The first months of 2022 began slowly for privacy, but by the end of the first quarter we had our marching orders for the rest of the year. In the U.S., we saw an explosion of state privacy bills being put forward (again), the Senate used a seldom-used maneuver to push President Biden’s Federal Trade Commission nominee toward confirmation, and Utah became the fourth state to enact comprehensive privacy legislation. In the EU, we witnessed developments with the Digital Markets Act and Digital Services Act, pushing the region’s digital strategy forward, and a last push between the EU and U.S. showed that negotiations on transatlantic data flows have finally found traction.
Looking at the U.S.
Similar to what has come before (but different enough to make compliance challenging), Utah delivered its Consumer Privacy Act on March 5. With close to 30 states considering privacy this year, it has become quite clear that until privacy moves on a federal level, states will take it upon themselves to create a patchwork of privacy across the U.S. Keeping in line with Virginia’s business-friendly approach to privacy requirements, Utah extends most (but not all) standard data subject rights, introduces obligations on controllers and processors, and follows Virginia’s lead with numerous exemptions and conditions.
While 2021 saw a real organizational boost for the Federal Trade Commission, this year has been fraught with gridlock. After months of waiting for confirmation of its final member, Alvaro Bedoya, the Senate issued a discharge petition and voted on March 30 (51-50) to bypass the Commerce Committee. Now moving to a floor vote, Bedoya’s confirmation is expected to be swift. In addition to simply filling out the membership of the FTC, confirming Bedoya will give FTC Chair Lina Khan the partisan majority she needs to advance on multiple fronts, including consumer privacy.
Transatlantic Data Flow
Another late-quarter announcement came on March 25, when counterparts from the EU and U.S. declared that a political agreement had been reached on a transatlantic data transfer mechanism. While the lack of detail around this agreement has left those in the privacy community to speculate, Didier Reynders, European Commissioner for Justice, offered insight at a March 30 press conference, where he said the agreement marks “huge progress” in comparison to the EU-U.S. Privacy Shield and described it as a “significant improvement.”
Reynders explained two elements, in particular, that will support this third attempt’s longevity. First, he described that the future arrangement would provide a set of rules granting Europeans whose personal data is transferred to the U.S. binding safeguards limiting access to their data by American intelligence authorities to what is necessary and proportionate to protect national security. In his words, “The protection needs to fly with the data.”
The second, he said, was a redress mechanism for Europeans. To this end, he announced a multi-layer redress mechanism that includes a newly created, independent Data Protection Review Court, consisting of individuals chosen from outside the U.S. government who would have full authority to adjudicate claims and direct remedial measures as needed.
The agreement is only a first step. The next move will have to come from the U.S. via an executive order or other text that EU officials could then use to discuss adequacy. While there is no precise timeline, a decision could be reached before the end of the year.
Privacy on the move
In general, Europe continues to advance and discuss proposals that focus on privacy, platform regulation and competition. In the final days of the quarter, lawmakers announced progress on two legislative initiatives stemming from a February 2020 European strategy for data, which aims to institute the EU as a trusted leader in the digital space. Lawmakers reached an agreement on the EU’s Digital Markets Act and the fourth trialogue discussion on the Digital Services Act concluded. Combined, the two aim to curb illegal and harmful content and ensure a competitive marketplace.
Lastly, the privacy community continues to watch the U.K.’s post-Brexit positioning via the proposed changes seen in its data strategy, Data: New Direction. Providing a real-time opportunity to monitor how a regime approaches privacy and data protection through business-friendly initiatives, the U.K. seems to be searching for an alternative to the existing European model. With the feedback received on the proposal now being analyzed, an official response is expected to be published this spring, with a white paper to follow later this year.
What we are looking forward to in the second quarter:
- Next steps for the EU-U.S. data sharing agreement
- Will the U.S. see more state privacy laws?
- With a full committee, will the FTC begin exercising its rule-making authority?
- How will the U.K. navigate its privacy reforms?
About the Authors:
Molly Hulefeld is a Privacy Content Analyst with Ethos Privacy. Molly entered the world of privacy through the International Association of Privacy Professionals (IAPP), where she worked as Associate Editor for the publications team. Now she works to develop Sentinel’s privacy program management technology, Ethos, making it easier for businesses to meet their obligations and develop a culture of privacy.
Emily Leach is the privacy content director at Ethos Privacy, overseeing framework analysis and creation for the company’s privacy program management technology. Emily has been working in data privacy for 14 years, spending 11 years at the IAPP as manager of its online resource center and editor of the Privacy Tracker, among other responsibilities. Emily holds both CIPP/US and CIPP/E certifications from the IAPP.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.