Top 5 Privacy Developments in 2020 and 5 More to Prepare for in 2021
By Sherrese Smith, Jacqueline Cooney, Daniel Julian and Brianne Powers
Around the world the privacy landscape has shifted considerably in the last 12 months -- from significant legal and policy changes, such as the implementation of the California Consumer Privacy Act (CCPA) and the Schrems II decision in the EU, which further complicated cross-border data transfers – to novel privacy issues related to sharing of medical data related to COVID-19. In this post, we take a look at the top privacy issues that our clients faced in 2020 and what they should be focusing on in 2021.
1. COVID-19 -- The world-wide pandemic spurred unanticipated and unwelcome change in the way that businesses and governments handle medical-related data as a result of COVID-19. Since January of 2020, businesses globally have been forced to grapple with the need to collect health-related data about both their workforce and consumers in their efforts to keep their businesses safe and healthy. Seemingly simple solutions, such as “health checks” before employees come to work or customers enter a business, are fraught with privacy issues, including how to provide an appropriate privacy notice and how long to store this type of data. For a list of all resources published by Paul Hastings on the topic please click here.
2. California Consumer Privacy Act (CCPA) – This law went into effect on January 1, 2020, affecting mid- to large -size companies that operate in California. The law provides additional privacy rights to California residents and its requirements had companies working throughout the year to implement changes in the way they collect, use and transfer personal information. These efforts have led many of our clients to adopt global policies and internal practices that are focused on: 1) knowing where their data is collected and shared, and 2) providing more information and choices to consumers. For more guidance and resources on the CCPA, click here.
3. Privacy Shield Invalidation and Schrems II – On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a landmark decision invalidating the Commission Decision 2016/1250, also known as the EU-U.S. Privacy Shield Framework. The CJEU determined the Privacy Shield did not adequately protect the personal data of EU data subjects. Our clients that relied on Privacy Shield for transfers needed to quickly determine whether and how they could legally transfer personal information from the EU to the US, with some quickly executing Standard Contractual Clauses where needed and others taking a “wait and see” approach. To cap the year, the European Data Protection Board (EDPB) published draft revised Standard Contractual Clauses that will likely come into effect in early 2021. Find out more about the impact of and guidance related to Schrems II here.
4. Brexit – On December 31, 2020, the Brexit Transition Period is scheduled to come to an end, and with it the application of GDPR in the UK and the automatic free flow of personal data within the EEA. With the UK becoming a “third country”, the European Commission must make an adequacy determination as to the level of protection afforded under UK law. It is not yet clear whether the UK will qualify for a decision of adequacy. Our clients that are operating between the two jurisdictions are working to ensure appropriate data transfer mechanisms are in place between the EEA and UK prior to January 1, 2021. Find additional guidance regarding Brexit and its impact on our global privacy programs here.
1. New EU Standard Contractual Clauses – On November 11, 2020, the European Data Protection Board (EDPB) issued draft recommendations relating to the rules on how businesses may lawfully transfer personal information from the EEA to countries outside the EEA. The recommendations establish a six-step process that organizations should follow when engaging in cross-border transfers, and includes several significant operational changes, such as additional due diligence requirements for transfers to third parties and to countries outside the EEA. Following the EDPB guidance, the European Commission released a draft set of new Standard Contractual Clauses (SCCs) and a draft implementing decision. The Commission’s draft set of clauses allows for two new types of transfer mechanisms (EU-based processor to non-EU processor, and EU-based processor to non-EU-controller) and contains important updates to bring the text of the clauses in line with the General Data Protection Regulation (GDPR). Find out more about the details of the EDPB guidance and new draft SCCs here.
2. US State and Federal Legislation – California has continued to be a bellwether for US states as it continues to enact ever broader privacy laws. On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA) through a ballot measure. The CPRA amends the CCPA, further broadening the control that California residents have over their personal information, and imposing new obligations on businesses subject to the law. Most of the CPRA’s provisions will become operative on January 1, 2023, with enforcement beginning July 1, 2023. It is expected that other states, such as Washington, and possibly federal legislative action may follow in the coming year. Find additional information and guidance regarding the CPRA here.
