Editor’s Note: This is the second article in a series geared toward small and medium-sized enterprises that are building dedicated governance teams to deal with emerging data privacy laws like GDPR and CCPA. For the many organizations that have begun to grapple with the reality of data privacy laws, the challenge of compliance can seem insurmountable.…
2020 was a massive year for data privacy. New laws became effective all around the world and, in turn, organizations were forced to amp up their data privacy measures to comply. Data privacy regulations are only getting stricter, and that won’t change any time soon.
There is no reason to expect 2021 to be any less active, especially considering the recent SolarWinds breach that implicated the U.S. federal government. Here are some predictions for what to expect in the coming year.
When the new administration takes over the White House in January, Joe Biden and his cabinet will have a lot on their plate. Revitalizing the U.S. economy and getting the COVID-19 pandemic under control might take center stage. But there’s reason to think data privacy and cybersecurity will also be major priorities–especially given the weak points in our cyber infrastructure highlighted by the recent SolarWinds hack.
Pressing security concerns aside, there’s also the matter of track records. Vice President-elect Kamala Harris was a long-running privacy advocate during her time as California’s Attorney General. The unit that created the California Consumer Privacy Act (CCPA) was established during her tenure, and she secured the first settlement to require that a company hire a Chief Privacy Officer in California. The role of a vice president in any administration is hard to predict, but Harris’ pedigree suggests that if she’s allowed to wield influence, her agenda will likely include some form of data privacy reform or legislation.
Replacing the EU-US Privacy Shield
The invalidation of the EU-US Privacy Shield sent the message that America’s data privacy legislation is too lax to allow data transfers from the European Union, a major cause for concern for many US companies. Since then, the onus has been on companies to ensure a level of compliance that satisfies the EU’s regulations–including the General Data Privacy Regulation (GDPR). This has created a situation that is complicated and inconvenient.
By invalidating Privacy Shield, the EU pointed to inherent incompatibilities between GDPR’s regulations and legal obligations set by certain U.S. surveillance laws. The ball is now in the American government’s court to lower the legal risks associated with data transfers. It will need to do this with legislation that meets the legal standards set by GDPR–or by reaching some sort of compromise. Regardless of the details, fixing Privacy Shield will be an urgent priority for Congress in the new year, and it’s likely that some sort of data transfer agreement will be reached in 2021.
Federal Privacy Legislation…Maybe?
Although the U.S. may have thus far ceded its potential as a global data privacy leader, there’s reason to believe federal legislation is coming. In September, the Committee on Commerce, Science and Transportation held a hearing on the necessity for a federal data privacy law, and both Democrats and Republicans have introduced bills aimed at establishing something cohesive–meaning data privacy seems to be a bipartisan issue.
Luckily, most of the consumer privacy bills floating around in Congress follow a similar approach. Most agree that consumers are entitled to data rights and that organizations have an obligation to respect them. However, it is less clear where the federal government stands on issues such as the hierarchy between federal and state privacy laws, which federal agency will be responsible for enforcement, and whether consumers should have a private right of action.
More State Laws
Although the inevitability of a federal law is far less certain, it’s safe to assume that legislation will continue to arise on a state level. Several states, including Nevada, Maine and California, signed data privacy laws into action in 2020, and at least 15 other state-level privacy laws were introduced. It’s safe to assume some of these proposed laws could become effective in 2021 or make strides toward becoming official. Maryland’s Online Consumer Protection Act is the furthest along in the process–just one step away from being passed.
Limitations on data processing are included in four of these proposed bills (New York, Minnesota, Iowa, South Carolina) while the New York Privacy Act (NYPA) goes as far as to establish a fiduciary duty between data controllers and their clients. In many cases, task forces are being substituted for comprehensive bills.
Of course, as more state legislation is passed, the national legislative landscape will only get more convoluted, making compliance more difficult. All of this is setting the scene nicely for a federal law, and in any other year without a global pandemic, it might already be on the brink of happening. While it’s optimistic to assume it will come in 2021, the path might seem clearer by the end of the year.