The whirlwind of events that took place in 2020 will drastically change the way we live and work for the remainder of our lifetimes. The pandemic, the invalidation of the EU-US Privacy Shield, and the continued development of global privacy regulations are just a few of those events.
And the importance of data protection, as well as other regulatory compliance topics, will only continue to grow in 2021.
To prepare for and mitigate the changes, you should take immediate steps to build privacy and compliance into the roots of your organization.
Based on research and our in-house expertise, we’re presenting the top 5 predictions about privacy changes you can expect to see this year.
Privacy Regulations Will Grow
Gartner predicts by 2023, 65% of people across the world will have their personal data protected by privacy regulations, compared to 10% in 2020.
Since the introduction of GDPR in 2018, more than 60 jurisdictions across the world have enacted or proposed some sort of privacy and data protection law. And it’s expected this growing trend will continue into 2021.
Here are a few legislative predictions you can anticipate for this year:
The United States Will Expand Regulations
2020 kicked off with the California Consumer Privacy Act (CCPA). It ended with an entirely new California regulation: the California Privacy Rights Act (CPRA). California is setting a solid example for the rest of the country on data privacy. You can expect other states to jump onto the bandwagon, too.
There’s also reason to believe under a new administration, a federal privacy law might be introduced in 2021.
The EU is Expected to Move Forward the ePrivacy Regulation
The EU is still drafting its ePrivacy Regulation (ePR), which was anticipated to pass in 2020. This is an area we will continue to watch in 2021. The ePR will be an EU-wide law ensuring data privacy in the electronic communications sector. Experts predict it will specify the personal data protection standards of the GDPR for electronic communication.
China is Expected to Pass Its Personal Information Protection Law (Draft PIPL)
In October 2020, China published its first draft of the Personal Information Protection Law. While there’s no confirmed timeline for the law’s implementation, it is currently under review and expected to pass in 2021. The Chinese government has encouraged companies doing business in China to study the draft of the law. The intention is that these businesses make the necessary preparations as soon as they can to mitigate the expected wide-ranging impact.
Brazil Will Enforce LGPD
Though the LGPD – Brazil’s data privacy law – is already in effect, its enforcement provisions don’t take effect until August 1, 2021. However, any Brazilian resident harmed by a violation of the law is able to seek remedies immediately, and civil actions have already been filed. You should make changes to be in compliance with this law well before August.
South Africa Will Enforce POPIA
South Africa’s Protection of Personal Information Act (POPIA) took effect on July 1, 2020, with a grace period of 12 months. That means the government will start enforcing the law on July 1, 2021, allowing companies time to implement a POPIA-compliant program.
Singapore PDPA & Spam Control Act Amendments Will Go Into Effect
In November 2020, the Parliament of Singapore passed proposed amendments to the Personal Data Protection Act (PDPA) and the Spam Control Act of 2007. These amendments include mandatory data breach notifications and higher maximum financial penalties, among other changes. The amendments should go into effect in 2021 after a final sign-off.
Japan APPI Amendments To Go Into Effect
In June 2020, Japan passed a law amending the Act on the Protection of Personal Information (APPI). While the bill was passed without any changes, it introduces new obligations for personal information controllers, including mandatory breach reporting, among other amendments. Prepare for these changes to take effect at the end of 2021 or in early 2022.
Countries Will Increase Adoption of Convention 108+
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data – also known as the Data Protection Convention – opened for signatures in 1981. Today, it’s still the only legally binding international treaty with global relevance for protecting user data. Over 48 countries have signed it.
However, since the ‘80s, a lot has changed with regard to data privacy. Just consider the sizable adoption of new information and communications technologies. The Council of Europe addressed these challenges through the modernization of the Convention, and so far 10 states have ratified the amendment. There’s no expectation that this will slow down in 2021.
Schrems II To Impact Cross-Border Data Transfers
In November 2020, the European Commission and the European Data Protection Board (EDPB) released eagerly anticipated guidance addressing compliance with the enhanced obligations introduced by Schrems II.
