Takeaways

U.S. privacy regulations are currently a complex framework of federal and state laws that together form a comprehensive web of compliance obligations.
The EU’s General Data Protection Regulation (GDPR) and the UK GDPR set out the key rules in Europe and the UK on privacy matters.
China’s national-level laws provide detailed regulations, particularly through the Personal Information Protection Law (PIPL), which guides the handling of all personal information.

Laws are evolving worldwide as data privacy and cybersecurity issues move to the forefront of policy-making discussions. The United States continues to work within a layered regulatory system that utilizes laws at both state and federal levels, while the EU and UK are largely guided by overarching legislation that bears strong consequences if breached. In China, regulations are a bit more complex. Nonprofit organizations doing business in these regions will want to take note of the latest privacy-related developments, along with regulations that have existed for a long time, all outlined ahead. 

U.S. Privacy Laws: Developments from State to State

The U.S. privacy regulatory framework is complex, with a patchwork of laws and regulations at both the federal and state levels. Unlike other countries, the United States does not have a comprehensive federal law that governs all aspects of privacy. Instead, privacy in the United States is primarily addressed through sector-specific laws and regulations that focus on specific industries or types of personal information, such as health care data (HIPAA) or financial information (GLBA). Additionally, individual states have taken steps to enact their own privacy laws, with the California Consumer Privacy Act (CCPA) being the most notable example. Over the past year, the most significant state-level privacy law developments include:

  • California Privacy Rights Act (CPRA). The California Privacy Rights Act (CPRA), known as Proposition 24, was passed by California voters in November 2020 and took effect on January 1, 2023. The CPRA builds upon the California Consumer Privacy Act (CCPA) and introduces new provisions and changes to the privacy regulatory landscape in California.

Nonprofit associations are potentially subject to regulation under the California CPRA. The CPRA expands the organizations that fall under its regulatory purview compared to the CCPA. It applies to businesses that meet specific criteria, including those that collect or share personal information of California residents and either have an annual gross revenue of $25 million or more, handle personal information of 100,000 or more California consumers, or derive 50% or more of their annual revenue from selling personal information. In addition, the CPRA introduces a new category of “sharing” personal information, alongside the existing categories of “selling” and “collecting.”

One key difference between the CCPA and the CPRA is the introduction of the category of “sensitive personal information” (SPI) under the CPRA. SPI includes information such as Social Security numbers, financial account information, precise geolocation data, racial or ethnic origin, religious beliefs, genetic data and more. The CPRA grants consumers the right to restrict the use of SPI and imposes additional obligations on businesses regarding its handling and protection.

The CPRA also establishes the California Privacy Protection Agency (CPPA), an independent regulatory body, which will have rulemaking, enforcement and administrative powers. The CPPA will be responsible for implementing and enforcing the CPRA, taking over some of the enforcement duties currently held by the California Attorney General.

  • Virginia Consumer Data Protection Act (VCDPA). The Virginia Consumer Data Protection Act (VCDPA), effective on January 1, 2023, grants Virginia residents certain rights related to the collection and use of their personal data and imposes obligations on businesses that process or control such data. Under the VCDPA, covered businesses must provide consumers with transparency regarding their data processing activities, including the purposes for which data is collected and shared. It gives consumers the right to access, correct, delete and obtain a copy of their personal data. The VCDPA also requires businesses to implement reasonable security practices to protect personal data.

Unlike other privacy laws, the VCDPA does not require businesses to obtain explicit consent for data processing, but it gives consumers the right to opt out of the sale of their personal data. The law applies to businesses that meet certain criteria, such as those that control or process the personal data of at least 100,000 consumers or derive a significant portion of their revenue from selling personal data. Nonprofit organizations and certain other entities may be exempt from certain provisions of the VCDPA.

