New Rules for Data Transfers Out of the United Kingdom

New rules for personal data transfers to countries outside the United Kingdom enter into force on March 21, 2022. Businesses transferring personal data from the U.K. to countries outside the European Economic Area (EEA) need to analyze their international data flows and potentially update their transfer mechanisms to reflect these new provisions.

Under the U.K. General Data Protection Regulation (GDPR) and the U.K. Data Protection Act 2018 (collectively the “U.K. Data Protection Laws”), companies are required to, among other things, implement valid data transfer mechanisms when transferring personal data outside the U.K. to countries without an adequate level of data protection. Standard contractual clauses (SCCs) are a commonly used mechanism to validate these transfers. Once the Brexit transition period ended on December 31, 2020, the EU-GDPR no longer applied to the U.K.; the UK-GDPR applied instead. Therefore, when the European Union published revised SCCs in June 2021, they did not automatically apply in the U.K., and U.K. companies continued to rely on the old EU-SCCs to validate data transfers.

To sort out this complexity, the U.K.’s Information Commissioner’s Office (ICO) recently issued a new toolkit of standardized clauses in the form of two documents. The first is the International Data Transfer Agreement (IDTA). The IDTA may be executed as a standalone agreement to accompany a main contract to ensure compliance with U.K. Data Protection Laws. The second is an addendum to the EU’s 2021 standard contractual clauses (U.K. Addendum). As noted above, many companies operating internationally already have the EU SCCs in place. The U.K. Addendum to the EU SCCs allows companies subject to both the U.K. Data Protection Laws and the EU-GDPR to secure international data transfers without the need to execute a completely new, separate mechanism such as the IDTA.

For some U.S.-based companies, the new U.K. SCCs could create more complexity in contract negotiations and data transfer activities generally. Companies importing data will need to ensure their internal processes align with both the EU SCCs and U.K. SCCs, including which contract modules apply to each unique relationship. This added complexity may require companies to reassess and potentially revise their methods for executing contracts requiring cross-border data transfers.

If the U.K. Parliament makes no further changes, the U.K. SCCs will be effective March 21, 2022. U.K. companies must fully implement the U.K. SCCs by March 21, 2024 and have up to this deadline to update existing contracts with these new clauses. In the meantime, for existing contracts, companies have three options: (1) continue using the older EU SCCs, (2) implement the new IDTA, or (3) implement the new U.K. Addendum along with the EU SCCs. These same options exist for contracts executed between March 21, 2022 and September 21, 2022. For contracts entered into on or after September 21, 2022, companies must use the new U.K. SCCs. This means (1) executing the IDTA in full, or (2) executing the U.K. Addendum with the EU SCCs.

While these new clauses create more legal certainty in the area of data transfers out of the U.K., the numerous contracting options available create additional complexity for U.K. companies and data importers in countries deemed inadequate, such as the U.S. We expect the ICO to issue further guidance on specific IDTA and U.K. Addendum clauses in the coming months.


Featuring a high concentration of CIPP-certified privacy professionals, Varnum attorneys guide businesses through all aspects of data privacy and cybersecurity, from compliance and policy issues to breach preparedness and response.

Utah Likely Next State to Pass Consumer Privacy Law

The Utah Consumer Privacy Act unanimously passed the Utah Senate on February 25 and, with a few minor wording changes, passed unanimously in the Utah House on March 2. The final version is awaiting Governor Spencer Cox’s signature. If signed by the March 24 deadline, the law will take effect December 31, 2023, and make Utah the fourth state with a comprehensive consumer privacy law.

The law applies to controllers or processors that (1) do business in the state or produce a product or service targeted to consumers who are Utah residents; (2) have annual revenue of $25 million or more; and (3) either (a) control or process personal data of 100,000 or more consumers during a calendar year, or (b) derive over 50 percent of the entity’s gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.

Under the new law, consumers have the right to confirm whether a controller is processing their personal data, obtain a copy of their personal data in a format that is portable and readily usable, and request deletion. Utah’s law most closely resembles Virginia’s Consumer Data Protection Act and does not include a private right of action. This means consumers won’t be able to sue for alleged violations, as the law is only enforceable by the Utah Attorney General (including a 30-day cure period). The law includes broad exemptions for entities regulated under certain federal laws, covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), information governed by HIPAA, financial institutions and information governed by the Gramm-Leach-Bliley Act (GLBA), and personal data regulated by the Family Educational Rights and Privacy Act (FERPA). Unlike California, the law does not provide rulemaking authority for the Utah Attorney General’s Office.

