2020 is shaping up to be another eventful and demanding year for CPOs. In fact, the job of the CPO will continue to grow in significance and evolve in complexity as more privacy laws are enacted, organizations focus on compliance with new requirements and media attention on privacy issues continues to increase public awareness.
Looking back, it seems like GDPR, effective as of 2018, was the starting gun for a race in the evolving privacy landscape. In 2019, CCPA kept privacy professionals working at a rapid pace, interpreting new privacy requirements along with how to apply rules from various jurisdictions to business operations. Now, with several recently announced federal privacy bills, numerous state legislatures debating various forms of privacy laws, and a collection of new privacy laws taking shape around the world, the responsibilities of CPOs will continue to expand in the years ahead. This may be a privacy marathon.
In the States, we’ve seen a new level of consensus on the need for a federal privacy law. With a substantial number of notable business executives, government leaders, tech companies and legal experts speaking out about the importance of addressing privacy issues and the need for a uniform standard in the U.S., the debate over whether the U.S. should enact a federal law has evaporated.
Fueled by this momentum and greater public awareness of these issues, several recent draft privacy bills have been introduced in Congress. However, reaching agreement on several key details will likely cause the momentum to slow. Specifically, obtaining compromise on the preemption of state laws, a private right of action, civil fines or executive privacy certifications will be challenging.
However, there is already a privacy relay going on within the states. California and Nevada passed privacy laws in 2019, and numerous other states are introducing a variety of legislative proposals this year. For example, Virginia introduced the Virginia Privacy Act in January, which would require a broader use of privacy risk assessments than current laws do. Illinois also introduced the Data Transparency and Privacy Act, which includes opt-out rights for consumers. In addition, Washington recently reintroduced privacy legislation from 2019, the Washington Privacy Act, which now includes standards for the use of facial recognition tools and has the strong backing of Microsoft.
Around the world, privacy developments also continue. Many privacy supporters are eagerly awaiting the conclusion of several investigations involving GDPR compliance by Ireland’s Data Protection Commission. In addition, the UK’s separation process from the EU will generate changes, even though GDPR will continue to apply in the UK until the end of 2020. Whether the UK will receive an adequacy decision from the EU during the transition period will be an interesting issue. Furthermore, there are already questions about what kind of approach the UK might eventually take toward e-Privacy topics, like tracking and consent, as the EU continues to grapple with its own unresolved situation.
Outside of Europe, the Australian government announced it will review its Privacy Act this year, with an intent to increase penalties for breaches of the Act and potentially regulate the activities of the biggest tech companies. Any changes will likely take a year or more, though, given the consultations and inevitable negotiations over proposed reforms. However, New Zealand will likely pass its new Privacy Bill this year, which will impact foreign companies doing business there. India is also on the move with privacy, now considered a fundamental right, through a new data protection law expected to be finalized and passed this summer. And in South America, the Brazilian General Data Protection Law is scheduled to become effective in August, although a recent bill calls for a delay, as a national data protection agency has yet to be established.
On a global scale, people and governments are more focused on privacy than ever before. A string of massive data breaches, the Cambridge Analytica scandal, and an outpouring of public appeals for standard rules all brought privacy issues squarely into the spotlight while raising public awareness to a new level. The understanding and appreciation around privacy is energizing.
However, these changes provide CPOs with an abundance of new (and often complicated) projects. As new laws are enacted, they must be analyzed against current products, data inventories and business practices. Decisions on how broadly to apply new requirements across global operations must be made. And new requirements often mean new compliance measures need to be incorporated into current operations and employees need to be trained on these changes. In addition, privacy by design becomes much more complex given the increasing number of requirements to consider for new and evolving products that process personal data.
Many company executives now recognize the need for integration of privacy into the greater corporate picture. As a result, leadership is more focused and invested in privacy compliance and will rely on CPOs for recommendations and risk analyses. The stakes are higher than they’ve ever been, given the penalties available under some privacy laws and the reputational damage that can result from privacy missteps. The responsibilities of those of us working in privacy are growing at a time when just keeping current on global privacy developments can feel like a full-time job. It’s an exciting and eventful time to be in privacy… as the race continues.