Privacy Predictions Roundup
WireWheel CEO Justin Antonipillai has talked with many data privacy industry leaders, analysts, and advocates who have shared their insights, experience, and predictions about data privacy from both an industry and regulatory perspective.
And much has happened to inspire speculation in the past six months including of course Brexit and the change in U.S. administration. Some predictions have already proved out rightly or wrongly. For most, the jury is still out though continuing events inspire optimism in some cases and pessimism in the likely outcome of others. Ultimately only time will adjudicate.
A New Third Party
Back in September of 2020 Brexit was still not a foregone conclusion, when Forrester made the prediction that the UK would become a third party with regard to data protection transfer protocols. Still, as Senior Analyst Serving Security and Risk Professionals, Enza Iannopollo confessed back in January that it was a relatively easy prediction to make.
Still, Iannopollo cautioned that absent an adequacy decision, it would mean that “an organization would need to run risk assessments to determine whether adequate protections [and] whether current standard contractual clauses alone are sufficient.” Adding uncertainty, risk, and burden to every transaction. She also opined that Britain may make changes to their data protection regimen that could disrupt the six-month bridging mechanism when she spoke with Justin.
On 19 February 2021, however, the European Commission did issue a draft adequacy decision. “The UK now urges the EU to fulfil its declared commitment to complete the technical approval process swiftly…” (gov.uk PR, 2021).
WireWheel’s Antonipillai – who was the Obama Administration Acting Under Secretary, U.S. Department of Commerce and instrumental in negotiating Privacy Shield post Schrems I – muses that given the CPRA’s GDPR-like protections, could California conceivably obtain an adequacy decision as a “territory” under the GDPR.
Cooley’s Travis LeBlanc avers “the challenge that I face in trying to imagine a world in which California is deemed adequate, is it seems to fundamentally contradict the premises for the striking down a Privacy Shield:” namely section 702 of the Foreign Intelligence Surveillance Act. “If the concern is around the lack of an independent ombudsperson that can address complaints from European person. It is very hard for me to see how California is going to get around those concerns.”
The Fed, the State, and Privacy Shield
During the 2020 Spokes Privacy Technology Conference, WireWheel’s Antonipillai met with Microsoft’s Corporate Vice President, Deputy General Counsel and Chief Privacy Officer, Julie Brill; Lindsay Finch, Vice President Global Privacy and Product Lead at Salesforce.com; and Senior Counsel of the Future of Privacy Forum Gabriela Zanfir-Fortuna for the aptly named “Privacy Tech Leaders” panel.
“I do think Washington state will likely pass something this year….[They] has been very forward leaning in terms of a number of important privacy issues,” said Brill. “ She is equally optimistic about a Federal privacy law being passed in the next year. Finch agrees that Washington State will pass in the year, though “one year might be a bit aggressive” for the passage of a Federal privacy law, and believes two years is more likely.
Zanfir-Fortuna is equally optimistic about Washington State’s “version 3.0,” and says with regard to Federal law, “I do give it very high chances especially if you’re a timeline is three years.”
Interestingly, and perhaps most pragmatically, Forrester predicts “more bills at the state level which then increase that fragmentation issue that might [in turn create] urgency around the creation of a federal bill. That may be the way forward here.” Forrester is also more conservative regarding the likelihood of a federal bill anytime soon proffering that “serious conversation about what can happen in terms of a bill moving forward” is the most to hope for in 2021.
Daniel Solove is most definitive: “Will Congress pass a privacy law? I think that the answer is probably no.”
And a Privacy Shield 2.0?
“I do think we will have a replacement…a new framework between Europe and the United States within the next year…” says Microsoft’s Brill. Finch agrees and sees a new Privacy Shield agreement is likely “by the end of 2021.” Gabriela however is only “cautiously optimistic.”
Data Privacy, Competition, and Enforcement
Daniel Solove predicted that “given the dissents that [acting chair of the FTC Rebecca Slaughter] has issued from a number of cases last year…her views would take the FTC in some really interesting new directions. He noted that the FTC “hasn’t been aggressively innovative in its enforcement. I think that will change.” A view shared by Slaughter.
Solove, who is the John Marshall Harlan Research Professor of Law at the George Washington University Law School, had his prediction seconded by the FTC’s Slaughter herself less than 2-months later: “I believe the FTC must push antitrust law forward though bold agency action. That means prioritizing deterrence and using the full range of the FTC’s authority to stop unfair methods of competition,” (Matthews, 2021).
Big Tech (clearly in Slaughter’s sites) are increasingly perceived as at the confluence of data privacy and anti-trust. Their accumulation, use, and control of personal data as more than just the crossing of some “creepy line,” but a function of monopolistic behaviors and power: so-called data monopolies and the data industrial complex.
The confluence of data privacy and unfair competition is a view shared by Simon McDougall, Executive Director of the UK’s Information Commissioner’s Office (ICO) Technology and Innovation. And Simon foresees the continued coming together of Privacy and competition. “In the UK, we have the Digital Regulation Cooperation Forum. It’s a trilateral body between the ICO, UK Competition and Markets Authority, and the Communications Regulator. And we’re really delving into the synergies, and sometimes the tensions, between those different regimes,” says McDougall.
Perhaps the most notable privacy cum competition bellwether is the Facebook action commenced in 2016 “when the German competition authority, the Bundeskartellamt, announced it had launched a probe into Facebook over whether it had abused its market position and power by infringing EU data protection rules” (Jordan, 2021). Facebook’s appeal has just been deferred by the Düsseldorf court to the CJEU.
As Jordan notes, “The [Bundeskartellamt] case remains “fairly unique in Europe, with the approach of fusing tenets of both competition and privacy law into its proceedings and subsequent decision.”
This Will Be Huge
“I think the biggest development is the “brand-new data protection authority that is being set up right now in the state of California” says Cooley Vice-Chair, Cyber/Data/Privacy practice Travis LeBlanc. “That is going to be huge! I will note that that agency has rulemaking authority…enforcement authority…. And it could quite possibly [become] the most aggressive, the most active, the most effective enforcer of privacy in the United States.”
(When Travis made this prediction, Xavier Becerra, since confirmed as secretary of health and human services, was the California Attorney General and Democratic State Assemblyman Rob Bonta has been chosen by Governor Newsom as his replacement.)
These are just a few of the predictions bandied about during the wide-ranging conversations hosted by WireWheel in forums like the SPOKES Conference, and frequent webinars that bring together privacy professionals, thought leaders, regulators, NGOs, thinktanks, and senior executives from across jurisdictions and industries, brands and publishers, adtech, martech, privacy tech, and Big Tech.
These conversations have marked the changing consumer attitudes and consequent responses from businesses that are driving data privacy, its adoption, and influencing proposed regulation. They continue to track the trends that have evolved among forward-looking firms as they journey from compliance to privacy by design. From regulatory burden to competitive differentiator.
The professionals in the privacy community with backgrounds in law, ethics, government, technology, and business, are a diverse, thoughtful group of experts. We look forward to continuing the conversation.