  • Connecticut Data Privacy Act (CTDPA). The Connecticut Data Privacy Act (CTDPA) will take effect on July 1, 2023. It gives Connecticut residents certain rights over their personal data and establishes standards for organizations that process personal data, similar to the other state laws that have recently taken effect. The CTDPA applies to businesses in Connecticut that produce products or services targeted to Connecticut residents and that, during the preceding calendar year, either (i) processed the personal data of at least 100,000 consumers, or (ii) processed the personal data of at least 25,000 consumers and derived over 25% of gross revenue from the sale of personal data. Absent from the Connecticut law is an annual revenue threshold.
  • Colorado Privacy Act (CPA). The Colorado Privacy Act (CPA), due to take effect on July 1, 2023, introduces privacy regulations aimed at enhancing consumer rights and imposing obligations on businesses that collect and process personal data. Under the CPA, consumers have the right to access, correct, delete and opt out of the sale of their personal data. Covered businesses must provide transparent privacy notices and establish reasonable security measures to protect personal data.

Texas, Tennessee, Montana, Iowa and Indiana are expected to implement similar data privacy laws in 2024. There also continues to be ongoing discussion of, and proposals for, comprehensive federal privacy legislation. Several recent bills have been introduced in the U.S. Congress to address privacy concerns at the federal level, including:

  • The Information Transparency and Personal Data Control Act, which aims to establish comprehensive privacy protections for individuals and enhance transparency and control over personal data;
  • The Online Privacy Act, which seeks to establish individual privacy rights, increase accountability for data breaches and establish a data protection agency;
  • The SAFE DATA Act, which aims to protect consumer data privacy and establish a national standard for data breach notification; and
  • The Consumer Online Privacy Rights Act, which seeks to enhance consumer privacy rights and establish a comprehensive framework for data protection and privacy.

As the United States continues to explore a federal-level privacy framework, the EU and UK are guided by centralized, established legislation to manage privacy issues.

EU and UK: The General Data Protection Regulation (GDPR)

The law governing the collection and use of personal data in the EU and UK is largely contained in the GDPR, which came into force on May 25, 2018. Although the UK has now left the EU, the GDPR continues to apply in the UK subject only to minor amendments at this point (although this could change over time).

The potential consequences of breaching data protection laws in the EU/UK are significant. For example, in serious cases, GDPR fines can be up to approximately $20 million or 4% of an organization’s total annual worldwide turnover, whichever is higher, per breach.

The GDPR sets out key principles that govern the processing of personal data where the GDPR applies, including that personal data shall:

  • be processed fairly and lawfully;
  • be obtained only for a specified and lawful purpose and not be further processed in a manner that is incompatible with the original purpose;
  • be adequate, relevant and not excessive in relation to the purpose for which it is being processed;
  • be accurate and, where necessary, kept up to date;
  • not be kept for longer than is necessary for the purpose for which it is processed; and
  • be protected by appropriate technical and organizational measures against unauthorized or unlawful processing and against accidental loss or destruction.

Importantly, the GDPR also requires organizations to be able to demonstrate compliance with these principles (e.g., by reference to policies, procedures, internal records, etc.).

Who the GDPR Applies To
The GDPR applies to the processing of personal data by organizations established in the EU or UK. The definitions of “controllers” and “processors” (i.e., those who have obligations under the GDPR) refer to “natural or legal persons, public authorities, agencies or other bodies” and may therefore apply to associations, irrespective of their incorporation status.

The GDPR also applies to non-EU/UK organizations that offer goods and services to the EU/UK market or that monitor the behavior of individuals based in the EU/UK, as far as that behavior takes place within these jurisdictions. The GDPR may therefore apply where an association offers services into the EU/UK market (such as by providing information, hosting events, undertaking surveys, offering accreditations, etc.). Any monitoring of members within the EU/UK (e.g., via the use of tracking technologies on websites) could also bring the processing of personal data within scope. Those conducting business in the EU and/or UK are required to look closely at the requirements of the GDPR to ensure their systems, policies and contractual arrangements are compliant.

