GDPR a ‘Learning Curve’ According to CNIL Head Falque-Pierrotin
• Speaking at the Global Privacy Summit of the International Association of Privacy Professionals (IAPP), Commission Nationale de l’Informatique et des Libertés (CNIL) president Isabelle Falque-Pierrotin described GDPR compliance as a “learning curve” for everyone involved, including the regulators.
• Stating that the role of the GDPR regulators was to be “pragmatic and proportionate, Falque-Pierrotin indicated that it’s important to have begun preparing for GDPR and that the regulators would recognize that not everyone will have all of their GDPR compliance programs complete by the GDPR’s go-live date.
• In an added wrinkle, another panel at IAPP focused on managing so-called GDPR derogations, or areas in which GDPR explicitly permits member states to pass laws supplementing GDPR, making compliance exponentially more difficult for companies with operations across the E.U.
Oregon Updates Data Breach Notification Law
- Oregon Governor Kate Brown recently signed a bill amending the State’s data breach notification law.
- Under SB 1551, any entity that is required to provide notification of a data breach must notify consumers “not later than 45 days after discovering or receiving notification of the breach of security,” rather than the current “without unreasonable delay” standard. The new law also will prevent consumer credit reporting agencies from charging a fee for placing, temporarily lifting or removing a security freeze on a consumer’s credit report.
- SB 1551 takes effect on June 2, 2018.
State AGs Oppose Federal Data Breach Notification Bill
- In a letter authored by Illinois Attorney General Lisa Madigan, 32 AGs opposed the Federal Data Acquisition and Technology and Accountability and Security Act (the Act).
- According to the AGs, the Act would allow entities that suffer data breaches to determine based on their own judgment whether to notify consumers of the breach and would “totally preempt all state data breach and data security laws, including laws that require notice to consumers and state attorneys general of data breaches.”
- Stating that there is a place for both state and federal agencies in the protection of personal information, the AGs urged Congress not to preempt state laws in this area.
Senate Staffer Says That Federal Data Breach Notification Law Will Struggle to Pass Senate
- In addition to the opposition of most state AGs, disagreements over preemption and the scope of the bill may impede passage of federal data breach notification laws, according to Cort Bush, senior staffer on the Senate Commerce, Science and Transportation Committee.
- Also speaking at the IAPP’s Global Privacy Summit, Bush described federal preemption of state data breach notification laws as the “carrot” that brought the business community to the table, but indicated that the preemption carrot “doesn’t get the ball over the finish line,” requiring discussions about penalty caps and other ways to provide assurances to the corporate world about liability exposure.
- In addition to opposition from State AGs and consumer groups, Bush cited other challenges to passage, including the congressional calendar and the fact that 2018 is an election year.