Privacy Law Update: May 17, 2021
There were no substantial legislative changes this week. Hope you enjoy the expanded newsworthy updates in their place.
The recent proposed rules over artificial intelligence (AI) in the European Union (EU) are a harbinger of things to come. Data privacy laws are becoming more complex and growing in number and relevance. So, businesses that seek to become—and stay—compliant must find a solution that can do more than just respond to current challenges. Take a look at upcoming trends when it comes to data privacy regulations and how to follow them.
Every effective PII protection effort addresses three critical imperatives—data discovery, access governance and risk mitigation. IT teams grappling with privacy mandates need to consider these factors across their unstructured and structured data contexts. And while regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) outline expectations for handling personally identifiable information (PII), they aren’t much help when it comes to the tactics you need to succeed. Let’s take a look at some effective strategies—and how they differ—across structured and unstructured data.
It can’t be a slogan for a company website but ignored in practice. Protecting the privacy of customers, clients, employees, and all others who are connected to the data under your control is a sound business practice—and a profitable one, too. To start, the creation of a data-privacy culture—which can happen only when data is properly secured and managed—is now a top priority of lawmakers. More than a dozen U.S. state governments are currently drafting, or are about to vote on, compliance legislation, building on a foundation of established regulations such as GDPR, HIPAA, PCI DSS, and Sarbanes-Oxley. Further, it is high on the list of expectations of consumers, who often don’t mind sharing their personal information for commercial purposes, as long as the organization that uses their data respects individual privacy.
When lockdowns swept across the globe as the Covid-19 pandemic spread, a massive boom in online shopping ensued as customers scrambled to buy their favorite products while staying safe. This tidal wave of e-commerce, a 44% increase from 2019 to 2020, created a mountain of data for marketers to leverage for future campaigns and target consumers. Against this backdrop, other tectonic shifts in the marketing landscape make it increasingly difficult to leverage that data. First, the EU’s General Data Protection Regulation, the California Consumer Privacy Act and other regional regulations limit how companies can leverage and move consumer data around the world.
Article 49 Derogations – Summary Table with Examples
The “Schrems II” case and subsequent recommendations by the European Data Protection Board show it is not straightforward for organizations in the European Economic Area to rely on “appropriate safeguards,” such as standard contractual clauses, to transfer personal data to third countries. Organizations may be inclined to look to the various derogations under Article 49 of the EU General Data Protection Regulation to see if these may provide alternative ways of transferring personal data. In January 2021, Thomas von Danwitz, the judge-rapporteur in the “Schrems II” case, also suggested the possibility of increased reliance on the Article 49 derogations, although readers should note von Danwitz’s comments were brief and given in a personal capacity.
Pending Privacy Legislation
No substantial changes in state or federal legislation