Written by Stephen Ragan, Principal Privacy Consultant at Wrangu
Finally, 2020 has come and gone. It was a year in which Covid-19 transformed the way we work, where we go to school, and how we interact, with many shifting to online solutions like Zoom or Microsoft Teams. This will continue in 2021 and potentially beyond as we continue to deal with the epidemic, and the early exposure children are getting to these technologies will help make the “new way of working” a lasting part of the future.
This transformation has forced organisations to adopt new tools that raise new security challenges while the issues of surveillance, privacy, and data protection are not going anywhere as more countries debate and adopt legislation throughout the world.
2020 alone saw the adoption of new privacy legislation in California (CPRA), the entry into force of Brazil’s General Data Protection Law (LGPD), and the implementation of new legislation in Turkey (LPPD), with many other jurisdictions debating their own form of legislation.
Not only do new regulations create compliance challenges for organisations, but they also create opportunities for those willing to embrace this shifting landscape and make privacy and data protection an integral part of their brand.
Here are some privacy trends to watch and prepare for in 2021.
- New Privacy Regulations Will Continue To Emerge
A study by Gartner predicts that by 2023, 65% of people will be covered and protected by some form of privacy regulation compared to just 10% in 2020.
“With more countries introducing modern privacy laws in the same vein as the General Data Protection Regulation (GDPR), the world has reached a threshold where the European baseline for handling personal information is now the de facto global standard,” said Nader Henein, research vice president at Gartner.
In October, China published a first draft of its own Personal Information Protection Law aimed at protecting the personal data of residents in mainland China.
In November, California voted to enact the California Privacy Regulation Act (CPRA), which will amend and bolster the California Consumer Privacy Act (CCPA) that came into effect at the beginning of 2020. The CPRA is set to go into effect in 2023 with a one-year look-back period, meaning organisations should prepare to be compliant with CPRA by 2022.
In India, a Personal Data Protection Bill has been introduced and is pending consideration.
Companies operating internationally will need to juggle multiple frameworks to comply with local regulations. Organisations outside of the EU or California should look to those jurisdictions with experience adopting and implementing new regulations.
- Will The US And EU Set Up A Third Privacy Shield?
In July 2020, the Court of Justice of the European Union (CJEU) struck down the Privacy Shield, which allowed data transfers between the EU and the US. The CJEU ruled in this way because of concerns over the surveillance practices of the United States government and the lack of judicial redress for EU citizens.
Under the current situation, Standard Contractual Clauses (SCCs) have taken precedence as the way to implement “additional safeguards” and raise the level of protection to one “essentially equivalent” to the GDPR. Theoretically, those safeguards are supposed to provide a standard of protection for individuals’ data like that in the EU; practically speaking, the United States has not changed its surveillance laws, and organisations located in the United States must comply with US law regardless of what their SCCs or the CJEU say.
Some suggestions for dealing with this issue centre on organisational transparency: organisations should publish the type and volume of government requests they receive. In addition, organisations are urged to challenge government requests in any way they can, and contractual clauses should be amended to include the additional safeguards suggested by the European Data Protection Board.
One thing to watch for in the coming months will be whether the U.K. gets an adequacy decision which may well direct negotiations for a third iteration of the Privacy Shield.
- Will The U.K. Get An Adequacy Decision?
When the U.K. decided to leave the European Union, it had to renegotiate the data transfer mechanism governing transfers from the EU to the U.K. Prior to Brexit, the U.K. was “adequate” as a member of the EU. Despite no changes in U.K. law, no “adequacy decision” was immediately granted, and a one-year grace period provided an opportunity for negotiations. Although the U.K. enacted a form of the GDPR in 2018, the situation was complicated by the Schrems II decision that invalidated the adequacy of the Privacy Shield. Following this embarrassment, the EU Commission proceeded cautiously and no decision was made on the issue.
Fortunately, the UK and EU negotiated a Trade and Cooperation Agreement that created a bridge period of up to 6 months, meaning data can continue to flow between the UK and the EU without any additional safeguards through the first half of the year.
The hope is that an “adequacy” decision will be reached, as privacy professionals currently have no clear guidance and the issue has been delayed for at least 4, and potentially up to 6, months.
- The Debate Over Federal Privacy Law Will Continue In The U.S.
A new administration brings new policies, and a Democratic administration may be more sympathetic to Silicon Valley’s calls for federal legislation. The Biden administration will likely be an extension of the Obama administration, in which Joe Biden served as Vice President. Under Obama, there was a revolving door between Silicon Valley and Washington D.C. Expect much of the same this time around.
Big tech companies in Silicon Valley are pushing for a federal bill to create a uniform set of rules, and to have a hand in drafting that legislation through lobbying and placing executives in top positions within the Biden administration. The goal is to create a uniform set of legislation to replace their current fragmented situation by which every state has the power to enact its own legislation. Fifty states mean potentially fifty laws to comply with.
On a recent episode of the Privacy Advisor podcast, Omer Tene, vice president of the International Association of Privacy Professionals (IAPP), argued that the United States has a brief window within which to enact federal legislation, citing 2022 as a deadline. After that, Tene argues, the motivation for federal legislation will be tempered by the heightened provisions of the CPRA, whose look-back period reaches to the beginning of 2022.
It is likely that one way or another Silicon Valley will have its say on privacy legislation in America.
- Technical Solutions to Solve Compliance Challenges
In addition to the challenges presented by new privacy and data protection legislation, technical solutions are emerging to deal with compliance challenges.
- Data Localisation
An often-debated topic is that regulation raises the cost of doing business. When the costs outweigh the benefits, organisations have no incentive to develop, innovate, or continue operations. Regulatory authorities are thus tasked with walking a tightrope: adopting legislation with sufficient teeth to protect individuals while not being so restrictive that it reduces business incentives. It is this tension between free-market innovation and individual protections that is driving the conversation around technology regulation in the United States.
Europe, on the other hand, is the leader in data protection regulation having adopted the General Data Protection Regulation (GDPR) in 2016, and yet issues with the regulation are still being ironed out.
One such issue relates to data transfers. Transfers within the EU are perfectly legitimate and do not require any additional safeguards. In addition, the EU Commission has determined 12 other countries are “adequate” with laws that are “essentially equivalent” to the GDPR requiring no further safeguards for the purpose of transferring data.
This sense of security regarding adequacy decisions was shaken when the Court of Justice of the European Union (CJEU) ruled in July in Schrems II, invalidating the Privacy Shield. The ruling demonstrated that an adequacy decision by the EU Commission is by no means permanent: it again nullified the transfer mechanism between the US and the EU, throwing some 5,000 organisations into a sea of uncertainty.
The decision was based on US surveillance laws and a lack of redress in court for EU data subjects. The court now requires that additional safeguards be put in place, highlighting the use of standard contractual clauses (SCCs) and binding corporate rules (BCRs). In addition, the court placed the burden on organisations to conduct a legal review of the laws of the country where the data is transferred, requiring either a finding that those laws are “essentially equivalent” to the GDPR or the imposition of additional safeguards.
What all this means is that organisations may think a bit harder about whether they want to transfer data outside of the EU. In countries like Russia and China, data localisation is the norm, requiring that data operators maintain databases in the originating country. Perhaps a comparable solution will emerge in Europe.
- Pseudonymization, Anonymization, and Synthetic Data
Another solution addressing privacy concerns is de-identifying data. De-identifying data means removing or replacing direct identifiers (e.g. name, ID number, phone number). One example of this is pseudonymisation, defined in GDPR Article 4(5) as:
“The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.”
On top of this, security and privacy controls can be implemented to prevent re-identification of the data. One shortcoming of pseudonymised data is that it remains “personal data” subject to the requirements of the GDPR.
Contrast pseudonymisation with anonymisation. Anonymisation is an even stronger form of de-identification, and under European law anonymised data would no longer be considered “personal data” subject to the requirements of the GDPR, including the provisions on consent for processing, deletion rights, cross-border data transfers, and retention limitations.
Although the Article 29 Working Party has been replaced by the European Data Protection Board, its guidance on data anonymisation techniques still applies, and it recommends two approaches: either the data meets three specific criteria, or a re-identification risk analysis is performed to demonstrate that the risk of re-identification is acceptably small. The three criteria are that “an effective anonymisation solution prevents all parties from singling out an individual in a data set, from linking two records within a dataset, and from inferring any information in such a dataset.”
Some critics have argued this approach creates data sets with limited utility. For this reason, some are turning to synthetic data. Synthetic data is artificial information that developers and engineers use as a stand-in for real data. To be effective, synthetic data must resemble the real thing, having the same mathematical and statistical properties as the real dataset. This is achieved by modelling the statistical correlations between related variables so that those relationships are preserved without any of the identifying information.
If you are in Europe, synthetic data has the power to ensure organisations continue to derive value from their data after the end of the data retention period or after a data subject makes a deletion request.
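As an added illustration of the distinction above (example code written for this post, not taken from any regulator, vendor or library): the records and key below are constructed, the HMAC token stands in for the name and phone number, and the singling-out check applies the first Article 29 Working Party criterion to the columns that survive pseudonymisation.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: fictitious people, not real data.
RECORDS = [
    {"name": "Alice Example", "phone": "+44 7700 900001", "postcode": "SW1A", "age": 34, "diagnosis": "flu"},
    {"name": "Bob Example", "phone": "+44 7700 900002", "postcode": "SW1A", "age": 34, "diagnosis": "flu"},
    {"name": "Carol Example", "phone": "+44 7700 900003", "postcode": "EC1A", "age": 52, "diagnosis": "asthma"},
    {"name": "Dave Example", "phone": "+44 7700 900004", "postcode": "EC1A", "age": 58, "diagnosis": "asthma"},
]
DIRECT_IDENTIFIERS = ("name", "phone")    # removed or replaced by pseudonymisation
QUASI_IDENTIFIERS = ("postcode", "age")   # survive pseudonymisation and can still single people out


def pseudonymise(records, key):
    """Replace the direct identifiers with a keyed-hash (HMAC-SHA256) token.

    The key is the 'additional information' of GDPR Art. 4(5): whoever holds it
    can recompute the token for a known person and re-link the record, so the
    output is still personal data and the key must be stored separately under
    its own access controls.
    """
    out = []
    for rec in records:
        ident = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        token = hmac.new(key, ident.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"pseudonym": token, **kept})
    return out


def singled_out(records, quasi_identifiers=QUASI_IDENTIFIERS, k=2):
    """Return the quasi-identifier combinations shared by fewer than k records.

    Each such combination lets one record be singled out, failing the first
    Article 29 WP criterion even though the direct identifiers are gone.
    """
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return [combo for combo, n in counts.items() if n < k]


def generalise_age(records):
    """Coarsen the exact age into a ten-year band to reduce singling-out risk."""
    out = []
    for rec in records:
        lo = (rec["age"] // 10) * 10
        out.append({**rec, "age": f"{lo}-{lo + 9}"})
    return out
```

Running `singled_out` on the pseudonymised records flags the two EC1A rows, and only after generalising the age column does the check come back empty; the pseudonym column is untouched by that step, which is why pseudonymisation alone does not make the data anonymous.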
- Data Mapping
Article 30 of the GDPR requires companies to produce a record of processing activities (ROPA). This allows regulators to see that companies are adhering to the GDPR by showing under what legal basis (Article 6) and for what purpose data is being processed.
One way to do this is to map your data. Data mapping refers to documenting the journey data takes through an organisation. Mapping data allows an organisation to identify personal data and implement the appropriate technical and organisational safeguards.
This allows organisations to understand where their information comes from and which laws apply. Understanding the data flow also reveals who has access to the data and what is being done with it. This audit trail is key to complying with Article 30 while also demonstrating a commitment to data protection by design (Article 25).
2020 is out and 2021 is in, but privacy should remain at the forefront of an organisation’s strategy. Not only because organisations must comply with expanding legislation, but also to build trust with customers and employees, and, if you are into that kind of thing, to make manifest the idealised hopes of the GDPR to protect privacy and the related freedoms that depend on our ability to make choices about how and with whom we share information about ourselves.
Wrangu will continue to monitor the situation and help you and your organisation stay on top of new privacy regulations.