Companies are required to publish privacy notices, providing:

  • the categories of personal data processed;
  • the purpose for the processing;
  • how consumers may exercise a right;
  • the categories of personal data the controller shares with third parties; and
  • the categories of third parties with whom the controller shares personal data.

The Utah Consumer Privacy Act also creates requirements for the processing of “sensitive data,” including requiring that controllers first present consumers with clear notice and an opportunity to opt out of the processing.

It is unlikely the addition of a privacy law in Utah will tip the balance in favor of a federal data privacy law during the current legislative session. We are monitoring state legislative activity and could see at least two more states pass similarly comprehensive consumer privacy laws this session.

U.S. Supreme Court to Review Constitutionality of ICWA

The Indian Child Welfare Act of 1978 (ICWA) was enacted to address the high rates of Indian children being separated from their Indian families and Indian communities. The stated intent of Congress under ICWA was to “protect the best interests of Indian children and to promote stability and security of Indian tribes and families” (25 USC § 1902). Recent years have seen an increased number of challenges to various provisions of ICWA and parallel state statutes in both Federal and state court lawsuits, with opponents alleging the statutory provisions are unconstitutionally race-based.

Today, February 28, 2022, the U.S. Supreme Court agreed to review four petitions arising from an en banc decision of the U.S. Fifth Circuit Court of Appeals from April 6, 2021, in Haaland v Brackeen. In that case, a Federal district judge in Northern Texas invalidated ICWA. The decision was then overruled by a three-member Fifth Circuit panel before consideration by the entire Fifth Circuit bench ultimately upheld key provisions of ICWA.  

The Supreme Court’s decision to review Brackeen is not surprising considering the ongoing dispute impacts not only ICWA and related rules promulgated by the Bureau of Indian Affairs, but also impacts similar statutory mechanisms and procedural standards in a number of states such as the Michigan Indian Family Preservation Act (MIFPA). A date for argument before the Supreme Court has not yet been set.

Don’t Forget About Early Retirement Benefits in DRO Drafting

The ongoing COVID-19 pandemic has contributed and continues to contribute to a spike in early retirements. Related benefits must be considered when domestic relations orders (DROs) are prepared to complete division of divorcing parties’ retirement benefits. Benefits related to early retirement include the following:

  • Buy-outs are typically one-time benefit enhancements offered by an employer. An example is an increased employee service period for purposes of calculating pension payments. They are generally considered to be a marital asset.
  • An early retirement supplement is usually an additional pension payment paid from the employee’s date of retirement until the employee reaches age 62 and becomes eligible for social security. Care must be given to address such supplements to avoid an unintended penalty on the employee party.
  • An early retirement subsidy is a benefit intended to induce early retirement for employees meeting certain requirements, such as a specified number of years of service. If the alternate payee takes early payment of his/her share of the pension, he or she may miss a significant benefit if the DRO does not allocate such a subsidy and the employee retires early.

A related pitfall can occur where the alternate payee elects to take his/her portion of a pension early based on an expected early retirement subsidy, but the employee works until full retirement age and the subsidy “ages out” or lapses, penalizing the alternate payee. Careful consideration of these issues must be given in DRO drafting.

Filing Tax Returns and Making Tax Payments: Best Practices During the Pandemic and Beyond

With staffing shortages and service center closures, it should come as no surprise that the IRS has faced a number of challenges during the pandemic. A couple of the biggest challenges have been in the opening and processing of taxpayer correspondence and in the processing of tax returns. As National Taxpayer Advocate Erin Collins stated in her Annual Report to Congress, “Paper is the IRS’s Kryptonite, and the IRS is buried in it.”

Going into 2022, the IRS has a significant backlog of unprocessed taxpayer correspondence and unprocessed returns. The estimates are staggering.

  • Five million pieces of unprocessed taxpayer correspondence
  • Over 11 million unprocessed tax returns, including:
    • Six million individual income tax returns
    • 2.3 million amended individual tax returns
    • 2.8 million business returns (income tax and employment tax returns)

The 2022 tax filing season, which opened on Thursday, January 24, for individual income tax returns, has the potential to create even more challenges for the IRS. Below is a list of best practices taxpayers can follow to ensure timely processing of their payments, tax returns, and claims for refund. These practices apply to individuals and to required filings by businesses.

  • File returns and make payments electronically.
  • If you must file a paper return or mail in a payment to the IRS, send the return or payment to the proper address via USPS Certified Mail, Return Receipt Requested. Using this method will assist in resolving timely filing and/or timely payment penalties assessed by the IRS.
  • Properly notate your tax payment and include the form number, tax period and your social security number or employer identification number.
  • Respond to notices from the IRS in a timely manner. 

