer prior to sharing any personal information—shifting from the current “opt-out” framework to an “opt-in” requirement. While most of the bills introduced are unlikely to survive, in sum they provide strong evidence that the legislature does not view the current statutes as the final iteration of the CCPA.