It's one thing to volunteer, but it's another to make the most of the experience. Kilpatrick Townsend & Stockton Partner Amanda Witt, CIPP/E, CIPP/US, did just that as co-chair for the IAPP's KnowledgeNet chapter in Atlanta, Georgia, from 2016 to 2019. Witt began her service as preparations for the EU General Data Protection Regulation were ramping up and took part in Atlanta meetings through the law's implementation. She helped bring fellow privacy professionals together and work through the logistics of the EU General Data Protection Regulation, which proved to yield valuable insights and considerations for her own work advising clients on compliance.
In this Volunteer Spotlight, Witt discusses a range of topics she's focused on, including the California Privacy Rights Act, EU-U.S. data transfers and more.
The Privacy Advisor: There is a lot going on in privacy right now. We’ve got the CPRA, learning to navigate data transfers post-"Schrems II," and proposed laws in China, India, Canada and other countries. We know privacy has been gaining steam, but why do you think it has reached what equates to a boiling point?
Witt: When I was teaching privacy law as an adjunct professor at Georgia State's College of Law, I saw a significant increase in interest and awareness of privacy law after several high-profile privacy breaches that potentially impacted elections in the U.S. and U.K. As technology has come to dominate our lives, especially in the last year with most people working from home and attending school remotely, people have become more aware of how companies and governments are using their data. The EU has also set a "gold standard" of sorts when it comes to privacy laws and many countries, and U.S. states, such as California, have sought to enact similar protections in response to public pressure and a desire to achieve EU adequacy for the purpose of data transfers. Privacy rights are becoming a globally recognized fundamental right, and I expect the adoption of comprehensive privacy laws to continue on a global basis.
The Privacy Advisor: The CPRA presents plenty of information to digest, but what provision are you laser-focused on and advising your clients on most?
Witt: There is a lot to focus on in the CPRA, but one of the areas to focus on initially, until we have more regulatory guidance, is determining whether a business will have to offer an option for consumers to opt out of sharing. Some businesses, interpreting "sale" broadly, already offer an opt-out of sharing through an existing “Do Not Sell” button. Other businesses must figure out if, or to what extent, the definition of cross-contextual advertising applies to the business's digital marketing practices. For other businesses, coming up with ways to verify the accuracy of correction requests is going to be an operational challenge. Lastly, the limitations relating to sensitive data will also require careful planning.
The Privacy Advisor: I want to dig in a bit on the new California privacy regulator created by the CPRA. How do you think that office will shape up in terms of its approach to enforcement? Do you think it will run like the attorney general’s office, or will there be differences?
Witt: Given the additional resources that it will have, it could end up being a more powerful regulator than the U.S. Federal Trade Commission, especially given the current limitations on FTC enforcement. It’s hard to predict whether it will be run like the attorney general's office, but it's possible that they could model their operations after Europe's supervisory authorities given its more focused mission to protect privacy.
The Privacy Advisor: What's your best guess on how the EU and U.S. might solve their data transfer conundrum?
Witt: Hopefully, an incoming Biden administration will be able to make changes in some of the national security and surveillance laws that will provide the Europeans with additional comfort. There is always hope that a Safe Harbor 3.0 or Privacy Shield 2.0 could be agreed upon, but it will need to address some of the fundamental issues highlighted by "Schrems II." However, that can only be done with changes to U.S. law. I was intrigued by what Microsoft recently proposed in terms of "supplementary measures," including providing monetary compensation to data subjects. Companies are coming up with creative solutions, but it seems that the real changes need to come from changes in law. I hope we can find an acceptable compromise because it’s essential for both economies to ensure the free flow of information between the U.S. and EU.
The Privacy Advisor: Which privacy law proposal out of the three big ones I mentioned intrigues you the most, and why?
Witt: I’m most intrigued by the CPRA given that I wonder if it will transform and mature U.S. privacy law in the same manner that the GDPR transformed the privacy programs of companies that implemented the GDPR. Given how most U.S. businesses have California consumers, the CPRA could become our de facto federal standard. I will also be curious to see if other states follow California's lead and adopt GDPR-like privacy laws.
The Privacy Advisor: The U.S. Senate just passed the IoT Cybersecurity Improvement Act of 2020 this week. Can you provide your take on the positives that will stem from the law as far as privacy and infosecurity go?
Witt: I believe that the passage of this law is a positive first step in having federal minimum information security requirements for managing the cybersecurity risks posed by Internet-of-Things devices. Although it will only directly impact devices supplied to the federal government, it will likely establish what will be considered to be industry-standard minimum security requirements. Given that these devices are becoming pervasive in our homes, it's important to address critical security vulnerabilities. It will also be interesting to see what companies develop in the vulnerability disclosure policies that they’re required to provide to federal officials.