Many of the key policy debates that we expected to happen in 2020 seemed to be essentially frozen for the year as we all responded to the horrors of COVID and the seismic political shifts across the globe. So what does this new year hold for us? We hope for a return to normalcy as vaccinations spread across the globe, a new Administration takes the reins in DC, and the UK continues to negotiate the terms of a new relationship with the EU. Here are some of the key areas in privacy and data protection where we anticipate potential developments in 2021.
- Federal Privacy Bills
Federal privacy laws have been anticipated for many years. State law developments, particularly in California, had led to a renewed focus on federal legislation before COVID dominated the national stage. With the change in Administration, the prospects for national privacy legislation have likely increased, although the shape of these bills may well reflect the control of the Senate at issue in the Georgia run-offs, particularly as regards private rights of action and preemption.
- Privacy Law California-Style
The California Consumer Privacy Act (“CCPA”) took effect January 1, 2020, but questions still remain about many of its requirements. The California AG “finalized” its regulations in August 2020, but we now face a fourth round of amendments. In addition, the newly passed California Privacy Rights Act (“CPRA”) ballot initiative will create a new agency focused on data protection, the California Privacy Protection Agency (“CPPA”), and will further expand the privacy rights of Californians. As the CPPA comes online, with board member appointments as early as the end of this month, we expect the state to consider reviewing and revising its regulatory guidance once again in the lead-up to the operational date of most of the CPRA’s provisions in 2023.
- New York State of Mind
The New York State Department of Financial Services (“NYDFS”) Regulation, launched in 2017, completed the final phase of implementation last March. Enforcement started in 2020, and NYDFS will likely step up enforcement of the Regulation in the upcoming year.
The NY SHIELD Act has likewise updated the New York approach to cybersecurity, while privacy bills pending in the New York state legislature may bring the notion of information fiduciaries into the mainstream.
- Online Behavioral Advertising
Cross-context online behavioral advertising will face its greatest challenges to date in 2021. The once-untouchable field could face antitrust and consumer protection challenges as the industry continues to address ways to keep the Internet free, promise wealth to its pioneers, and not have consumers feel like they are consumed.
- U.S. Biometrics Legislation
The use of biometric data by government, corporations, and employers is likely to continue to be an active area. No federal law specifically governs the use of biometrics. Illinois, Washington, and Texas have biometric privacy laws on the books, and other states may follow in 2021. Of the three state biometric laws, the Illinois Biometric Information Privacy Act (“BIPA”) is the only state statute that provides a private right of action for consumers, making it the most actively litigated to date, with the question of standing being at the forefront of current BIPA litigation.
Several other states have added biometric data to their definitions of personal information, including in state breach notification laws, the CCPA, and the New York SHIELD Act. Other states, notably Massachusetts, New York, Delaware, Alaska, and Michigan, have considered legislation that closely follows BIPA, including a private right of action, and could see proposed legislation come to a vote in 2021.
- Children’s Advertising
In 2019, the FTC reached notable settlements for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). The trend of the FTC cracking down on social media platforms violating COPPA may continue in 2021.
- TCPA Litigation
Telephone Consumer Protection Act (“TCPA”) litigation is expected to remain an active area for plaintiffs’ attorneys going forward. This past year saw an uptick in litigation involving the TCPA, which governs the conduct of telemarketers and regulates the tools telemarketers use to contact consumers.
- The FTC’s Enforcement and Regulatory Powers
The FTC is expected to flex its regulatory muscle in 2021. In 2019, the FTC issued record fines, including a $5 billion fine against Facebook, Inc. for alleged deceptive third-party data sharing with organizations like Cambridge Analytica, and a $575 million settlement with Equifax for its data breach. A key dissenter from the Facebook decision was Commissioner Slaughter, who would have pursued Facebook executives personally; Commissioner Slaughter could well become the FTC Chair in 2021.
- Still Going Dark After All These Years: Encryption and Law Enforcement Access
Law enforcement access to encrypted devices is likely to remain an active question in 2021, having been an area of interest and discussion for several years. End-to-end encryption may well prevent government officials from obtaining electronic evidence and intelligence that they have requested in the course of investigating or prosecuting threats, even with a warrant or court order—an issue that the law-enforcement community sees as increasing the risk of things like terrorist attacks.
- The Return of the FCC?
Remember net-neutrality and how the FCC enforcement bureau once vied with the FTC for authority over the privacy of data on the Internet? Expect this debate to be reborn in 2021 with the new Administration.
- Health Privacy
Telehealth and telemedicine have soared as people sheltered in place over the past year. Watch for new regulatory initiatives to address HIPAA in the era of digital health.
- Supply-Chain Security
Do companies really know the security posture of all of their vendors? Vendor security—and the diligence businesses conduct regarding it—is an expanding area of focus for regulators. Like many privacy and cybersecurity issues, the area remains particularly compliance-based, because no clear ex ante standard of care has yet emerged, while post hoc judgments abound.
- Brexit & the ICO
With the UK’s new government firmly in control of the Brexit end game in 2021, continuing negotiations over the fate of data transfer and the EU granting the UK adequacy will no doubt be important issues in the coming months. UK data protection law, including the Data Protection Act 2018, which references and supplements the GDPR, is now in sole effect in the UK, but it appears that it will continue to mirror the GDPR at least for some years.