GDPR Compliance
Key requirements under the GDPR include the following:

  • Legal Basis for Processing. Personal data can only be processed where there is a legal basis for the processing (e.g., consent, legitimate interests, contractual necessity, etc.). Organizations need to identify (and record) their legal bases.
  • Privacy Notices. Organizations are required to provide certain information to data subjects when personal data is collected. This information is often contained in a privacy notice (i.e., setting out the identity of the “data controller,” how the personal data is used, etc.). Privacy notices should be reviewed regularly to ensure they are accurate and up to date.
  • Mandatory Documentation. Those caught by the GDPR are required to demonstrate compliance through certain internal documents, maintaining written records of all data handling activities and by carrying out data protection impact assessments, where required.
  • Data Subject Rights. Organizations must comply (in most circumstances) with data subject rights (e.g., right of access, right of rectification, right to be forgotten, right to restrict processing, right to data portability, right to object and right not to be subject to automated processing, etc.). The GDPR gives data subjects control over their personal data and how it is handled. Requests by data subjects to exercise their rights must ordinarily be complied with within one month (although this can be extended), so having policies and processes in place to identify and respond to requests efficiently is important.
  • Breach Notification. Organizations, generally, must report data breaches to the relevant supervisory authority within 72 hours of their becoming aware of the breach unless the breach is unlikely to result in a risk to the data subjects. Where there is a high degree of risk to data subjects, the organization must also notify the affected data subjects without undue delay.
  • Contracts with Vendors. Where an organization appoints a third party to handle personal data on its behalf (e.g., cloud storage, outsourced payroll, customer relationship management software or other software-as-a-service (SaaS) providers), certain mandatory provisions must be included in the contract with the third party (which will act as a “processor” on behalf of the “controller” organization).
  • Consent for Marketing. Although this is technically dealt with under another law, the ePrivacy Directive (rather than the GDPR), organizations must ensure that they have appropriate consent before sending direct marketing (such as newsletters, invitations to events, etc.) to individuals based in the EU/UK.
  • Website Compliance. Also under the ePrivacy Directive, organizations with websites that are accessible in the EU/UK should ensure their websites comply with the rules on “cookie” placement (which require a cookie banner that obtains express consent to be in place).
  • Registration. Certain jurisdictions (such as the UK) require organizations who collect data from that jurisdiction to register their local subsidiaries with the relevant supervisory authority. This may involve the payment of a nominal fee.
  • Data Protection Officers (DPOs). In some circumstances, organizations caught by the GDPR will need to appoint a DPO, in which case thought will need to be given as to whether this applies and, if so, who that person or persons might be.
  • Appointment of Representatives. Where the GDPR applies to an organization established outside the EU/UK, it may need to appoint a representative in the relevant jurisdiction (depending on the extent of its processing of personal data that is covered by the GDPR). Since Brexit, if an organization is subject to both the EU and UK GDPR, it may need to appoint representatives in the EU and UK.
  • Data Protection “By Design” and “By Default.” Organizations must ensure that, in the planning phase of processing activities and implementation phase of any new product or service, data protection principles and appropriate safeguards are addressed/implemented.

International Data Transfers
Personal data subject to the GDPR must not be transferred to another country unless it is ensured that the data will be afforded the same level of protection as it has under the GDPR. Certain jurisdictions (such as the UK, the EEA, Canada and Japan) have been determined to provide an adequate level of protection of personal data from an EU/UK perspective. Data can be transferred to the jurisdictions that are subject to an “adequacy decision” without further authorization. For other countries, an alternative “appropriate safeguard” must be employed as follows:

  • Standard Contractual Clauses (SCCs) are the most commonly used appropriate safeguard. There are two sets of SCCs (one for EU data and one for UK data). In addition to incorporating SCCs into the contract, the parties must also undertake a “Transfer Impact Assessment” (TIA) to determine whether the data will be afforded the same level of protection following the transfer. The TIA must be retained as part of the accountability requirement under the GDPR.
  • Binding Corporate Rules (BCRs) are intended for use by multinational corporate groups or groups of enterprises engaged in a single economic activity. The rules are approved by a supervisory authority and data can be transferred freely between the parties that have signed up to adhere to them.
  • Transfer frameworks (such as the now defunct EU-US Privacy Shield) are self-certification schemes that parties in certain jurisdictions can sign up to. Participants in these schemes can then receive data from the EU/UK without requiring further authorization. Note that there is currently no active scheme in place for EU/UK to U.S. transfers (although work is being undertaken on a new framework).

