Cybersecurity and Privacy Law Developments in Q3 of 2020



Practice Areas

Attorneys of the Cybersecurity and Privacy Practice Group
Robinson Bradshaw Publication
Oct. 22, 2020

Cybersecurity and privacy law is evolving rapidly as lawmakers, government agencies and plaintiffs respond to the growth of new technologies, privacy concerns and cyberattacks. Businesses are facing new compliance obligations, greater legal uncertainty, and expanding liability risk from data breaches and privacy scandals. This trend will only increase as social-distancing measures in response to the COVID-19 public health emergency drive people and businesses to greater reliance on digital and telecommunications services. Keeping track of the many legal developments can be challenging, but Robinson Bradshaw attorneys are here to help. We publish quarterly updates to highlight noteworthy developments of cybersecurity and privacy law from the previous quarter. Click here to subscribe to our Cybersecurity and Privacy list and receive future updates via email, and click here to view all of our quarterly updates.

The third quarter of 2020 began with the landmark Schrems II decision by the Court of Justice for the European Union, which invalidated the EU-U.S. Privacy Shield as a basis for transferring personal data from the EU to the United States under the General Data Protection Regulation (GDPR). Some guidance on next steps was issued by European regulators, and the U.S. Commerce Department quickly began negotiating a new “enhanced” Privacy Shield, but plenty of new challenges remain for U.S. businesses needing to transfer personal data from Europe. Indeed, adding yet another challenge the following month, Brazil’s new GDPR-like privacy law went into effect earlier than expected. Meanwhile, back in the United States, the California Consumer Privacy Act (CCPA) remained top of mind as the California attorney general began enforcement, the implementing regulations were finalized, and exceptions for employee and business-to-business records were extended to Jan. 1, 2021. Of course, the next quarter may bring yet more change as Californians prepare to vote on the California Privacy Rights Act ballot initiative. Another major development came from the New York Department of Financial Services, which announced their first ever enforcement action under its Cybersecurity Regulation 23 NYCRR Part 500. Also, new cybersecurity and breach notification laws took effect in Vermont, Virginia and Indiana. In case we needed reminding, the third quarter of 2020 shows how state governments remain a driving force in cybersecurity and privacy law for the United States.

If you have questions about any of the legal developments highlighted in this quarterly update, please contact any member of our Cybersecurity and Privacy Practice Group for assistance.

State Law Developments

[1] The California attorney general’s statement at the outset of CCPA enforcement can be found here:

[2] The text of Indiana’s H.B. 1372 can be found here:

[3] The text of Virginia’s H.B. 1334 can be found here:

[4] Vermont’s Office of the Attorney General issued a letter explaining the amended breach notification law which may be found here:

[5] The text of New York’s A06787-D/S05140-B is available here:

[6] The text of the finalized CCPA regulations is available here:

[7] The third set of modifications to the CCPA regulations is available here:

[8] The text of the Portland ordinance is available here:

[9] The text of California’s AB 1281 is available here:

Federal Law Developments

[10] The FCC’s new rule can be found here:

[11] The text of the SAFE DATA Act is available here:

[12] The DOD’s interim rule can be found here: More details about the CMMC framework can be found here:

Foreign Law Developments

[13] The CJEU’s press release about Schrems II, with a link to the full decision, can be found here:

[14] The EDPB’s FAQs about Schrems II can be found here: The announcement of the EDPB taskforce can be found here: Finally, the Baden-Württemberg guidance (in German) can be found here:

[15] The EDPB’s controller-processor guidelines can be found here:

[16] The announcement of the Senate action (in Portuguese) to effectuate the LGPD can be found here:

Litigation and Enforcement

[17] The U.S. Supreme Court opinion for this case can be found at William P. Barr et al. v. American Association of Political Consultants Inc. et al., 140 S.Ct. 2335, 2020 WL 3633780 (2020).

[18] The North Carolina federal court’s decision may be found at United States v. Walker, Case No. 2:18-CR-37-FL-1, 2020 WL 4065980 (E.D.N.C. Jul. 21, 2020). 

[19] NYDFS’s announcement of the First American enforcement action may be found here:

[20] A copy of the final order can be found here:

[21] The OCR’s announcement of the settlements and copies of the corrective action plans can be found here:

[22] The Department of Justice press release and links to the indictments may be found at

[23] A copy of the Anthem data breach settlement can be found here:

Main Menu