- EU International Data Transfer Mechanisms
The European Court of Justice (“ECJ”), having sowed confusion regarding Standard Contractual Clauses while erasing the EU-U.S. Privacy Shield, has created a new opportunity for the U.S. and EU to try once again to negotiate an agreement that will satisfy the ECJ or perhaps finally sign a treaty and resolve the issue (because treaties are not subject to ECJ review). In the meantime, organizations transferring personal data from the UK to the United States and other jurisdictions will have to address the numerous legal uncertainties about their ability to transfer data arising from the ECJ’s decision. Are data transfers to the United States permissible in light of the ECJ’s concerns about U.S. surveillance laws articulated in invalidating Privacy Shield? Organizations will need to grapple with these questions and find solutions in 2021.
- The ePrivacy Regulation?
Will the EU complete the GDPR project and finally agree on an ePrivacy Regulation to stand alongside the GDPR? The GDPR architects assumed that we would have a new ePrivacy Regulation at the same time as the GDPR. As the beloved Giovanni Buttarelli once commented, one without the other is “Mission Impossible.” And yet here we are, without Giovanni and without the ePrivacy Regulation having made meaningful progress as it has passed from EU Presidency to Presidency. Nonetheless, the CNIL appears intent on enforcement even in the face of the mass confusion created by having an EU-wide GDPR with Member State-specific ePrivacy rules.
- Data Laws in China
China has been actively developing its privacy and data protection authority in recent years and has now released its own draft adaptation of something that looks similar to the GDPR. The main laws currently comprising China’s data regulatory framework include the Cyber Security Law, effective since 2017, the Personal Information (PI) Security Standard, effective since May 2018, and the e-Commerce Law, effective since 2019, all of which continue to grow as they are elaborated through the regulatory process.
- Data Sovereignty
Data sovereignty, which refers to the requirement that data generated in a country or collected by an operator in a country be stored on servers within that country’s borders, is expected to continue to be a topic of active development in 2021. China and Russia have both implemented strict data sovereignty requirements. Federal law in Russia requires that all databases containing personal data of Russian citizens be located in Russia. China’s law goes further, requiring that “important data” as well as personal data be located in China. These requirements pose hurdles for companies operating in or with Russia and China.
In a similar vein, the U.S. has promoted a series of measures that directly seek to push Chinese companies out of the U.S. supply chain over cybersecurity concerns. Will 2021 bring more international norms or a further retreat into nation states?
- Japanese EU Adequacy and the Future of APEC
In 2019, the European Commission and the Personal Information Protection Commission (PPC) of Japan adopted mutual adequacy decisions allowing the transfer of personal data between the EEA and Japan. The GDPR generally prohibits the transfer of personal data outside the EEA absent adequate safeguards. Japan’s data protection law, the Act on Protection of Personal Information, contains a similar prohibition. As a result of the adequacy decisions, however, no additional data transfer safeguards are required for the transfer of personal data between Japan and the EEA. After largely freezing during 2020, it remains to be seen how the law will evolve in 2021.
- Brazil Privacy Law
Enforcement of Brazil’s new data protection law, the Lei Geral de Proteção de Dados (“LGPD”), formally went into effect in 2020, but it remains to be seen whether the LGPD will be enforced vigorously enough to garner international compliance. The LGPD is largely modeled on the GDPR, following the trend of a greater legal emphasis on implementing appropriate data security protocols rather than just dictating breach notice procedures. The law applies broadly, to any processing activity, regardless of where the entity collecting information is located, if:
- the processing operation took place in Brazil,
- the purpose of processing is related to individuals located in Brazil, or
- the personal data was collected in Brazil.
The LGPD also includes other familiar provisions, such as disclosure of the data processed and implementation of technical safeguards to protect the personal information collected. If found non-compliant, an entity could be fined up to 2% of its total Brazilian revenue or R$50 million per infraction. Showing a good-faith effort to comply with the regulation could mitigate fines.
- India Privacy Laws
We will continue to monitor for developments in Indian privacy laws in 2021. Although not yet passed by the Indian Parliament, the Personal Data Protection Bill (“PDPB”) may pass in 2021. The PDPB is an effort to codify consumer privacy after the 2018 Supreme Court of India decision that declared privacy a fundamental right under the Indian Constitution. The PDPB seeks to regulate both the sharing of personal information and the processing of “sensitive” and “critical” personal data. It also establishes a Data Protection Authority of India (“DPAI”) to enforce privacy regulations. The bill is significant in its reservation of data access for the central government and its watered-down version of a data localization requirement. In some ways, the PDPB looks similar to the GDPR and CCPA, in that it attempts to promote consumer consent in data sharing and seeks to minimize unnecessary data collection and processing. But it also deviates from previous privacy legislation in that it grants India’s central government the power to bypass all privacy protections if it provides a written order detailing a reason for the breach and specifying the manner forthcoming in the regulations.
And of course COVID will remain a factor throughout the year, as the line between home and office continues to erode, employers attempt to force workers to get vaccines, and countries require people to disclose personal medical information as the price of entry. 2021 will no doubt bring a further raft of COVID-related privacy issues.
These are only a few of the issues that we will be exploring in this blog over the year to come, so check back regularly for new posts.