COVID-19 wasn’t the only thing to sweep the globe in 2020 — the year also brought a wave of privacy legislation. Major players, including Brazil, Canada and China, all introduced privacy legislation that closely aligns with the EU General Data Protection Regulation. And in the U.S., California debuted the highly anticipated California Consumer Privacy Act (CCPA) and quickly followed up by approving the California Privacy Rights Act of 2020 (CPRA), which modifies the existing CCPA obligations and introduces new ones. So, what’s in store for 2021?
Challenges for international data transfers
In July 2020, the Court of Justice of the European Union delivered a long awaited ruling in “Shrems II” and with it, invalidated the EU-U.S. Privacy Shield framework – an international data transfer mechanism with more than 5,000 participants relying on its existence for data transfers from the EU to the U.S. As it stands, the decision gave EU regulators direction to cease transferring data outside of the EU if protections can't be guaranteed. The court’s finding means major challenge for U.S.-based businesses that target the EU. To soften the blow to the transatlantic relationship, U.S. Secretary of Commerce Wilbur Ross entered into discussions with EU counterparts to determine if an enhanced EU-U.S. Privacy Shield framework could comply with the CJEU decision, however there’s no solution in sight.
The “Schrems II” decision also serves to highlight the European perspective that national intelligence access to personal information is a deal-breaker for transferring EU personal information into any non-EU country that hasn’t been deemed adequate. All of this helps to spark a sense of urgency in establishing comprehensive privacy and data protection laws, not only in the U.S., but worldwide.
Another development shaking up international data flows is Brexit. After failing to come to an agreement on data transfers, the U.K. now finds itself out of the European Union without having an international data transfer mechanism in place. The EU has provided the country with a six-month grace period, wherein the GDPR will continue to be the data protection law of the land, which many see as a good sign that the U.K. will meet EU data protection adequacy requirements. But with the country’s extensive surveillance regime and the failures of previous Brexit deal-making efforts, it’s anyone’s guess how this will turn out.
One thing is clear – in 2021 the world will need to pivot to manage cross-border data flows.
Consumer expectations will drive change
One unmistakable result of the continued spread of privacy legislation is consumer empowerment. As consumers all over the world get more privacy rights and have an improved understanding of how companies use personal information, businesses can expect to see an increase in customers’ expectations of control over their personal data — whether or not they actually have data privacy rights. While the amount of people who have data privacy rights has grown substantially this year, many — including most of the US — still have little to no control over what companies do with their data.
Three U.S. states (California, Nevada, and Maine) now have rights-based consumer privacy legislation, 16 more have introduced similar legislation, and six states have enlisted task forces to probe privacy prospects. The U.S. is well on its way to a patchwork of state privacy regimes, making it chaotic and burdensome for businesses to operationalize their privacy requirements. Despite federal law providing protections for specific types and uses of data, no overarching framework creates a unified approach to data requirements in the country.
In the absence of federal action, California has taken it upon itself to regulate how companies maintain and protect its citizens’ personal information with CCPA, an extraterritorial law that puts businesses across the globe within its grasp. Being the fifth largest global economy, its laws have a huge impact on businesses’ compliance efforts — and a huge impact on consumer expectations overall. Laws like the GDPR and CCPA have changed consumers’ data privacy expectations, and these expectations will put pressure on companies and legislatures to fall in line in 2021.
An opportunity for bipartisanship in the U.S.
While federal privacy in the U.S. seems like a natural progression, some still question if meaningful legislation will be on the docket for 2021. Aside from being a pressing issue, privacy has proven itself to be a popular idea among voters and enjoys political support from both sides of the aisle. With Washington desperate for bipartisan action, Congress my take up the cause. And with Democrats controlling both houses of Congress, there’s a better chance we’ll be able to move past the major historical blockers to comprehensive privacy legislation — private right of action and state preemption.
Regardless, California has moved the conversation along — entitling a large swath of the American population to privacy protections and requiring big businesses to adhere to tough requirements will certainly make an impact. Until privacy happens on a federal level, the U.S. will get by the way it has — with an overburdened FTC and an uptick in privacy lawsuits.
There’s a lot riding on 2021. While the focus of the incoming administration will undoubtedly be on getting the pandemic to ebb and picking up the pieces, there’s good reason to think that the incoming administration, with its privacy and tech savvy team, is a good signal for federal privacy legislation to finally take hold in the U.S. And it’s about time. But while the U.S. awaits Congressional action, the rest of the world moves on.