Privacy law has propagated impressively around the globe since the United States enacted the world’s seminal statutes, namely the Fair Credit Reporting Act in 1970 and federal Privacy Act of 1974. While growth of the field has been steady, it has also been amazingly dynamic, both internationally and domestically. Even more significant, perhaps, is the fact “privacy” is commonly invoked to serve as the governance framework for digital issues and emerging technologies beyond just data protection. “Privacy” is not only growing in scope, importance and geographic footprint, but it is also the subject of increasing head-of-state focus and multilateral interest in finding common ground.
The top leaders of the free world recently signaled the essentiality of “privacy” in the communiqué they issued at the conclusion of the June 2021 G7 meeting in Carbis Bay, U.K. Specifically, they committed to “championing data free flow with trust, to better leverage the potential of valuable data-driven technologies while continuing to address challenges related to data protection.”
The presidents and prime ministers of the world’s most prosperous democracies, alongside the presidents of the European Commission and Council, emphasized their strongly held, shared values on privacy and data protection. They expressed a mutual desire to enhance coordination, promote innovative technology, develop global norms and standards, and harmonize principles of data collection. These leaders said they would work together “towards a trusted, values-driven digital ecosystem for the common good that enhances prosperity in a way that is sustainable, inclusive, transparent and human-centric … (and) strengthen coordination on and support for the implementation and development of global norms and standards … (and) development of harmonised principles of data collection ….”
Moreover, the G7 Digital Ministers expressed a commitment “to identify commonalities in regulatory approaches.” They tasked the U.K.’s information commissioner to spearhead multilateral initiatives (in 2021) in support of “regulatory cooperation with a potential focus on innovative approaches” and by exploring “commonalities in regulatory approaches and promot(ing) interoperability between members.”
In addition to this promising G7 activity, the president of the United States and leaders of the European Union also committed to regulatory cooperation on data governance, cybersecurity and privacy at their June 2021 bilateral summit. They committed to work together “to ensure safe, secure, and trusted cross-border data flows that protect consumers and enhance privacy protections, while enabling Transatlantic commerce.” The leaders also resolved to boost cybersecurity information sharing as well as cybersecurity certifications for products and software.
The joint summit statement provided numerous, encouraging signals regarding a strongly shared desire to ameliorate U.S.–EU tensions on privacy and data protection and “strengthen legal certainty in transatlantic flows of personal data.” The leaders committed to:
avoid new unnecessary technical barriers to trade; to coordinate, seek common ground, and strengthen global cooperation on technology, digital issues, and supply chains; … to cooperate on compatible and international standards development; to facilitate regulatory policy and enforcement cooperation and, where possible, convergence; to promote innovation and leadership by U.S. and European firms.
The two jurisdictions kicked off cooperation on technology matters by establishing a high-level U.S.–EU Trade and Technology Council. The new TTC is intended to promote convergence and innovation on digital issues, and will focus initially on technology standards cooperation for artificial intelligence, the Internet of Things, other emerging technologies, data governance and technology platforms.
Given these commitments from heads of state and ministers, privacy and digital governance are unmistakably ensconced among the top objectives of the free world. Moreover, the world’s democracies are manifestly inclined to cooperate on finding commonalities and convergence, "strengthen(ing) legal certainty," and promoting both privacy and innovation for their citizens.
In what may be among the year’s most surprising twists, the People’s Republic of China also adopted a comprehensive privacy law this year. The Wall Street Journal’s headline of Aug. 20, 2021 described this shocking development as follows: "China passes one of the world’s strictest data-privacy laws: China’s once-freewheeling internet faces new rules protecting personal data, as the world’s largest online population awakens to privacy concerns."
China’s new Personal Information Protection Law, which takes effect on Nov. 1, 2021, is said to be patterned after the EU General Data Protection Regulation insofar as it entails requirements for prior consent to and minimization regarding the collection of personal data. Based on press reports, the law apparently also requires prominent notice of public facial recognition cameras, and transparency and fairness regarding automated decision-making. Supposedly it will require the ability to opt out of personalized marketing and it addresses the issue of “algorithmic discrimination.” Like the GDPR, the new Chinese law provides for potentially enormous fines for privacy violations, which apparently may go as high as 5% of a company’s business income for the prior year.
