Welcome to this special “Data Privacy Day” edition of Last Week in Privacy. Here are some of the top stories in data protection regulation from around the globe, including a look ahead for 2019.
Few would argue with the GDPR being the top privacy story of 2018. The EU General Data Protection Regulation went into effect on May 25th, and the enforcement of the world’s most comprehensive data protection law has been ramping up exponentially ever since that date. Most recently, the French data protection authority, the CNIL, announced a fine of fifty million euros against Google, in accordance with the GDPR, for lack of transparency, providing inadequate information, and lack of valid consent regarding ads personalization. The fine is a result of complaints that were filed back on May 25th, 2018, the day on which the GDPR came into effect. And with a reported fourteen different cross-border investigations currently being conducted by the Irish Data Protection Commissioner alone, it’s easy to predict that 2019 will be a big year for GDPR enforcement, as data subjects and EU data protection authorities begin to test the limits of their enforcement capabilities.
Also in focus in 2019 will be the adoption of approved GDPR codes of conduct and certification mechanisms to assist in demonstrating compliance with the GDPR and serve as a cross-border data transfer mechanism. In particular, the DPAs of Luxembourg, the Netherlands, and France have all reported significant activity in developing certification mechanisms; and in terms of codes of conduct, the Cloud Security Alliance has published a code of conduct for GDPR compliance that is currently in the process of being approved by EU supervisory authorities.
The United Kingdom is still due to leave the European Union on March 29th, but so far a deal has not been reached on how Brexit will take place. This means the future of personal data transfers from the EU to the U.K. remains uncertain and many U.K. companies may need to scramble to put standard contractual clauses in place to maintain business as usual. After voting down Prime Minister May’s Brexit deal, Parliament is set to vote on January 29th on other options for avoiding a potential no-deal exit from the EU.
Also, you might be wondering what happened to the ePrivacy Regulation. You may recall it was originally supposed to accompany the GDPR and replace the ePrivacy Directive (which is still in effect by the way). Well, unfortunately, it’s still not clear when EU lawmakers will agree on a draft and approve the legislation, and with European Parliament elections happening in May, it still looks like a long road ahead.
And in the U.S., Silicon Valley continues to lobby for a federal privacy law that would pre-empt the controversial California Consumer Privacy Act of 2018. And so far, there looks to at least be bipartisan agreement that comprehensive legislation is needed, as lawmakers on both sides continue to introduce bills, with the most recent coming from Senator Marco Rubio of Florida, and many of these bills have included proposals for expanding the Federal Trade Commission’s enforcement powers and giving the FTC rule-making authority.
And speaking of the CCPA—it’s set to go into effect in less than a year, on January 1, 2020. However, due to recent amendments, enforcement of that law could be delayed until as late as July 1, 2020, depending on how quickly the California Attorney General can adopt regulations, as required by the Act. And of course, additional and more substantive amendments are possible as both consumer activists and industry groups continue to lobby for changes on both sides.
But aside from the CCPA, will we see more comprehensive legislation adopted at the state level? Well, some lawmakers in Washington state say yes, and have wasted no time introducing a new bill that would give residents more control and access rights over their personal data, similar to what California has implemented with the CCPA.
Switching gears now to the Asia-Pacific region, the European Commission has adopted its adequacy decision on Japan, creating what the Commission calls “the world’s largest area of safe data flows.” The Commission’s adoption of the adequacy decision came after Japan put in place a number of additional data protection safeguards, including a set of supplementary rules designed to bridge differences between the two data protection regimes; assurances on safeguards limiting the access of Japanese authorities to EU data for law enforcement and national security purposes; and a complaint handling mechanism to investigate and resolve complaints from Europeans about access to their data by Japanese authorities. The decision also complements the EU-Japan Economic Partnership Agreement, which is set to enter into force next month.
India is also anticipating a big year for privacy, as the draft data protection legislation that was circulated last year could finally become a reality in 2019. The Indian Government has sought an international consultation on the draft, most notably receiving feedback on the draft from the EU Directorate-General for Justice and Consumers, which makes sense given that the law was modeled after the GDPR. The draft is expected to be introduced and passed this year, but with India holding elections in the spring, it’s unclear when exactly that might happen.
In South America, Brazil will also be establishing their new National Data Protection Authority, which will begin preparations for an August 2020 effective date for the Brazilian General Data Protection Law. Prior to that effective date, the DPA will be expected to exercise both collaborative and consultative functions, with the aim of providing guidance to organizations as they try to understand what the new law expects of them and organize their compliance efforts.
Also in South America, both Chile and Argentina are expected to pass new data protection laws based on the GDPR and thus align themselves with the EU. Interestingly enough, Argentina has been a leader in data protection in South America, as they were the first South American country to adopt EU data protection standards and receive an adequacy determination by the EU. And now, Argentina is expected to follow the EU’s lead once again.
Well, we definitely have a big year ahead, but that’s all for today. As always, thank you for watching Last Week in Privacy, and a happy Data Privacy Day to you from all of us at OneTrust. See you next time!