Technology and business
Cybersecurity, data and regulatory risk
2019 saw major developments in the enforcement of privacy and cybersecurity laws worldwide, and 2020 promises much the same. Companies should expect to see more enforcement activity relating chiefly to cybersecurity and transparency about privacy practices – particularly in Europe – together with a sharp intersection between privacy and competition law. They should also anticipate more jurisdictions adopting privacy laws inspired by – though not necessarily following – the EU's General Data Protection Regulation (GDPR).
Enforcement trends: fines rise as authorities flex their muscles
Last year saw the UK Information Commissioner’s Office (ICO) propose major fines against an airline and a hospitality chain arising out of cybersecurity incidents involving customer data. These were among the first fines put forward under the GDPR and provided important indications as to how European data protection authorities would approach the calculation of penalties. The fines were also some of the first examples of the GDPR’s “one stop shop” enforcement mechanism, through which a data protection authority in one EU country can act, to all intents and purposes, on behalf of the entire bloc.
One of these cases also raises the prospect of data protection authorities more closely scrutinizing the level of cybersecurity and data privacy due diligence carried out on transactions, including as part of post-acquisition integration. We also see European fines continuing to be levied directly on the US headquarters of multinational businesses (even where those companies have a significant footprint outside the US), which may be a good reason for corporates and financial investors to reflect on how they structure their data operations and holdings overseas.
The US, too, got in on the act, with the Federal Trade Commission (FTC) handing out several large fines relating to the protection of children’s personal data.
In 2020 these trends are set to continue, although fine calculation under the GDPR is likely to become more predictable with several data protection authorities promising to publish guidance. And we can expect further strident enforcement in both Europe and the US beyond existing focus areas such as cybersecurity, children’s data and transparency, with competition a likely nexus.
2019 saw antitrust regulators promising to use competition law to regulate the collection and use of personal data. This shift is potentially fundamental, as it represents an effort to block certain data collection and uses in themselves, rather than merely regulate how those practices are disclosed or how data is secured.
Major decisions: further challenges expected to EU/US data transfers
In December 2019 the EU Advocate General issued an opinion recommending that the Court of Justice of the EU uphold the validity of the “standard clauses”, key mechanisms businesses use to transfer personal data from Europe to the US. Max Schrems, a notable privacy advocate, had challenged them on the grounds that they provide inadequate protections for Europeans in light of US government surveillance programs. In doing so, Mr Schrems also questioned the validity of the EU-US Privacy Shield, another critical framework for transferring data across the Atlantic.
Mr Schrems had previously sunk the Privacy Shield’s predecessor, Privacy Safe Harbor, although this time the Advocate General avoided ruling. Nonetheless, the opinion (if confirmed) leaves open other avenues for the Privacy Shield to be challenged. In 2020 we can expect to see additional attacks on transfers of data to the US, together with an EU initiative to revamp its standard clauses in line with the GDPR. Any of these developments could fundamentally change how companies transfer European personal data outside Europe’s borders.
Legislation: is this the year we see movement on US privacy law?
There are likely to be major developments in privacy laws around the world in 2020, with more jurisdictions set to adopt regimes inspired by the GDPR model.
Brazil’s privacy legislation modelled on the GDPR – the LGPD – comes into effect in August 2020. The implementing regulations and technical standards for China’s cybersecurity framework (with its onerous data localization requirements), together with the associated Cybersecurity Multi-level Protection Scheme, may also finally be brought in this year.
The biggest movement, however, could be in the US. The California Consumer Privacy Act (CCPA) came into force on January 1, 2020, with enforcement starting six months later. Some aspects of the law are familiar from GDPR and other privacy regimes, such as the requirement for transparency around data practices and the granting of rights to Californian data subjects to access, control and delete their personal data. But unlike previous laws, the CCPA tends to focus on the “sale” of data. Its definition of “sale” is unconventional, confusing and broad, and depending on how it comes to be interpreted by the Attorney General and the courts, may pose major headaches for business.
Even as companies work to implement the CCPA as it stands, the ground is already shifting. Alastair MacTaggart, a major mover behind what became the CCPA, is promoting a ballot measure in California’s 2020 election that would create a California Privacy Protection Agency and impose additional requirements around targeted advertising, children’s data, automated decision-making by businesses and the use of personal information by political campaigns. Meanwhile, legislators in Washington state have proposed laws falling somewhere in between the CCPA and GDPR; after early versions failed to pass the legislature, a new proposal is making the rounds that includes ad targeting and facial recognition among its focus areas.
We may also see movement at the federal level in 2020. In November 2019, Democratic and Republican senators introduced competing proposals for a new federal privacy law, both of which would adopt key elements of the GDPR and CCPA, including transparency requirements and rights for data subjects over their data. Both bills also agreed on who would enforce the law (the FTC); where they did not agree was on whether to provide a private right of action and whether to pre-empt state laws such as the CCPA.
In December the House Energy and Commerce Committee introduced a bipartisan bill adopting the points of agreement, while avoiding the areas of divergence. Whether any of these bills make it into law remains to be seen, but the flurry of activity and apparent cross-party convergence around certain themes seem to presage faster movement on a US-wide privacy law than had previously been expected.