Privacy Law Update: July 12, 2021
U.S. President Joe Biden signed an executive order to promote competition in the American economy. The executive order includes a shift toward greater scrutiny of mergers, “especially by dominant internet platforms, with particular attention to the acquisition of nascent competitors, serial mergers, the accumulation of data, competition by ‘free’ products, and the effect on user privacy.” It also encourages the U.S. Federal Trade Commission to establish rules on surveillance, data accumulation and “barring unfair methods of competition on internet marketplaces.”
As the one-year anniversary of the Court of Justice of the European Union’s “Schrems II” decision approaches, the privacy industry has seen a wave of developments on international data transfers. However, one important element of the “Schrems II” ruling still needs to be addressed: a replacement for the EU-U.S. Privacy Shield agreement. During an IAPP LinkedIn Live event, U.S. Department of Commerce Deputy Assistant Secretary for Services Christopher Hoff, CIPP/E, CIPP/US, CIPM, offered a window into the progress on the Privacy Shield talks, assuring privacy professionals the negotiations are not stuck at the starting line.
On June 10, 2021, almost exactly three years after the passing of its Cybersecurity Law (CSL), the National People’s Congress of China passed a new Data Security Law (DSL), which goes into effect September 1, 2021. Where the CSL is primarily focused on cybersecurity for Critical Information Infrastructure (CII) operators and network operators, the DSL was promulgated in order to regulate data processing activities, promote data security, protect the lawful rights and interests of individuals and organizations, and safeguard national sovereignty, security, and development interests (Article 1). The scope of the DSL is quite broad, and without clarifying regulations or guidance, the law lacks significant detail on how companies should comply, leaving many open questions in advance of the September 2021 effective date. While it is expected that the relevant authorities in China will issue guidance and formulate certain corresponding regulations, it is clear that given the sweeping scope and broad territorial reach of the DSL, the DSL may have far-reaching implications for many companies.
Attitudes about data privacy are changing. For one thing, consumers are increasingly vocal about how their data is used. For another, organizations are beginning to recognize that data privacy actually expands business opportunities. Of course, all of this is taking place against a more onerous backdrop: a spate of privacy regulations, including the likes of GDPR, CCPA and the Virginia Consumer Data Protection Act.
Dealing with today’s regulatory environment is a formidable challenge since it requires two distinct sets of capabilities: discovering sensitive consumer data stored in enterprise systems and tying it back to each individual to whom it belongs. While traditional methods of discovering and classifying data have been used to find personally identifiable information (PII), they were never designed to map all of this information back to its owner and address these evolving regulatory requirements.
Today’s online consumer is drowning indeed — in the deluge of privacy policies, cookie pop-ups, and various web and app tracking permissions. New regulations just pile more privacy disclosures on, and businesses are mostly happy to oblige. They pass the information burden to the end user, whose only rational move is to accept blindly because reading through the heaps of information does not make sense rationally, economically or subjectively. To save that overburdened consumer, we have only one option: We have to kill the standard privacy notice.
Pending Privacy Legislation
- Colorado SB 190 was signed into law by Democratic Gov. Jared Polis on July 7.
- New York Privacy Act (S 6701) failed to pass.
- State legislative activity continued to slow down as state legislative sessions ended in Arizona, Colorado, Connecticut, Delaware, Illinois, Louisiana, Nevada, New Hampshire, New York, Oregon, and Rhode Island.
- IAPP Privacy Law Tracker