In addition to the above, the IRS has offered a few filing tips for individuals.

  • Fastest refunds by e-filing, avoiding paper returns: Filing electronically with direct deposit and avoiding a paper tax return is more important than ever to avoid refund delays. If you need a tax refund quickly, do not file on paper – use software, a trusted tax professional or IRS Free File.
  • Filing 2021 tax return with 2020 tax return still in process: For those whose tax returns from 2020 have not yet been processed, 2021 tax returns can still be filed. For those in this group filing electronically, here’s a critical point: taxpayers need their Adjusted Gross Income, or AGI, from their most recent tax return at time of filing. For those waiting on their 2020 tax return to be processed, make sure to enter $0 (zero dollars) for last year’s AGI on the 2021 tax return. Visit Validating Your Electronically Filed Tax Return for more details.

More individual filing tips from the IRS can be found here.

If you have unpaid taxes or unfiled returns, you need an experienced tax attorney to represent you in your dealings with the IRS or the Department of Justice. An accountant or enrolled agent is not protected by attorney-client privilege. Please contact Eric Nemeth of Varnum’s Tax Practice Team with any questions.

Data Privacy Day: When Was The Last Time You Had a Privacy Check?

Every year on January 28, Data Privacy Day is observed as part of an international effort to raise awareness about the importance of data privacy and security. Whether you are an individual interested in protection of your own personal data or a business trying to protect your clients, employees, or other personal information, we hope this article can serve as a reminder to review how you are protecting your valued personal data.

Here are some of our top data privacy and data protection reminders for businesses for the upcoming year.

Know What Type of Personal Data Your Business Collects

Personal data is defined by the European Commission as “any information that relates to an identified or identifiable living individual.”[1] Multiple pieces of personal information that, when put together, would identify an individual are also personal data. Whether a country, state, or locality uses the term “personal data” or “personal information” in its laws or regulations, the general concept remains the same.

Examples of personal data include: first and last name, physical address, personal email address, location data (such as on a cell phone), IP address, driver’s license number, social security number, vehicle identification number, and even data held by a medical provider that could identify a unique individual.

Your business more than likely collects some type of personal data. Taking a first step to identify what type of personal data you collect will help your business comply with any applicable data privacy laws.

Review or Implement Your Privacy Policy

Your privacy policy is your best mechanism for communicating your data privacy practices to your customers and regulators. Besides its utility as a transparency and communication tool, several data privacy laws, including the California Consumer Privacy Act, require annual review and publishing of company privacy policies.

The annual review provides an opportunity for your business to confirm the information published in the policy is current and accurately reflects your practices. Knowing what type of personal data your business collects and why is pertinent, as you will need to disclose the type of personal data collected and scope of use for that data.

To provide the utmost transparency to customers and others interacting with your business, carve out an area of your website to house the current version of your policy, with a linked archive to versions from the past three to five years. When updating your policy, provide a summary at the top or bottom of the new document identifying what changed from the previous year.

Consider How Your Business Responds to a Data Subject Access Request

Knowing what type of personal data your business collects and being transparent about it are important steps toward compliance, but what will your business do if a data subject exercises their right of access under applicable law? What if they ask you to delete their personal data from your systems?

Jurisdictions with data privacy laws and regulations provide various rights for individuals, with an underlying right that a person can “access” the data a company holds about them. Under the EU-GDPR and CCPA, data subjects can ask a company the types of personal data collected and what specific pieces of their personal data the company holds. Both laws also provide a right of deletion: an individual can ask a company to permanently remove their personal data from their systems, and in most circumstances the company will need to comply with the request within the legal timeline.

Establishing an internal process and procedure for timely responding to these types of rights requests is vital for any business subject to a data privacy law or regulation creating these rights. The key is identifying where the distinct types of personal data are stored on your systems, understanding which individuals in your business have access to those systems in order to assist in processing these requests, and maintaining a structured workflow to ensure proper oversight and ownership of this process.

Create and Enforce a Data Retention Plan

Developing and maintaining a data retention plan for your company will help minimize the amount of personal data your business collects, facilitate internal organization to effectively respond to data subject access requests, reduce the amount of storage and personal data for which you are responsible, and overall increase your company’s strength in the area of data privacy and security.

In setting up a data retention plan, you should make sure it addresses (i) what information is covered; (ii) the timelines you are required to keep such information, which may differ under federal or state law; and (iii) how your company will destroy or remove personal data from your company’s document management system.

The timelines and requirements your data retention plan sets forth should be reasonably enforceable to ensure compliance is achieved.