There are certain limited derogations to the transfer requirements of the GDPR, but these are generally interpreted restrictively by regulators and care/legal advice should be taken before seeking to rely on them.

Like Europe and the UK, China also abides by national-level privacy and cybersecurity laws, some of which have been in place since 2017.

China: Detailed Privacy and Cyber Security Requirements

In recent years, China has published several laws and regulations on cybersecurity and data privacy. Foreign associations and nonprofits may need to collect data and personal information from China when they handle membership applications, event registrations or conduct membership surveys, etc. The following laws are the backbone of China’s data privacy and cybersecurity legal framework:

  • China Cybersecurity Law (CSL). Effective on June 1, 2017, the CSL applies to the construction, operation, maintenance and use of IT networks as well as the supervision and administration of cybersecurity within the People’s Republic of China (PRC). The CSL covers almost all business operators in China using or relying on IT networks. Personal Information (PI), which is equivalent to the GDPR’s “personal data,” and Important Data collected and generated by critical information infrastructure operators (CIIOs) in China must be stored in China. (“Important Data” as used in the Security Assessment Measures and Guidance refers to data that, once tampered with, destroyed, leaked, illegally obtained or used, could endanger national security, economic operation, social stability, public health and safety, etc. If foreign associations conduct any survey among members in China, they need to be careful about the data provided by members.) Transfer of such PI and Important Data outside of the PRC will be subject to a security assessment. If a foreign association has established any presence in China (e.g., a foreign NGO representative office), such local presences must comply with the CSL.
  • Data Security Law (DSL). Effective since September 1, 2021, the DSL applies to data processing activities and data security supervision within China. Processing activities include collection, storage, use, processing, transfer, supply and disclosure. If a foreign association has established any presence in China (e.g., a foreign NGO representative office), such local presences must comply with the DSL.
  • Personal Information Protection Law (PIPL). Effective on November 1, 2021, the PIPL applies to PI processing within the PRC and to the processing of PI of natural persons located within the PRC, where such processing is undertaken outside of China (for providing products or services to natural persons located within the PRC, analyzing or evaluating the behavior of natural persons located within China, or other circumstances provided by laws and regulations). For a foreign PI Handler (similar to a “controller” under the GDPR) whose processing activities are undertaken outside the PRC with respect to PI of natural persons located within the PRC, the PIPL requires it to establish a presence or to appoint a representative in mainland China to be responsible for PI protection matters and to file the name of such presence or the name and contact information of the representative with the authority in charge of PI protection.

If a foreign association has established a presence in China (e.g., a foreign NGO representative office) and that presence processes PI in China, the organization must comply with the PIPL. If a foreign association does not have any established local presence in China, the PIPL will also apply to it due to the extraterritorial effect of the PIPL. For example, foreign associations may collect PI from the PRC for membership applications, event registrations, etc., and this is likely to fall within the scope of the PIPL.

Cross-Border Transfer Under the PIPL
Article 38 of the PIPL (effective November 1, 2021) provides three mechanisms for PI Handlers to transfer PI outside mainland China (“Cross-Border Transfer Mechanisms”):

  • Passing a security assessment organized by the Cyberspace Administration of China (CAC) prior to any cross-border transfer of PI, if certain thresholds are triggered;
  • Obtaining PI security certification from a professional body (or bodies) designated by the CAC; or
  • Entering into a contract with the overseas recipient that sets out the rights and obligations of the parties, based on the China standard contractual clauses (China SCCs) to be released by the CAC.