3. Brazil’s LGPD – On August 14, 2018, the Brazilian government approved the Brazilian General Data Protection Law, known as the LGPD, which is the country’s first comprehensive data protection law and is designed to enhance the privacy and protection of personal information of individuals. Brazil's data protection authority, Autoridade Nacional de Proteção de Dados (ANPD), will oversee administrative enforcement of the law which has been delayed until August of 2021. Similar to GDPR, the LGPD has extraterritorial reach, and applies to businesses that process the personal information of individuals collected in Brazil, regardless of their location or where the data is processed or stored. We will be working with our global clients that operate in Brazil to implement compliance efforts in the coming months in anticipation of the 2021 effective date.
4. Canadian Legislation – On November 17th, 2020, the Canadian Minister of Information, Science and Economic Development introduced Bill C-11, the Digital Charter Implementation Act (DCIA). In light of the Schrems II decision in the EU, this appears to be Canada’s effort to maintain its EU adequacy determination. The changes proposed by the DCIA would amend several existing pieces of legislation, most notably transitioning the Personal Information and Electronic Documents Act (PIPEDA) into the Consumer Privacy Protection Act (CPPA), as well as the creation of a privacy and data protection tribunal through the Personal Information and Data Protection Tribunal Act. The DCIA also introduces a host of new GDPR-inspired requirements and rights, including a privacy management program, consumer rights to data portability and deletion, and enhanced enforcement authority for the Office of the Privacy Commissioner. It also creates a private right of action. Find additional information on the draft DCIA from the Innovation, Science and Economic Development Canada (ISED) here.
5. The UK, Brexit and the Age Appropriate Design Code – The UK will be a country to watch as it leaves the EU and works to enact and enforce its own data protection legislation. As an initial matter at the beginning of the year, Brexit will mean that the UK will be designated as a “third country” for the purposes of cross-border data transfers. The UK is working to adopt legislation that will meet the levels of protection required under GDPR. It will also be looking for an adequacy determination from the European Commission for cross-border data transfers. For now, our clients have been working to execute Standard Contractual Clauses between EEA and UK entities to ensure data transfers are lawful. Find additional guidance regarding the transition period and compliance obligations here. Brexit has not stopped the UK from enacting other data protection reforms, including, most notably, the recent passage of the Age Appropriate Design Code (the “Code”), which became effective on September 2, 2020, with a 12 month implementation period for Information Society Services (ISSs) to comply. ISSs that provide information services likely to be accessed by children in the UK must comply with the new, granular coding requirements. They will apply to services such as streaming-platforms, applications, programs, websites, social media platforms, messaging services, games, community environments and connected toys and devices, where these offerings involve the processing of personal information. The Code establishes 15 standards intended to protect children’s privacy, including high-privacy settings by default, data minimization requirements, geolocation settings off by default, and guidance regarding the use of “nudge” techniques. It also addresses issues of parental control and profiling, and the criteria for determining the appropriate types and timing of providing notice and obtaining consent from children and adults. We will be working with many global clients in 2021, especially in the entertainment and technology markets to implement these requirements in ways that minimize impact on their businesses. Find further guidance and resources on the Age Appropriate Design Code here.
Final Thoughts as the New Year Approaches
Our global Privacy and Cybersecurity Practice keeps up-to-date on privacy and cybersecurity developments around the globe. Our mission is to help clients build privacy programs in practical and innovative ways that enable their businesses to ensure compliance with wide-reaching and disparate global legal requirements.Our team is ready to say goodbye to 2020 and move into 2021 to tackle the new challenges that lay ahead as the privacy landscape continues to change. We are looking forward to working with our clients to meet these challenges together.