Maintain Appropriate Privacy Contractual Controls

Knowing what personal data you hold and where it is stored is not enough. Your business also needs to be continuously aware of others with whom you share personal data, especially third-party sub-processors. Data sharing relationships are often spelled out in contractual provisions or addenda. If you work with entities in different countries, cross-border controls such as standard contractual clauses may also come into play. It is important for your business to understand how personal data flows through your company systems, and to keep in mind data sharing interactions throughout the course of your business functions, ensuring the proper controls are in place.

Layer Your Security Controls

An important step in ensuring your company is secure is addressing who has access to the personal data your company stores. Security controls and tools you should consider using include physical controls, digital security controls, and cloud security controls.

  • Physical security controls generally refer to traditional methods of security such as locks, guards, or access key cards that limit a person’s access to certain areas where personal data is kept, stored, or accessible.
  • Digital security controls limit a person’s access to your business’s systems through detailed password requirements, antivirus software, or multi-factor authentication (MFA). MFA is a highly effective tool, as it has been found to prevent up to 99.9 percent of data security hacks.
  • Cloud security controls require coordination with your cloud services provider to ensure the necessary protections are in place to prevent unauthorized access to the stored data and workloads.

Educate Your Workforce

Lastly, your employees are your best defense against phishing and other cyberattacks. If you have not already done so, it should be your 2022 resolution to plan regular cybersecurity trainings for your employees. The trainings should make employees aware of what types of attacks exist and how to identify signs and risks that could expose the company to an attack.

Implementing clear and reasonably enforceable policies and procedures will help your employees know what their responsibilities are, how they can fulfill those responsibilities, and how to react promptly in the case of a data breach.

While cybersecurity and data privacy efforts sometimes focus on the technology itself to prevent data breaches, it’s important to account for the human element and ensure all employees understand their responsibilities in protecting your company’s security.

What’s New with U.S. State Legislation?

To date, three states – California, Colorado, and Virginia – have enacted consumer data privacy laws that cover many of the topics above.

  • California: Currently, the California Consumer Privacy Act of 2018 (CCPA)[2] governs consumer data privacy in California. On January 1, 2023, the California Consumer Privacy Rights Act (CPRA) will take effect, implementing additional consumer data privacy laws. The CPRA does not replace the CCPA but rather adds to it by expanding individual rights, introducing new governance measures, and creating the California Privacy Protection Agency.
  • Virginia: In Virginia, the Consumer Data Protection Act (CDPA)[3] also becomes effective at the beginning of next year on January 1, 2023. Similar to the CCPA/CPRA, the CDPA prescribes responsibility and privacy protection standards for businesses that handle or process personal data. Enforcement of Virginia’s CDPA will be by the Attorney General.
  • Colorado: In Colorado, the state legislature enacted the Colorado Consumer Protection Act (CPA)[4] which takes effect on July 1, 2023. The law addresses consumers’ rights and the responsibilities of businesses that handle or process personal data. Similar to Virginia, the Attorney General will be the enforcer for any violations.

In preparation for 2023, businesses will want to become more familiar with the additional requirements of the CPRA, the Colorado CPA, and the Virginia CDPA.

What’s Going On at the U.S. Federal Level?

The United States is lagging in producing a comprehensive data privacy law at the federal level. Dozens of privacy-related bills have been proposed over the past decade from both sides of the aisle and in both the House and Senate chambers. These bills deal with narrow data privacy-related issues such as facial recognition and artificial intelligence or access to records by law enforcement.

In the absence of a comprehensive federal privacy law, some suggest the U.S. Federal Trade Commission may promulgate and enforce an overarching, non-sector specific privacy rule, although any efforts in that direction have not yet been fully explored or finalized.

Please contact your Varnum attorney or any member of the firm’s Data Privacy and Cybersecurity practice team with questions on how you can best protect your or your business’s private information.


[1] There are multiple definitions of “personal data” or “personal information.” While worded slightly differently, they all promote the same understanding of what constitutes personal data. For the purposes of this article, we chose to use the definition provided by the European Commission. https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
[2] Cal. Civ. Code §§ 1798.100 et seq. Note: the CCPA/CPRA has certain threshold requirements before its provisions apply. Generally, a business is subject to the CCPA/CPRA if: (1) it does business in the state of California, and (2) it meets one of the following criteria: (i) has an annual gross revenue of more than $25,000,000 in the preceding calendar year; (ii) buys or shares personal information of 100,000 or more consumers or households; or (iii) derives 50% or more of its annual revenue from selling consumers’ personal information.
[3] 2021 H.B. 2307/2021 S.B. 1392. The CDPA also has threshold requirements for its application. Generally speaking, the CDPA applies to businesses that either conduct business in Virginia or target Virginia residents through their products or services, and (1) control or process data of at least 100,000 consumers or (2) control or process personal data of consumers and derive over 50% of gross revenue from the sale of personal data.
[4] Colo. Rev. Stat. § 6-1-1301 et seq. The CPA also has its own threshold for application, requiring that the business conduct business in Colorado or produce or deliver commercial products or services to Colorado residents, and (i) control or process the personal data of at least 100,000 consumers during the calendar year, or (ii) derive revenue or receive a discount on the price of goods or services from the sale of personal data.

