
Michelle Mayfield is an associate in Dykema's Detroit office. She focuses her practice on business litigation matters.

Takeaways

  • Increased federal deregulation and related actions are further destabilizing the already tenuous foundation of the Data Privacy Framework (DPF). European privacy regulators have been issuing guidance indicating that they expect a European pull-back from the DPF.
  • Businesses that rely on the DPF should maintain their certification, but should move now to prepare to activate alternative data transfer mechanisms, such as the standard contractual clauses, and update lapsed transfer and data privacy impact assessments.
  • Review current cloud-storage arrangements and consider regionalizing European data storage to avoid EU-to-U.S. data transfers, especially if your cloud provider is relying on DPF certification to legitimize GDPR data transfers.

After years of litigation, false starts, and invalidated frameworks, the U.S. had finally achieved a simplified path for GDPR-compliant transfers of personal data from Europe. However, European reaction to the recent changes on the U.S. side of the pond indicates wavering support for the EU-U.S. Data Privacy Framework (DPF) and threatens to send the U.S. back into the data transfer dark ages.

Continue Reading: Status Check: Support Is Quickly Eroding for the EU-U.S. Data Privacy Framework

On February 1, 2023, the California Privacy Protection Agency (CPPA) released a final draft of the regulations for enforcing the California Privacy Rights Act (CPRA). These regulations impose stricter restrictions on the collection of personal information. Of note is that collection practices must be “consistent with the reasonable expectations of the consumers.” According to 11 C.C.R. § 7002(b), expected to become final this year, “reasonable expectations” hinge on factors such as the relationship between the business and its consumers, the source of personal information, the methods employed by the business collecting the data, and the involvement of other entities and third parties. If the CPPA takes an expansive enforcement position on Section 7002, several types of automotive businesses could be impacted by this “consumer expectation” test.

Continue Reading: CPRA Regulation 7002: Detour for Automotive Businesses?