These publications include:
- The EDPB guidance about supplementary transfer tools to ensure compliance with the EU level of protection of personal data (Supplementary Measures Guidance)
- The EDPB guidance about essential guarantees for surveillance measures (Surveillance Recommendations)
- The European Commission’s draft containing new Standard Contractual Clauses for use in various data transferring contexts (New SCCs)
The EDPB adopted the Surveillance Recommendations outright, whilst a finalized version of the Supplementary Measures Guidance and the adoption of the New SCCs are eagerly anticipated early this year.
Now that the proper regulatory guidance is in place, organizations like yours can spend the early days of 2021 formalizing a compliance program to meet these changes.
Cookie Enforcements Will Get Serious
In 2020, Spain and Ireland published new requirements for cookie banner compliance. Those regulations went into effect in October. Cookie changes will continue to dominate in 2021, starting with France’s updated CNIL Cookie Guidelines in March.
However, the CNIL reserved its right to take action against certain infringements, in particular serious infringements of the right to privacy. At the end of 2020, it exercised that right: it fined Amazon France Core, Google LLC, and Google Ireland Limited a total of €135 million.
In October 2020, the AEPD in Spain also fined Iberia €30,000 for unlawful cookie practices. In 2021, you’ll probably see increased enforcement for cookie compliance.
Regulations aren’t the only worry for 2021, though.
Max Schrems’s group, None Of Your Business, is also calling out organizations that fail to comply with cookie rules. One example is its exposé of Apple in November. Keep an eye out for more press releases like this from the group as the year continues.
Retention and Data Governance
As security frameworks and privacy regulations continue to evolve in 2021, you should take steps to build more robust data governance into your operations.
In 2021, creating data governance strategies should be at the top of your to-do list. You need to know not only what data you have, but where you have it and who has access to it.
Your organization will be better positioned to gain objective, data-driven insights that allow you to make more informed business decisions. You’re also more likely to boast more robust privacy and security programs as a result.
Further Development in Ethics and Employee Privacy
2021 will be another busy year for compliance officers. Building a trusted work environment and privacy-by-design culture will take precedence in 2021. Here are some expectations for the next 12 months:
COVID-19 and Returning to Work
As COVID-19 vaccinations become the norm, employers will begin to allow employees to return to the workplace. To limit the spread of illness, you’ll need to leverage health data like temperature checks, medical history, and COVID-19 test results. But with the collection of this data comes an increased risk of privacy law penalties and breaches.
Be familiar with the legislation you’re subject to when it comes to employee data. You must also ensure data minimization when screening team members for health reasons. Be conscious of how you disclose health data.
Be aware: The Americans with Disabilities Act prohibits employers from telling other employees about which employees have tested positive for COVID-19.
Compliance with the EU Whistleblower Protection Directive
The EU whistleblower directive was another step towards increased ethics in the workplace. All organizations with more than 250 workers must comply with the legislation by December 17, 2021. Companies with over 50 employees must comply by December 17, 2023.
Increased Focus on AI, Data Ethics, and Algorithmic Bias
More and more companies and industries are turning to machine learning and artificial intelligence to automate processes and streamline business functions.
In 2015, one of the largest tech companies realized that the algorithm it used for hiring employees was biased against women. The algorithm was trained on the resumes submitted over the previous 10 years. Since most of the applicants during this time were men, the algorithm favored men over women.
In 2020, the Equal Employment Opportunity Commission, which investigates employment discrimination, was reportedly looking into at least two cases involving algorithmic discrimination. At the same time, the White House encouraged federal agencies tasked with artificial intelligence regulations to keep technological innovation in mind.
As more and more of these cases develop in 2021, look for increased guidelines, frameworks, reports, and proposed regulations to combat machine learning bias.
Conclusion: Navigate the Changes in 2021 With Automation
Today, laws about consumer data, cookies, cross-border transfers, and employee privacy vary from region to region. They’re becoming increasingly difficult for organizations to keep up with.
As a final bonus prediction for 2021, we expect more organizations to invest in software that automates data privacy, from handling privacy requests to consent and preference management.
OneTrust offers powerful and easy-to-use compliance solutions purpose-built to solve these challenges at scale. OneTrust Privacy allows organizations to simplify their privacy program management. Request a demo or try it free today.