Separate Property Basics Part III: It’s Yours, But Could Be Mine

This is the final installment in our three-part discussion of separate property in divorce. We previously covered common categories of marital and separate property. This week, we consider how one spouse’s separate property might be “invaded” in divorce.

Invasion of Separate Property

In general, each party will receive their own separate property, without any part going to the other party, and the Court will then seek to make an equitable division of all that remains in the marital estate. But there are two important exceptions wherein the Court may “invade” one spouse’s separate property and divide it up anyway: upon a showing of “substantial need,” or “contribution.”

The “substantial need” exception derives from Michigan statute MCL 552.23(1), which provides that separate property may be invaded if, after division of the marital assets “the estate and effects awarded to either party are insufficient for the suitable support and maintenance of either party….” As interpreted by Michigan courts, this means that invasion is allowed when one party demonstrates additional need, such that invading one party’s separate property is necessary to ensure that the other party has sufficient resources to support themselves.[1] 

The “contribution” exception derives from Michigan statute MCL 552.401, which provides that the court may invade separate property when the other spouse “contributed to the acquisition, improvement, or accumulation of the property.” Thus, “[w]hen one significantly assists in the acquisition or growth of a spouse’s separate asset, the court may consider the contribution as having a distinct value deserving of compensation.”[2] A common example of this is a home purchased prior to the marriage but which becomes the marital home after the couple marries. The longer the parties live in the home, the more marital the home becomes. There is no definitive rule as to timing but the theory is that the non-purchasing spouse is contributing to mortgage reduction and upkeep and maintenance.

Another example is closely held company stock that increases in value as a result of both parties’ efforts during the marriage. In a recent case, the trial court found that certain private stock the husband acquired before marriage was the husband’s separate property and that his efforts working for the company during the marriage contributed to the increase in the value of the stock. The court noted that while the husband worked long hours for the company (as much as seven days a week and 12-hour days), the wife also worked for the company and was fully responsible for the children while the husband worked long hours. The trial court ruled (and the Court of Appeals affirmed) that the wife was entitled to 1/3 of the value of the stock because she contributed to its appreciation not only as an employee of the company, but also by managing “the household and childcare for the couple’s children.”[3]

Separating Expectations from Reality

Anyone contemplating divorce should resist the urge to rely on their gut instinct for determining what property may or may not be subject to division. While the law in this area is relatively clear and often well-reasoned, it may not coincide exactly with what seems fair on a surface level. Things like separate bank accounts or each spouse’s respective earnings may seem like they should be separate, but they are not. In addition, the application of the law will always depend on a judge’s view of the facts: how extensively were funds commingled? Is there substantial need for invasion? How significant was one spouse’s contribution to the other’s separate property? What did the parties really intend to keep separate? Understanding the analysis courts go through is certainly necessary for arguing your case to a judge, but it is also helpful in negotiating a property settlement outside of court. By knowing your legal rights, you know when it makes sense to concede and when it makes sense to push for a better deal.


[1] See Reeves, 226 Mich. App. at 494.
[2] Id.
[3] Sutariya v. Sutariya, No. 345115, 2021 WL 5019330, at *3 (Mich. Ct. App. Oct. 28, 2021)

Registration for H-1B Cap-Subject Petitions Opens in March

The electronic registration process for H-1B cap-subject petitions will open on March 1, 2022 and end on March 20, 2022. U.S. Citizenship and Immigration Services (USCIS) will utilize a random lottery process to select 85,000 petitions for the H-1B cap (65,000 for the general category and 20,000 for the U.S. advanced degree category). Applicants selected in the random lottery will be notified by March 31 and will have until June 30 to submit the H-1B petition for the beneficiary named in the registration. In previous years, USCIS has conducted second and third rounds of the lottery to meet the H-1B cap.

Varnum immigration attorneys have begun to collect information to be prepared for the March registration period. Employers with employees on F-1 Optional Practical Training (OPT) or candidates needing cap-subject H-1Bs should contact us by mid-February for assistance with registration.