Time and actual experience will tell whether the privacy law enacted by perhaps one the world’s more intrusive surveillance states can be taken at face value and if it will live up to The Wall Street Journal’s advance billing. But the very fact that China passed a major law to protect personal data demonstrates there is no stopping the international movement toward privacy.
The U.S. has also been a hot bed of privacy developments. Indeed, privacy law has been a moving and growing target among the 50 states and federal government.
It was California, of course, that first imported the GDPR into American law. It started with the California Consumer Privacy Act in 2018, which was almost immediately substantially overhauled and tightened two years later by the California Privacy Rights Act.
In 2021, Virginia and Colorado adopted comprehensive privacy laws based on the California and GDPR models. All of these laws entail similar individual, i.e., "data subject," rights to access, delete, correct, port out their personal data, and to varying degrees, to opt out or limit the sale of personal data, targeted advertising, and legally or materially significant profiling.
These new state laws will go into effect in 2023. Nevada also expanded its privacy law in 2021. Though Nevada’s privacy law does not qualify as comprehensive, the amendments broaden consumers’ right to block the sale of their personal information to third parties, and like in California and Vermont, Nevada’s new law will regulate data brokers, namely "persons whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship … and making sales of such covered information."
Significantly, only California has created a new enforcement agency with jurisdiction over data protection, the California Privacy Protection Agency. And only California has granted individuals a private right of action to sue companies for violations of the state’s privacy law. Even then, California only provides a private right of action limited to suing over personal data breaches that result from a company’s failure to implement reasonable data security practices. The other states with new privacy laws will continue to rely on enforcement by existing officials such as attorneys general or, in the case of Colorado, local district attorneys in addition to the state attorney general.
It should also be noted that in 2021 the Uniform Law Commission in the U.S. finalized its version of model legislation, i.e., a consensus template, that could be adopted in full by any state that chooses to do so. The Commission’s Uniform Personal Data Protection Act is generally comparable to the laws of California, Virginia and Colorado, but is considered to offer a somewhat lower compliance burden and, thus, may be more business- and innovation-friendly. The UPDPA is modeled to some extent on the federal Privacy Act of 1974, and only applies its data protection regulatory requirements to personal data a company maintains in a “system of records” that it uses to retrieve data about individuals for purposes of making individualized communications or decisions.
Interestingly, the UPDPA stipulates specific data practices that are prohibited. Providing a list of prohibited practices is useful because it could focus the regulator’s mind on data-related risks that are truly injurious or actually unfair. Targeting regulation and enforcement at well characterized injuries, rather than at illusory or hyper-technical ones, helps avoid the risk of over-regulation. As the U.S. Supreme Court confirmed again in 2021, in TransUnion v. Ramirez, some data practice failures — like inaccurate information that is never communicated outside of an internal database and never affects anyone — may not give rise to legally actionable harm.
The Commission’s effort could be significant. It is a highly respected body that previously drafted, for example, the Uniform Commercial Code and the Uniform Fiduciary Access to Digital Assets Act, both of which have been adopted in nearly every state.
In any event, with all this state-by-state and model-law drafting activity, the one thing that can be stated with confidence is Congress will continue to cogitate over federal, comprehensive legislation.
During the next year we will see whether the federal government can catch up with states and deliver comprehensive legislation, whether the U.K.’s information commissioner and the U.S.–EU TTC will deliver on their respective mandates to harmonize global standards and norms for privacy, and whether China will deliver on the potential of its strict new privacy law — or whether it will merely deliver more domestic surveillance and dominion over foreign and domestic technology companies.
As always, in the year ahead there will be both promise and peril for the future of privacy. But the increasing focus on commonality, convergence, harmonization and innovation is certainly a good sign.
(Editor's note: This article is adapted from Mr. Raul’s Global Overview in the forthcoming 8th Edition of the Privacy, Data Protection and Cybersecurity Law Review published by Law Business Research Ltd.)
Photo by Scott Webb on Unsplash