Over the past few years, we’ve witnessed some defining moments for protecting the privacy of customer data around the globe:
The EU General Data Protection Regulation (GDPR) took effect in May 2018.
The California Consumer Privacy Act (CCPA), which became a law in June 2018, had additional amendments passed in October 2019, and took full effect on January 1, 2020.
Data privacy legislation was a focus for many state governments throughout 2019, including New York, Massachusetts, Texas and Washington.
The National Institute of Standards and Technology (NIST) is developing a Privacy Framework for businesses to use in assessing their privacy programs.
On both the House and Senate side, the US Congress has released discussion drafts of broad federal privacy legislation.
Adding to these developments, we even saw two more states (Maine and Nevada) pass their own privacy laws. And with more states looking at privacy legislation in 2020, it is clear the focus on privacy won’t be slowing down any time soon.
In fact, we will continue to see a marked increase in the activities related to privacy conversations, legislation and actions—both nationally in the U.S. and globally beyond the 50 states. Based on this trend, below you’ll find 10 of my privacy predictions for 2020.
International privacy insights
#1 – International data transfers to the U.S. will remain an area of focus
We received a preview of the most important privacy issue of 2020 as the Advocate General to the Court of Justice of the European Union (CJEU) released an opinion on the Schrems II case, which involves the legitimacy of Standard Contractual Clauses (SCCs) for international personal data transfers. The Advocate recommended that the CJEU uphold the validity of the clauses as a mechanism for transferring personal data outside of the EU. This court opinion is non-binding, but the analysis of issues is more often than not reflected in subsequent CJEU rulings. While this is a relief for many, the fine print in the opinion should not be overlooked. The Advocate suggests that SCCs should be reviewed on a case-by-case basis, and transfers should be suspended where protection is not adequate. With a particular focus on privacy protections in the U.S., the opinion raises the question: Can you comply with the GDPR and transfer information outside of the EU? I also would not bet against a Schrems III being filed in the near future.
#2 – Expect major GDPR fines
We will see substantial action on GDPR, including big fines, before 2020 ends. We have seen GDPR investigations take time in the past, but over the next year, the results of some of the big investigations going through the GDPR One Stop Shop process will be finalized and released. We will not only get a better sense of how regulators interpret the GDPR, but also how international cooperation on enforcement will work.
#3 – Privacy laws expand across the globe
Laws throughout the world will continue to be updated and implemented, in part to seek an adequacy determination from the EU. These include Australia, which will look at potentially updating its privacy law, and the Office of the Privacy Commissioner of Canada, which will continue pushing for changes to its privacy law. In addition, India is set to pass its Personal Data Protection law, and other countries will pass or at least consider GDPR-influenced bills on data protection. For example, the Brazilian General Data Protection law goes into effect in February 2020, and according to Gartner, half of our planet’s population will have its personal information covered by 2022 under local privacy regulations in line with the GDPR.
#4 – Companies push back on data localization requirements
More countries are looking at adding or enforcing data localization requirements, which oblige a company to keep all personal data, or at least a copy of it, in the country of residence of the individual it does business with. The impact this will have on large companies with lots of resources may be minimal, but it will strongly influence the role certain countries will have in the global data economy, especially with respect to smaller businesses and the promotion or hindrance of new players in the market.
#5 – Brexit has minor impact on data sharing
Brexit will be much ado about nothing with respect to personal data sharing. Some sort of deal will get done now that the UK elections are over, which means there will be a transition period covering data exchanges. Despite any bad blood over Brexit itself, the EU will prioritize reviewing an adequacy determination with respect to the UK as soon as possible. No one wants the data flow to be impacted in what is now the European Single Market.
National privacy insights
#1 – Public becomes more informed on the use of data
The investigations by the FTC, DOJ and state AGs on the interplay between antitrust issues and data will push much of the news on how big technology companies use consumer data. While privacy and security experts will sadly be unsurprised by the information coming out, headlines galore will better inform the public on how data is being used, shared and stored. This will be supported by the results of any investigations performed by the California AG under the CCPA.
#2 – States to pass comprehensive privacy laws
Consumers will continue to learn more ways in which their data is used, which will move more states to consider comprehensive privacy laws. While there is some bipartisan agreement on privacy and numerous discussion drafts percolating in Congress, I do not believe we will see a federal law passed within the next year; there is still too much distance between the parties on key issues, particularly a private right of action and preemption of state law. The states will therefore be left to pick up the slack. State bills will thus likely have similar but also inherently conflicting language, which will further confuse consumers about what protections they actually have and perplex businesses about how to comply with the various standards.
#3 – HIPAA conversations get louder
Conversations about HIPAA, what it does and does not protect, and the need for broader protection of health information will continue getting louder. Google’s use of patient data is coming under Congressional scrutiny, and while I do not know all the specifics, it is quite likely that this was done in accordance with HIPAA. Also, Amazon is now selling de-identified patient information, including rather detailed medication information. It is unclear if this is HIPAA covered data—it depends on where it came from. But Amazon does now own PillPack, and it will still surprise many consumers that Amazon has and is selling this type of data. While the de-identification may have been done properly, there are valid questions about whether something open for sale to so many—potentially including data brokers—can really be de-identified.
#4 – Privacy protection turns into a competitive differentiator
Smaller companies will start focusing more on differentiating themselves on privacy, since the days of free apps and similar services are over. Some app developers will see the opportunity to offer better privacy protection and explain why their fees are in some ways beneficial to consumers, as their customers are no longer the product being monetized. Small companies will also see the advantage to their own potential growth of complying with international privacy standards that go far beyond what is required, or even considered a basic practice, in the U.S.
#5 – Expect large CCPA fines
We will see a very large CCPA fine before 2020 ends. While investigations into data protection breaches and practices take time, the California AG will likely enforce the CCPA with a large fine against at least one big tech company in 2020. This will show that the CCPA does indeed have teeth.
Preparing to protect customer privacy
So, what should your business do to prepare for these data privacy trends? Embrace them as an opportunity to take an in-depth look at your privacy program, or to develop a program if you don’t have one already. You can also use the increased worldwide emphasis on protecting privacy as a means to secure a data protection budget sufficient to meet the legislative requirements you face.
Consider employing a proven model for scoping the controls needed to operationalize your privacy program and to address requirements across all of the laws and standards you must adhere to. This will enable you to give privacy the attention it deserves, but not in isolation from the other risk-mitigation and security-management activities going on within your organization.
And remember to look beyond your own internal systems to those of your third-party ecosystem of customers, business partners and vendors. A breach at any single component of your supply chain can impact the entire ecosystem, including your systems and data. While you should lead the charge, this makes privacy a shared responsibility among every entity you do business with.