Over the past year we have regularly reported on the many data protection laws that follow the example of GDPR all over the world. Brazil now has its own “GDPR legislation”, just like Japan, China, Russia and California …
In the United States, California was the first state to give its citizens better data protection. In form and content, the California Consumer Privacy Act (CCPA) is clearly comparable to the European GDPR. The first state to follow California’s example is perhaps also the most important one for many Belgian and European companies: New York. Many European companies have their American office or representation precisely in New York. Reason enough for us to look at the upcoming data protection legislation there. After all, it would be a shame to handle data diligently and in a well-prepared manner in Europe, only to incur a fine in the US at some point …
New York companies have experienced several major data breaches in recent years, including the Equifax case in July 2017. In response, the state of New York recently introduced a first data protection law. This so-called Data Shield Act is intended to impose stricter obligations on companies that process personal data.
The Data Shield Act is not really a comprehensive GDPR-like piece of legislation, but rather a limited law whose primary aim is to ensure that every New York company makes the necessary efforts to protect personal data to a high standard and so prevent data breaches. Although this is also one of the basic principles of the GDPR, the latter is of course much more comprehensive, with, for example, extensive obligations regarding internal documentation, transparency and information, data minimization, purpose limitation and limited retention periods.
Although the Data Shield Act is a clear step forward in data protection, many New York politicians want to go one step further. Earlier this year, this led to a first draft of a Data Privacy Act that closely resembles the European General Data Protection Regulation.
Future Data Privacy Act?
At first glance, the future New York Data Protection Act (Data Privacy Act), if it is finally adopted, will be considerably stricter than California’s CCPA, which serves as its inspiration. The CCPA, in turn, is less strict than our European GDPR, especially for smaller companies, but New York seems to be closer to Europe than to California.
The future legislation still has a long way to go before it is final. A first attempt this summer to get it on the voting agenda has already failed, but for the time being the initiators do not seem to be giving up, and there may be a final Data Privacy Act on the table in some form by 2020, albeit somewhat changed under the expected pressure of all kinds of lobby groups.
Principles of the New York Privacy Act
Although, as said, changes to the New York Privacy Act are very likely before the bill ever comes to a final vote, its main principles seem to be fairly established at this point. Just like the CCPA and the GDPR, the new law should give New York State residents much more control over their personal information. Under the New York Privacy Act, New Yorkers can find out, for example, what information about them is collected and with whom it is shared. Residents of the state also have the right to request that personal information be corrected or deleted, and to request that companies do not share that information with third parties or sell it. Just as in Europe under the GDPR, companies will have to respond to general requests for information within 30 days (but, unlike under the GDPR, only for a “look-back period” of 12 months prior to the request). The obligation to report data breaches is also clearly inspired by our own GDPR.
Stricter than CCPA
A notable difference between the New York Privacy Act and the CCPA is that the New York privacy legislation does not impose a minimum size for companies to fall under the new rules. In California, only companies with at least $25 million in revenue are subject to the CCPA. That exempts a lot of companies, if not most, from data protection rules. New York, however, follows the same approach as the GDPR and subjects all companies to the new rules in the same way. As a result, just as under our GDPR, small start-ups with only a few employees or, for example, the branches of foreign companies are still subject to the New York Privacy Act.
Timing and what’s important to you
At Sirius Legal, we will of course keep an eye on further developments and inform you about all final texts as soon as they are made available. In the meantime, companies doing business in New York can assume that the final version of the New York Privacy Act will be presented somewhere in 2020. This will probably include a transition period for companies to comply with the new rules. After that, just like last year in Belgium and Europe, data controllers will need to work hard on their data protection compliance. In the meantime, they should already implement the Data Shield Act in their data processing activities and, among other things, be able to demonstrate adequate protection of personal data against data breaches.