With two new U.S. State privacy laws, new Standard Contractual Clauses out of the EU, more GDPR-style laws passed around the globe, and record data protection fines, 2021 provided plenty of fodder for an end-of-year review.
U.S. Domestic: A Summary
Despite a growing consensus on the need for comprehensive privacy in the United States, lawmakers once again failed to make meaningful headway on the matter. While this might have been expected given the Biden administration’s continued attention on navigating the pandemic and its aftermath, many professionals had high hopes. 2021 seemed like it could be the year everything finally aligned to lead to a federal law. Broad public support...informed legislators...and an international call for the United States to act on privacy and data protection. That wasn’t the case.
However, while it wasn’t the year for privacy in the United States, considerable steps were taken. Most notably, Colorado and Virginia passed comprehensive privacy laws; the Federal Trade Commission (FTC) initiated the rule-making process to "curb lax security practices, limit abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination"; and Congress held hearings on how to move forward with privacy and data security.
Perhaps the most significant takeaway from 2021 is the perspective we gained as various States became real-life testing grounds to uncover what elements of privacy law are palatable — or insurmountable. Successful legislation in the United States seems to offer some rights and protections for data subjects but remain business-friendly when compared with global counterparts. Above all else, legislation proposed across the States in 2021 proved how volatile four little words were for consensus: "private right of action."
With little to no movement on the federal level, spectators of the privacy legislation theater are left to speculate that in order to provoke federal legislation, States will have to push forward more challenging legislation, increasing the already burdensome patchwork of privacy that has developed across sectors, States, and even municipalities. In essence, we’re not likely to see a federal privacy law until State privacy laws make doing business even more laborious. If 2022 sees more laws like Virginia’s loophole-ridden approach, it’s doubtful, but looking to the growing list of 2022 state proposals, it may just come.
Privacy Updates around the Rest of the World
As the United States trudged forward, the global community surged further ahead. Countries across the globe worked to introduce new legislation or revamp existing frameworks. Privacy has seen increasing commitment. At the 2021 G7 summit, leaders from Andorra to Rwanda to the United Arab Emirates called for a commitment to “championing data free flow with trust, to better leverage the potential of valuable data-driven technologies while continuing to address challenges related to data protection.” Even authoritarian governments are seeing the benefit in answering the growing call for international collaboration on data protection.
The EU added more acronyms to the alphabet soup of privacy in its efforts toward reining in big tech. This December, the EU Parliament gave the green light to the Digital Services Act (DSA). Discussions with member States are expected to follow in early 2022. Parliament’s Internal Market and Consumer Protection Committee also voted in favor of DSA’s counterpart, the Digital Markets Act (DMA), putting it one step closer towards completion. Separately, the European Commission announced a provisional agreement with the European Parliament and the Council of the European Union to move forward with the EU Data Governance Act (DGA).
We also saw enforcement of GDPR hitting its stride this year as Europe issued a one-two punch with fines against Amazon ($888 million) and WhatsApp ($270 million). And yet, despite a productive year for data protection authorities, the EU has signaled a review of its enforcement regime. Towards the end of the year, discussions on adopting a centralized approach emerged as EDPS chief Wojciech Wiewiórowski announced a conference planned for June 2022 to discuss alternative models of enforcement of GDPR.
The U.K. continues to navigate life in a post-Brexit world, most recently with the confirmation of former New Zealand privacy commissioner John Edwards as the new U.K. Information Commissioner. Edwards officially began his five-year term on January 3, 2022. What comes of the United Kingdom's consultation period on reviewing the country’s data protection laws will certainly remain an item to watch in the coming months.
China passed groundbreaking legislation, the Personal Information Protection Law (PIPL). Effective November 1, 2021, PIPL introduces comprehensive privacy protections similar to those of GDPR, with provisions mandating data minimization and user consent. It provides for damaging noncompliance fines as well as a limited private right of action. With its passing, PIPL proved that privacy truly is a tidal wave for governments worldwide.
2021 has revealed the broad and diverse approaches to comprehensive privacy legislation that exist. As we look to 2022, here are a few things to watch:
- U.S. states’ privacy proposals — Are they meaningful enough to prompt federal action?
- Proposed changes to the U.K. Data Protection Act — How far will the end product stray from GDPR?
- How will the FTC navigate rule-making?
- Will greater collaboration between competition and privacy authorities rein in big tech?
About the Author:
Emily Leach is the privacy content director at Ethos Privacy, overseeing framework analysis and creation for the company’s privacy program management technology. Emily has been working in data privacy for 14 years, spending 11 years at the IAPP as manager of its online resource center and editor of the Privacy Tracker, among other responsibilities. Emily holds both CIPP/US and CIPP/E certifications from the IAPP.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.