Hello, privacy pros.

What a year we have had in privacy. This is the final Asia-Pacific Digest for 2019, and I would like to share some reflections on a few of the key events that stand out as highlights of a dynamic year for privacy, both globally and within the Asia-Pacific region. I have also provided some thoughts on what 2020 has in store for our profession.

We began the year with the announcement of the mutual adequacy decisions between the European Union and Japan, with Japan being the second Asia-Pacific country to receive such a finding from the EU Commission (the first being New Zealand). Such a finding enables the transfer of personal data between the countries without additional legitimizing measures, such as the EU's standard contractual clauses for data transfers.

Australia passed the Consumer Data Right, which may be the most prescriptive privacy legislation in the world in the areas of notice, consent, data access and data portability. Australia's four largest banks will be required to comply with the law beginning in February 2020, with other banks and industry sectors to follow in the future. The CDR may be an important test case globally to evaluate the effectiveness of such detailed regulatory requirements in areas that have historically been governed by more principles-based legislation.

This year also brought the world's largest-ever privacy fine with the U.S. Federal Trade Commission’s $5 billion USD settlement with Facebook, providing a sense of irony with the fine originating within a country that is still struggling to pass a comprehensive federal privacy law.

This was the year that privacy management software and services caught the full attention of capital markets with privacy startup OneTrust becoming our industry's first unicorn, raising $200 million USD at a valuation of $1.3 billion USD and going on to acquire data privacy and security research platform DataGuidance. Established privacy management solution provider TrustArc received an infusion of $70 million USD and went on to acquire privacy compliance software provider Nymity. These developments are indicative of the growing importance of high-quality tools and services to support the work of privacy professionals.

Court of Justice of the European Union Advocate General Henrik Saugmandsgaard Øe released his opinion regarding “Schrems II” supporting the validity of standard contractual clauses, with the final decision of the CJEU to follow in 2020. The CJEU is not required to follow the AG’s opinion, but it is common for it to do so. If the CJEU finds SCCs invalid, privacy professionals around the world will spend a significant amount of 2020 amending agreements that have thus far relied upon SCCs for transfers of personal data out of the EU/EEA.

Looking ahead to 2020, new regulations come into force in the form of the California Consumer Privacy Act and Brazil's LGPD. India may also pass its own comprehensive privacy legislation. With more pressing priorities facing the U.S. Congress, as well as the forthcoming U.S. elections, passage of a federal privacy bill is questionable for 2020, but I am still holding out hope.

I would like to hear your thoughts on the following questions for 2020. Regulators, privacy advocates and academics are increasingly challenging whether the foundational fair information practices are doing enough to protect privacy rights. Will the privacy enforcement battleground spill further into consumer protection, products liability and/or antitrust to fill the gap? With the cacophony of data and artificial intelligence ethics frameworks enacted by government and industry bodies around the world, will we see more companies implement data ethics by design into their processes, either as part of or lateral to a privacy function?

Wishing you all a wonderful holiday season and a fruitful 2020!