Data Privacy Day in the Years to Come
• read
January 28 marked the annual Data Privacy Day. In recognition, WireWheel CEO Justin Antonipillai brought together a group of leading international privacy experts to discuss what changes they posit for both the near and long term.
The Acting Under Secretary, U.S. Department of Commerce, under the Obama administration, Justin was a central figure in the EU-US Privacy Shield negotiations to replace the Safe Harbor agreement when it was invalidated by the Schrems I decision.
Justin was joined by:
- Travis LeBlanc, the Cooley Vice-Chair, cyber/data/privacy practice, and member of the litigation department leadership team. Travis was selected by the U.S. Department of Commerce and the European Commission as an arbitrator for the EU-US Privacy Shield Framework in 2017 and in 2019 was unanimously confirmed to the Privacy and Civil Liberties Oversight Board by the U.S. Senate.
- UK’s Information Commissioner’s Office (ICO) Technology and Innovation Executive Director, Simon McDougall. Prior to his 2018 ICO appointment, Simon was Managing Director of risk management and regulatory compliance consulting firm Promontory, which was acquired by IBM (2016) where he founded and led a global privacy practice. And,
- Daniel Solove. The John Marshall Harlan Research Professor of Law at the George Washington University Law School. Daniel is the founder of TeachPrivacy, a company providing privacy and data security training. He is the author of more than fifty articles and has published ten books including EU Data Protection and the GDPR (Solove and Schwartz, 2021).
COVID and Competition
“I think we have achieved amazing things around the world,” says McDougall regarding our response to COVID-19. “What I’ve seen in the UK is barriers being broken which have stood for many years. Not regulatory barriers. Very often they’d have to do with culture [and] duties of confidentiality outside of data protection.
“I think one of the challenges of this year, will be to find ways to carry on using health data productively as the pandemic recedes and the public interest rebalances…I think that’s a really important debate because…we should be able to use health data better coming out of current crisis.”
Simon also foresees the continued coming together of Privacy and competition as “a really fascinating dynamic,” and a significant trend that will continue. “It was a very nascent debate in 2018, says McDougall.
We’re in a much more advanced state now, but it’s still a very vibrant discussion. In the UK, we have the Digital Regulation Cooperation Forum. It’s a trilateral body between the ICO, UK Competition and Markets Authority, and the Communications Regulator. And we’re really delving into the synergies, and sometimes the tensions, between those different regimes.
I think reconciling different aspects of data usage – who has access to data, how it is used to achieve market power…but also how it’s used for profiling and how sometimes it’s privacy intrusive. Reconciling that with large and small organizations is going to be critical.
—Simon McDougall
Competition, California, and Cyber
On the centrality of competition to the data privacy debates, Travis notes that when he was in the then California Attorney General Kamala Harris’ office “— before we decided to create the privacy unit — one of the units that I invited to that meeting was the antitrust division…we were really beginning to recognize that a lot of companies were competing over data, [and it] is even more apparent now than it was then.”
“I think the biggest development is the “brand-new data protection authority that is being set up right now in the state of California” says LeBlanc. “That is going to be huge. I will note that that agency has rulemaking authority…enforcement authority…. And it could quite possibly [become] the most aggressive, the most active, the most effective enforcer of privacy in the United States.
A factor that LeBlanc thinks has gone somewhat unnoticed is the impact of Congress overriding President Trump’s Defense Authorization Act veto: “It created a brand-new position in the White House called the National Cyber Director…
This person will have the ability to engage in diplomatic and other efforts to develop norms around responsible state behavior in cyberspace. They will also focus on the cyber posture of the United States government…. Why is this important to privacy? Because we are at a time in history, where we really have to think about the balance between national security, cyber security, surveillance, and privacy.”
—Travis Leblanc
The FTC, States That Are Not California, and Congress
“I think there’s some really interesting developments at the FTC” opines Solove. “We have a new acting chair, Rebecca Slaughter. I think that given the dissents that she has issued from a number of cases last year, her views would take the FTC in some really interesting new directions. In the last few years… [the FTC] hasn’t been aggressively innovative in its enforcement. I think that will change…”
Daniel also sees legislative action resuming at the state level on the near horizon:
There was a lot of activity after the original CCPA in 2019…and then in 2020 everything ground to a halt with COVID-19. I think now we’re going to start to see…states start spooling back up…I think that it’s worth watching, because we could see at the end of this year, a few other states join the legislative party.
Will Congress pass a privacy law? I think that the answer is probably no.
—Daniel Solove
Convergence and Consumers
Antonipillai sees a “convergence” in state-level privacy regulation predicting they will largely start mimicking the approach of California and we will ostensibly “have something that’s essentially getting equivalent to GDPR.”
