Skip to main content

BOARD MEMO 2021

Privacy and cyber

Mena Kaplan

Mena
Kaplan

Partner, New York

Peter Jaffe

Peter
Jaffe

Special Counsel,
Washington, DC

The world’s most important privacy law – Europe’s GDPR – went into force more than two years ago. But 2021 may be the year its shockwaves are truly felt across the globe.

GDPR copycat laws are now taking hold in some of the most important jurisdictions. Brazil’s privacy law, modeled closely on the GDPR, finally took effect in August 2020; South Africa’s came into force a month earlier and enforcement starts in July 2021. India continues to consider its comprehensive Personal Data Protection Bill, spurred by a landmark Supreme Court judgment declaring privacy to be a fundamental right. And in late October, China began consultations on a GDPR-inspired Personal Data Protection Law. The enactment of these measures will complete the expansion of comprehensive private sector privacy laws across the BRICs. Meanwhile, the California Consumer Privacy Act went into effect at the start of 2020, and now California citizens have adopted a supplemental law (the California Privacy Rights Act) that will bring the state’s regime even closer to EU standards. The bottom line is that companies need to plan for an environment where privacy laws give individuals substantial rights over personal data that businesses previously regarded as a proprietary asset.

Alongside this, the world continues to grapple with the Schrems II decision, in which the European Court of Justice applied GDPR to invalidate a key mechanism for moving personal data from Europe to the United States. In 2021, expect the decision’s impact to be felt in two ways. First, other countries with GDPR-like laws may follow the Schrems II reasoning and similarly restrict transfers to the US. Second, EU member states may start looking at jurisdictions other than the US - in particular those with powerful surveillance authorities - and restrict cross-border transfers there, too. Meanwhile, the US government’s orders against TikTok and WeChat show how even a country without a comprehensive privacy regime can use other measures (such as sanctions) to restrict personal data flows.

Finally, expect greater activism by private individuals and organizations in the privacy space. Europe’s baby steps towards mass-claim regimes has created fertile ground for self-appointed privacy champions to bring large-scale litigation against companies for perceived privacy failings. Across the globe, these advocates have rapidly garnered a popular following that gives them real influence in the marketplace.