From prospects for a new Privacy Shield agreement between the EU and U.S., to new laws in China and India, to rising EU General Data Protection Regulation enforcement, and much, much more, there’s undoubtedly a lot happening in the field of data protection and privacy.
In recognition and celebration of all the happenings in the space, on Data Privacy Day 2022 IAPP President and CEO J. Trevor Hughes, CIPP, explored what’s to come with IAPP Ireland Country Leader Kate Colleary, CIPP/E, CIPM, Norton Rose Fulbright APAC Head of Governance, Privacy and Cybersecurity Anna Gamvros, CIPP/A, CIPT, FIP, Perkins Coie Partner Dominique Shelton Leipzig, CIPP/US, and Tsaaro Co-founder and CEO Akarsh Singh, CIPP/E, CIPM, CIPT, FIP.
A new Privacy Shield agreement has certainly been top of mind for those following the transborder data flow relationship between the EU and the U.S. after the existing agreement was invalidated in July 2020 by the Court of Justice of the European Union’s decision on data transfers in “Schrems II.”
A year-and-a-half later, Shelton Leipzig said news about a compromise between the European Commission and the U.S. Department of Commerce could be coming “any day now.”
“My understanding is there’s something that very soon will be announced and is afoot,” she said. “The big issue will be whatever compromise there is whether that will withstand scrutiny by the CJEU, without our federal data protection law and without some of the other things that maybe Europe will be looking towards. We might still have trouble notwithstanding the compromise.”
Colleary questioned whether this could be an ongoing cycle in which the countries work on measures to facilitate data transfers between the EU and U.S. that address previous criticisms, while new criticisms will continue to arise.
“I think it’s going to be sort of a cycle, which becomes difficult ... in terms of operationalizing that,” she said. “It’s a tricky situation.”
Earlier this month, the Austrian Data Protection Authority issued the first ruling in 101 complaints filed across EU countries by advocacy group NOYB alleging companies using Google Analytics were not complying with the “Schrems II” decision. The DPA found the use of Google Analytics violates the GDPR. Also this month, the European Data Protection Supervisor reprimanded the European Parliament for breaching GDPR related to use of cookies on its COVID-19 test booking website launched in September 2020.
These are among enforcement actions to watch closely in Europe, as well as anticipated actions from the Irish Data Protection Commission, and others, panelists said.
GDPR came into force nearly four years ago, and in that time organizations have been busy working towards compliance, while regulators have been investigating new complaints and finding consistency in enforcement, Colleary said.
“We’re starting to see the fruit of all that hard work on behalf of regulators throughout Europe. We’re seeing increased numbers of enforcement actions, of findings, of the use of the mechanisms in GDPR, so that the regulators can work together in relation to cross border processing activities and investigations,” she said.
While there have been “headline grabbing fines,” like the 225 million euro fine the Irish DPC levied on WhatsApp, Colleary cautioned that fines “aren’t the be all, end all.”
“What we’re also seeing are orders requiring organizations to change their processing activities, and indeed, in some cases delete databases,” she said, adding that investigations are underway “all the time” that likely won’t result in large fines. “I would certainly say most organizations are used to dealing with regulators, most organizations of a certain size, and they take it really seriously and the activity of regulators is certainly increasing.”
Enforcement actions will also be beginning under China’s Personal Information Protection Law, which came into force in November 2021, Gamvros said. She said clients are concerned about fines for violations set at 5% of a company’s annual business revenue, but, she added, there’s still uncertainty around exactly how that revenue will be calculated.
Chinese authorities, like the Cyberspace Administration of China and the National Information Security Standardization Technical Committee, meanwhile, have been taking enforcement actions under other regulations, particularly in the area of mobile applications.
“In general, we’re seeing more rectification notices there than penalties, but if they do fail to rectify then they can be followed with monetary penalties. So, there’s been a huge amount of activity around ... deceptive downloads, excess collection of data, lack of transparency, lack of gaining valid consent, those types of issues,” Gamvros said.
The next country to pass data protection legislation very well could be India, where the proposed Data Protection Bill is currently under consideration by Parliament. Singh said it’s possible the law may pass this year, but he cautioned not to expect immediate enforcement as the proposal has an implementation period of 24 months.
“India is a humongous country. India, being an exporter of IT to the world, we are already compliant with GDPR, CCPA, any laws in the world, because we are already exporting our technologies. If you look at those companies which are exporting, we are already compliant. The companies which are domestic and serving to Asian nations where the law is not there, I think that’s exactly where there will be a humongous task,” he said.
In the U.S., former Federal Trade Commission chief technologist Ashkan Soltani’s leadership of the California Privacy Protection Agency, which is working to create new California Privacy Rights Act implementation regulations, “heralds an era or an age where what we can expect to see is pretty intense enforcement coming out of the agency,” Shelton Leipzig said. While enforcement won’t begin until July 1, 2023, Shelton Leipzig said, “I think we are in for a time of focus on things like ad tech, digital advertising and all of the other topics that are on the table for everyone, really around the globe.”
Across the U.S., Shelton Leipzig said other states are “going to be stepping into the privacy arena.” Privacy laws have already passed in Colorado and Virginia, and Shelton Leipzig said to watch for action in Washington state, Florida, New York and Texas. She said state legislative activity is happening in part because there is no federal privacy law, which she anticipates will arrive within the next three years.
“There is consensus on both sides of the aisle, both at the state level and at the federal level, on a lot of the privacy related points in legislation. It’s an interesting confluence of things,” she said. “From the business perspective, there is more of an interest to see something happen at the federal level so that we don’t have this patchwork of laws developing, like what we have with data breach laws, so we would actually have some uniformity.”
While there’s uncertainty around how these key privacy issues will play out in the year to come, Hughes said one thing is certain: “It really is going to be a complex year.”