Can you guess how many countries in the world have data privacy laws? According to the United Nations, 107 countries currently have these laws in place, and an additional 10% of countries have draft data privacy legislation, meaning there will likely be another 20 or so countries being added to the list in the coming year(s). And the United States? If you are unfortunate enough to have a data breach, you’ll need to look up the law from Alaska to Maine, as there is no single law governing all of the states.
On one hand, this can be a nightmare for those in compliance who handle privacy. On the other – job security. Trends in data privacy are challenging right now, leading to more complexity and difficulty for companies. Here are three trends to watch, and recommendations on how to deal with them.
Trend One: More and More US States trying to be “Tough” in their own way
January 1st marked the day the California Consumer Privacy Act (CCPA) came into force. While companies grapple with the requirements of the CCPA, other state legislatures are waiting in the wings with laws that have bigger teeth. According to the IAPP, 18 states have proposed or are in the process of proposing data protection laws.[i] Many of these proposed laws include GDPR-like mandates.
The much-heralded New York Privacy Act failed to pass through the legislature last year, but may come back with a vengeance this year. According to one journalist, “the bill would have introduced a regulatory framework that rivaled or potentially even surpassed that of the California Consumer Privacy Act.”[ii] This law was especially notable because it contained a private right of action – meaning citizens could sue companies individually under certain circumstances. Most data privacy laws require a data protection authority, attorney general, or government agency to sue a company for violations of the law. New York’s legislation would likely have unleashed a torrent of tort claims and lawsuits. Watch this space in case the bill comes back.
In California, the “California Privacy Rights and Enforcement Act 2020” may come into law via the initiative process. If enough California citizens vote for the law in November’s election, a stricter, more GDPR-like law will come into force in the State.[iii] The initiative process allows individuals who gather enough signatures on a petition to put a measure to the people to vote into law. While it’s hard to know which way the tide will turn, it is certain that individuals are laser-focused on privacy rights, especially in the Silicon Valley state.
Trend Two: More Challenges to Data Transfer Mechanisms from Europe to the US and Other Countries
The GDPR allows data to transfer freely within the European Union and to any country the European Commission has deemed to have “adequate protections” for data. The US is notably not one of those countries. There are several transfer mechanisms available to companies that wish to transfer data across the pond or to other countries without adequate protections, such as enrolment in the Privacy Shield Program or the signing of EU standard contract clauses, but these types of mechanisms are under serious threat and legal challenge.
In 2020 we will see the Court of Justice of the European Union rule on the validity of two common data transfer mechanisms – Privacy Shield and the use of EU standard contract clauses. If the decision of the Court invalidates either, companies will panic in the way they did when the Court invalidated the Safe Harbor provision, which allowed companies to transfer data from the EU to the US if they signed up to the program.
The challenges to transfer mechanisms are not likely to abate soon. Some Europeans are concerned that companies sign up for Privacy Shield or put contract clauses in place and then disregard their obligations entirely. It is impossible for any data protection authority to police all data transfers, so the legal challenges aimed at stopping the flow of data from Europe to other countries will likely continue.
Trend Three: Data Localization Laws
Some countries are going even further than making it difficult to transfer personal data across borders – they’re trying to make sure it doesn’t happen at all. The Information Technology and Innovation Foundation notes that “data localization can be explicitly required by law or is the de facto result of a culmination of other restrictive policies that make it unfeasible to transfer data, such as requiring companies to store a copy of the data locally, requiring companies to process data locally, and mandating individual or government consent for data transfers.”[iv]
China and Russia have particularly stringent laws about data localization, which have resulted in many companies keeping servers and data in China and Russia when the rest of their global data operations occur in the Cloud.
Data localization laws are typically meant to protect citizens (or the government) of a country. More data localization laws are likely coming as governments realize that once data is out of the country, it is out of their control.
What to Do in Response
Ultimately, most data privacy laws are based on the same principles. These include transparency about the types of data collected, how it is used, requirements to keep data secure, requirements to notify individuals of significant data breaches, and the right to cease data processing if the individual wants it to stop. With this in mind, many companies have extended their GDPR privacy program globally. This is logical, as the GDPR remains the gold standard, and many other countries and US states are modeling their laws after the GDPR.
When it comes to training, try creating a general course for data privacy focusing on the commonly found principles of data privacy law. Amend the end of the course as required for the specific audience. For example, IT people in Europe probably need to be trained on the specifics of the GDPR, while individuals in the US may not.
Next, keep up to date with new laws and guidance. Many law firms release client alerts when a law changes (personal favorites include DLA Piper and Hunton and Williams). You can also sign up for services like Data Guidance that offer up-to-the-minute advice on nearly all countries and their laws.
Be sure to pay careful attention to the US election in 2020 with respect to the privacy laws and initiatives that pass.
You may even consider getting a privacy-related certification, like the CIPP certification. No matter what, be sure to attend events, webinars, or conference sessions related to privacy to keep up to date.
Lastly, try not to be too overwhelmed. No one person can ever know everything, especially about the complex matters of data privacy. Remember that there are still relatively few enforcement actions and that a good-faith, properly documented program can protect your company from the worst of the fines. Data privacy compliance is here for the long haul. By knowing the trends, you can prepare yourself for a great and ongoing career – now and in the future.
[ii] https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx