2020 was dominated by news of the pandemic and anchored by reality that we all found ourselves in – entire families logging in remotely, trying to keep school and work feeling “normal.” While we tested the limits of what a home office could sustain, the privacy and security of a fully remote world was put front and center. In this piece, we take a look at a few privacy highlights that will likely impact your business and look ahead to see what’s in store for 2021.
Across the globe, countries – including Brazil, Canada, and China — introduced privacy legislation in line with the EU General Data Protection Regulation. In the United States, California debuted the highly anticipated California Consumer Privacy Act, and we saw privacy weave itself into COVID-19 related legislation in Congress – including the COVID-19 Consumer Data Protection Act of 2020 in the Senate and the Public Health Emergency Privacy Act in the House. While the United States continued to evade federal privacy legislation in 2020, a clear takeaway from the past few years is that privacy has demonstrated itself to be both a bipartisan and pressing issue.
2020: The summer of privacy
Much like everything else in 2020, things only started moving along in the summer.
July 2020 marked the official start date for enforcement of the California Consumer Privacy Act. As the fifth largest global economy, California’s legislative reach went far beyond its borders, introducing data protection requirements for the global companies based within its borders and privacy protections for the 39+ million residents. Taking it a step further, California voters approved California Proposition 24 (CPRA) in November. Effective January 1, 2023, CPRA modifies aspects of CCPA and establishes an independent watchdog, the California Privacy Protection Agency.
With a projected budget of $10 million for the 2021 fiscal year, the agency will be responsible for enforcement of CCPA to start and CPRA to follow. To fully appreciate this, it’s crucial to recognize that California will become the first state in the United States with a enforcement body solely devoted to privacy. Expected to house between 40 and 50 employees, it is expected to maintain a capacity that's on par with the U.S. Federal Trade Commission, which has 40 employees dedicated to privacy. While much will shake out in the coming months, California is sending a clear signal to companies: Take privacy seriously.
Also in July, the Court of Justice of the European Union delivered its long-awaited ruling in “Shrems II” and in the process invalidated the EU-U.S. Privacy Shield framework. With more than 5,300 participants relying on its existence for data transfers, U.S. Secretary of Commerce Wilbur Ross entered into discussions in August to determine if an enhanced EU-U.S. Privacy Shield framework could comply with the CJEU decision. Ensuring that the mechanisms for transferring data from the EU to the United States are adequate will certainly be a top priority going forward, especially when one considers the transatlantic economic relationship is valued at $7.1 trillion.
Keeping with the summer of privacy, Brazil’s congress passed the Brazilian General Data Protection Law (LGPD) in August. With an existing patchwork of data protection requirements, LGPD provides a comprehensive framework for the country and draws upon principles from the GDPR. The story of the LGPD is something of a drama series — it was passed, then postponed, then had its postponement reversed. Ultimately, it took effect immediately following the Senate’s passing of Conversion Bill (PLV) 34/2020 in September. Administrative sanctions for violations of the LGDP will go into effect August 1, 2021.
In October, China revealed a draft of its Personal Data Protection Law. Offering a breadth of protections and long-awaited clarity, the draft draws heavily from principles of the GDPR. Under the proposed bill, violations of the law may be met with a fine of up to RMB 50,000,000 ($7.4 million) or 5% of revenue.
In November, Canada proposed Bill C-11. Again, we see a modeling of GDPR principles. Not only would the proposed Digital Charter Implementation Act, 2020 levy heavy fines for noncompliance — this time up to C$25 million ($19.4 million) or 5% of revenue – but it would also place greater control in the hands of the Canadian consumer to exercise data subject rights.
Then, in December, India’s Union IT and Communications Minister Ravi Shankar Prasad said the country would be finalizing its data protection law “very soon.” With countries across the globe working towards tough requirements for data protection, one can imagine there might be a desire to catch up on privacy in the United States — particularly if the incoming administration is eager to take advantage of a rare and feasible opportunity to demonstrate bipartisan action.
2021: Watching the wave of GDPR-esque frameworks
While 2021 will likely see the rollout of 2020’s backlog, there are sure to be a slew of new privacy requirements coming our way. The CJEU’s findings in “Shrems II” is likely to spark a sense of urgency to establish comprehensive privacy and data protection laws, not only in the United States but also worldwide. While we watch the continuation of draft legislation in Canada, China and India, there are developments in the United States that could impact the reality of a federal privacy law, as well.
Having fallen behind the global community in developing regulatory measures to address data protection and privacy, the United States is well on its way to a patchwork of state privacy regimes. Three states (California, Nevada, and Maine) have now enacted consumer privacy legislation, 16 more have introduced similar legislation and six states haveenlisted task forces to probe privacy prospects. Despite federal law providing protections for specific types and uses of data, no overarching framework creates a unified approach to data requirements in the country.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