Chinese authorities further published compliance guidance for PI Handlers on each of the Cross-Border Transfer Mechanisms, including:

  • Security Assessment Measures and Guidance. Published by the CAC and effective as of September 1, 2022, these measures set out a number of “Triggering Thresholds”; a PI Handler that meets any of them must apply for a Security Assessment and cannot rely on either Certification or the China SCCs to fulfill the legal requirements for the cross-border PI transfer. However, the Security Assessment Measures and Guidance do not indicate how the PI volumes in these thresholds are calculated (e.g., per entity or across a corporate group). If foreign associations have presences in China, assuming such China presences are not CIIOs and will not send any Important Data outside of China, those presences need to check carefully whether they meet the Triggering Thresholds for a Security Assessment. A PI Handler must also conduct a self-assessment of the PI transfer before exporting any PI.
  • Certification Specifications v2.0. Published by the National Information Security Standardization Technical Committee in December 2022; Certification is voluntary under the PIPL. The Certification can be used for all cross-border transfers of PI unless one of the Triggering Thresholds for Security Assessment is met. In respect of intra-group cross-border transfers of PI, the PRC entity (i.e., an affiliate located within mainland China) can apply for the Certification and undertake the legal liabilities. For cross-border PI transfers by foreign PI Handlers, their established presences in mainland China or designated representatives in mainland China can apply for the Certification and undertake the legal liabilities. The Certification Specifications also require that the applicant be a legal person. Foreign NGOs’ representative offices in China are not independent legal persons. Thus, it remains to be seen whether foreign NGOs’ representative offices in China can apply for Certification, and if not, who can be the designated representatives for foreign NGOs. As of the date of this summary, the China Cybersecurity Review Technology and Certification Center (CCRC) is the only professional body designated by the CAC to provide the Certification in China.
  • Measures on SCCs, Including Template China SCCs. Published by the CAC and effective from June 1, 2023, participants may use the China SCCs for PI cross-border transfers if they do not meet the Triggering Thresholds for a mandatory Security Assessment. The China SCCs must be filed with the competent CAC. Unlike the EU SCCs, the China SCCs are a complete template contract rather than a set of clauses that the parties can incorporate into their own contracts. Under the China SCCs, the parties can include additional clauses as an appendix, which must not conflict with the main body of the China SCCs. It remains to be seen whether foreign NGOs’ representative offices in China, as non-independent legal persons in China, can file the China SCCs.

General Requirements
In addition to satisfying one of the Cross-Border Transfer Mechanisms, a PI Handler must also fulfill additional requirements prior to transferring PI outside of mainland China, including:

  • Notice and Separate Consent. PI Handlers must notify data subjects of the overseas data recipient’s contact information, processing purpose and methods, the categories of PI, and the procedures for exercising their rights with respect to PI against the overseas data recipient, and must obtain their separate consent for the cross-border transfer (and for collecting and transferring Sensitive PI, if relevant); and
  • PIA. PI Handlers must conduct a PIA (i.e., a security self-assessment) prior to any cross-border transfer, and the report must be kept for at least three years. Based on our review of the Certification Specifications, Draft Rules on SCCs, and Security Assessment Measures and Guidance, it may be best practice to include the following factors in a PIA report:

 -  The legality, legitimacy and necessity of the purpose, scope and means of the PI cross-border transfer and PI data processing by the overseas data recipient;

 -  The quantity, scope, categories and sensitivity of the PI to be transferred, and the risks that such PI transfer may bring to the national security, public interest or lawful rights and interests of natural persons or organizations;

 -  Responsibilities and obligations undertaken by the overseas recipient, as well as whether the management and technical measures adopted by the overseas recipient are adequate to ensure the security of the exported PI;

 -  The risks of PI being tampered with, damaged, leaked, lost, transferred, illegally obtained or used during or after the transfer, and whether data subjects are able to exercise their rights smoothly;

 -  Whether legal documents signed with the overseas data recipient include sufficient obligations to ensure PI security; and

 -  Other matters that may affect the security of the cross-border PI transfer.

As each of the above regions continues to enhance privacy regulations and maintain enforcement of existing frameworks, nonprofits operating in these areas should seek legal advice on the careful handling of data. All regions will require a cautious approach to the transfer of personal information as well as record-keeping of such transactions. It will be key to have systems in place to efficiently address any legal questions that may arise.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.