2020 Developments in Privacy Law Create New Obligations for Companies, Foreshadow More Changes in 2021
While Covid-19 and national and state governments’ efforts to respond to the impact of the disease took center stage in 2020 among lawmakers, the year still brought significant changes in privacy and data protection law. Companies will need to take measures to meet new obligations created by court decisions and legislation and to prepare for more changes expected in 2021.
Invalidation of Privacy Shield – On July 16, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework, an agreement between the European Commission and U.S. Department of Commerce to facilitate the legal movement of data from the EU to the U.S. Invalidation of the Privacy Shield eliminated an effective, streamlined instrument that supported lawful data transfer. While the CJEU upheld the validity of using standard contractual clauses to transfer personal data to countries not yet deemed “adequate” by the EU, the CJEU imposed considerable new obligations on organizations wishing to transfer data.
The potential impact of the CJEU’s decision on trans-Atlantic trade is significant. The European Commission and U.S. Department of Commerce have publicly committed to solving the problem of EU-U.S. data transfer and are in ongoing discussions to resolve key issues. In the meantime, new guidance from the European Commission requires that companies relying on standard contractual clauses conduct a complex risk analysis and implement supplemental safeguards.
California Privacy Law – In the United States, perhaps one of the most important developments in privacy law occurred in California. In 2020 the new California Consumer Privacy Act came into effect, and as of July 1 it could be enforced by the state’s attorney general. The law requires privacy disclosures, grants privacy rights and imposes new restrictions. It also allows for statutory damages for data breaches that involve the personal information of California residents if the breach results from a company’s failure to put in place reasonable security.
On November 3, 2020, California voters approved the California Privacy Rights Act, a consumer ballot initiative that amends and expands the CCPA. Among the changes the CPRA introduces are new criteria to determine which businesses are regulated by the Act and a new data category of “sensitive personal information.” It also grants expanded consumer privacy rights and adopts principles that underpin the EU’s General Data Protection Regulation.
Perhaps the most consequential impact of developments in California is that they may prompt other states to act. Companies, concerned about the potential complexity and financial burden of having to comply with numerous state laws, have again called for Congress to enact a comprehensive national privacy law.
Beyond the U.S. – China and Brazil – China unveiled its draft of the Personal Information Protection Law for public consultation on Oct. 21, 2020. The draft PIPL contains 70 articles and introduces significant fines. Many of its provisions compare to those in the EU’s GDPR, as it relies on data protection principles such as transparency, fairness, purpose limitation, data minimization, limited retention, data accuracy and accountability. The new law will have a significant impact on companies with operations in China or that target China as a market.
This year Brazil enacted an omnibus law governing the use of personal data, the General Law for the Protection of Privacy. The new law is intended to regulate the processing of personal data and, like other emerging regulation, is similar to the GDPR. It grants new rights to data subjects and establishes legal bases for processing. The law requires that companies – whether they are acting as data controllers or data processors – maintain a map of their data holdings and appoint a data protection officer.
The Year Ahead – While policymakers in the coming year will continue to address the dislocation caused by the Covid-19 pandemic, it is doubtful that developments in data protection and privacy law will slow. Data will continue to be essential to understanding the disease, the success of vaccination programs, and how best to serve communities most affected by the pandemic and its economic fallout. Companies of all sizes that have seen downturns or changes in their businesses in 2020 will turn to data to understand how best to adapt, grow again and reach new markets.
The ability to collect, move and use data in ways that respect the privacy of individuals will be essential to maintaining public trust in the digital market, in public health services and in governments’ ability to support their constituencies. In 2021 we are likely to see new guidance internationally and renewed attempts at passage of a federal privacy law in the U.S.