“And I actually think as part of that, there’s a good chance that California could be adequate under GDPR. And you might have noticed under the law, you can self-certify under California, which would simplify a lot for all of those companies that are trying to get qualified.”
—Justin Antonipillai
It is the consumer that is going to drive change says Justin. “A lot of the movements I’m seeing are driven by companies wanting to do more and wanting to earn the consumer’s trust.” And in particular, “the larger enterprises are thinking more about the privacy user experience.”
“I think you’re going to see that drive in…the consent and preference management infrastructure, because to actually do what a consumer is asking from all the different channels: it takes a lot of infrastructure.
And “I agree completely with Travis,” concludes Justin. “When the regulators start pounding at it from the consumer view it starts moving things.”
onsonance, Concerns, and the CJEU
“The convergence point is especially interesting,” says Travis, “because it does feel like we’re at the cusp of a new wave of discussions as to what regulatory models work for data. I think…the 95 Directive in Europe was a pretty good blueprint for a lot of the world.
“California [is] a very interesting framework in itself” continues LeBlanc, “but you have other regulatory areas and other regulatory perimeters converging and collapsing onto privacy data protection. And that’s the other convergence.”
We’ve touched on privacy and competition. But I think the overlaps and tensions between online harms and content moderation are just as interesting.
We’re living in a world and suffering the consequences of hyper personalized content being delivered sometimes maliciously, sometimes by indifferent but ultimately unhelpful algorithms, and we’re trying to work out well, is this a privacy issue, is this not?
So, I think when we talk about convergence, and we look out over the next few years, yes, convergence in terms of traditional Data Protection Law and who adopts what model [of consent] is still critically important. But how it overlaps other regulatory regimes is going to be just as important.”
—Travis LeBlanc
“In 2019, I joined Allister [McTaggart, the privacy advocate who led the CCPA and CPRA initiatives,] in Las Vegas, and he announces that he was about to file the CPRA” says LeBlanc.
It was then that Travis floated the idea that California could be “deemed adequate” and he was roundly mocked for it recalls LeBlanc. “However, at that time, we didn’t have the Schrems II decision. [1]
“And the challenge that I face in trying to imagine a world in which California is deemed adequate, is it seems to fundamentally contradict the premises for the striking down a Privacy Shield:”
If the concerns were around section 702 of the Foreign Intelligence Surveillance Act.[2] If the concern is around Executive Order 12333. [3] If the concern is around the lack of redress rights for non-U.S. persons to challenge intelligence surveillance in the United States. If the concern is around the lack of an independent ombudsperson that can address complaints from European person. It is very hard for me to see how California is going to get around those concerns.”
—Travis Leblanc
Justin, is in complete agreement, noting that his prediction of a California-specific adequacy designation is premised on a “Privacy Shield 2” being agreed. But, even with the advent of a new Privacy Shield, what Travis still “struggles with is whether the ECJ or the CJEU will go along with whatever deal the European Commission signs off on…And so the question will be how do they negotiate that deal in a way that it can be sold to the court…”
Final Thoughts
From Simon McDougall:
“I think there’s going to be a lot of legislative change in the UK over the next few years…. And that’s partly a reflection of the fact, that digital regulation needs to catch up, because in the UK, Brexit has occupied so much legal bandwidth in terms of parliamentary time.…”
From Travis Leblanc:
“I think there were a lot of people that thought that when [Trump] left office, the debate over section 230, might end. I think it’s now beyond apparent that the debate is continuing…. I am going to posit the possibility that there may be room for a bipartisan agreement to exchange something on section 230 for data privacy legislation…”
From Dan Solove:
“I think we will start to see some movement on platform responsibility…. It’s not just 230 that deals with platform responsibility. The platform responsibility for items sold on the platform, or anything being done on the platform.
“Right now, there’s a very weird technology, digital exceptionalism, where various platforms, and anything on the internet operates with a different set of rules than everybody else. And I think when the world wakes up to this, as we are, realizing that maybe that’s not the best approach…I think we’re starting to see that movement.
And where that goes, I don’t know. But I think we’re going to start to see that coming down in the years to come.”
[1] In Schrems II, the IDP argued that the SCCs did not constitute an adequate level of protection of personal data, as they lacked safeguards against U.S. government surveillance and therefore violate Articles 7, 8, and 47 of the EU Charter of Fundamental Rights” (Jones Day, 2020).
[2] Section 702 of the Foreign Intelligence Surveillance Act (FISA) is a statute that authorizes the collection, use, and dissemination of electronic communications content stored by U.S. internet service providers (such as Google, Facebook, and Microsoft) or traveling across the internet’s “backbone” (with the compelled assistance of U.S. telecom providers such as AT&T and Verizon).
[3] Executive Order 12333 “United States intelligence activities,” was signed by President Regan in 1981.
Watch Data Privacy Day – A View to Next Year and Beyond Webinar Replay