PrivSec Report looks forward to the new year and what it could mean for the privacy and data protection worlds.
Here are the key topics and trends we expect to see in 2021:
Privacy culture for all, as public awareness grows
2020 has been defined by the global pandemic which has affected every part of the world, every sector, every business, and every individual. But 2020 has not only ushered in an unexpected lay grounding in epidemiology, it has also seen a continued growth in consumer awareness of privacy rights, both driven by and reflected in an explosion of privacy and data protection regulation across the globe, even as Covid-19 spread.
With the publicising of issues such as location and health-related data collection and the growing need for employers to handle health-related employee data, privacy has an assured place in the spotlight through to 2021.
Some, like Camilla Winlo, Director of Consultancy at data protection and privacy consultancy DQM GRC, believe that the combination of consumer awareness and regulation will turn a spotlight on data ethics as a driver for decision making in 2021.
“Organisations will explicitly link their corporate vision and values to their ethical position around privacy and data protection, and we will increasingly see data ethics and privacy as a theme within annual reports and internal communications,” says Winlo.
As the privacy landscape evolves, and DPOs and CPOs continue to feel the weight of the task ahead of them, next year could also see a developing realisation that security and privacy need to work hand-in-hand in this brave new world.
“That connectivity with data governance and security has been there in the more mature areas for a little while, and it’s now openly talked about,” says Victoria Guilloit, Partner at consultancy Privacy Culture. That could manifest, she suggests, with more CISOs and CPOs reporting into a Chief Data Officer, with the CPO retaining an alliance with legal and the CISO with IT. Wider adoption of this reporting structure could help balance the budget between the often under-resourced privacy department and the more established and better financed security team.
“I’d say it’s like we’re in like high school about just understanding that we need to have solid partnerships with our data governance partners, with our security teams – really understand that collaboration,” adds Heather Federman, VP of Privacy and Policy at BigID.
The privacy landscape will increase in complexity
Gartner predicts that 65% of people across the world will have their personal data protected by privacy regulations, compared to 10% in 2020. New data protection regimes are in the pipeline, for example in China, which in October published a first draft of its comprehensive Personal Information Protection Law (Draft PIPL), aiming to protect the personal data of residents of mainland China, and in Australia, which is currently consulting on changes to its privacy legislation.
India’s Personal Data Protection Bill, introduced in 2019, is currently pending consideration after being delayed by Covid-19, and has similarities with the GDPR, as well as crucial differences that some privacy commentators have concerns about.
“On the one hand, India is trying to make itself this new tech hub of the world, competing with China, and they have this draft bill. But on the other hand, there’s some really ambiguous and onerous provisions in that bill as well that go beyond what GDPR does and give the government much more authority over citizens’ data and companies’ data than I think others would like,” says Federman.
“That to me is probably the biggest one just because of how central a part India plays within the tech supply chain world,” she adds.
For companies operating internationally, the need to juggle multiple regulatory frameworks will continue into 2021 and beyond. Undoubtedly, the GDPR continues to cast a global shadow, influencing both emerging data protection frameworks and reasonably mature ones, such as the DIFC, which recently updated its 2007 law to be more aligned with the GDPR.
This ripple is likely to continue, and organisations subject to regimes like the GDPR or California’s CCPA may find it expedient to roll out those protections even outside the jurisdictions covered by those laws.
In the US, for example, without a federal privacy law at present, Sheryl Falk, Partner and co-leader of Winston & Strawn’s Global Privacy and Data Security practice, says:
“I predict that more and more companies will consider expanding data privacy rights beyond the required jurisdictions (California, Nevada, and the EU) in order to streamline data privacy rights requests and to be seen as good corporate citizens.”
The debate over a federal privacy law in the US will rumble on
Whether or not the US will exchange (or supplement) its patchwork of state and sector-level privacy and data protection regulations for a comprehensive federal law remains anyone’s guess.
Falk is optimistic: “I predict that in 2021, we may finally see the long-awaited federal privacy law, which would address how companies handle consumer data. The political will and momentum from a change in administration increases the likelihood of passage,” she says.
“This new law would likely follow the California model focusing on transparency and consumer rights (as opposed to the European framework).”
Federman, on the other hand, is “deeply cynical” about the federal wrangle being solved in 2021.
With uncertainty lingering into January over control of the Senate, the lack of a bipartisan consensus on the nature of any federal legislation – largely over federal pre-emption and private right of action – is likely to persist, at least in the short term. That’s not to say, however, that legislation won’t continue to proliferate at the state level next year, as other states catch up not only with California’s trailblazing CCPA, but its newly passed California Consumer Privacy Rights Act, set to come into enforcement in 2023.
With questions of technology regulation – both in terms of competition and the responsibility of social media companies over content published on their platforms – still in the headlines, the new administration’s stance on tech will be key next year. Certainly Vice-President-Elect Kamala Harris has expressed interest in privacy in the past – “she was one of the first public officials I’ve ever seen tweet about a privacy issue”, says Federman – having created a Privacy Enforcement and Protection Unit in the Department of Justice focused on protecting consumer and individual privacy through civil prosecution of state and federal privacy laws as Attorney General of California, back in 2012.
“Protecting the privacy of Californians is one of Attorney General Harris’s top priorities”, said the news release at the time.
Whether Biden will build on Obama’s openness towards privacy measures – for example his 2012 Consumer Privacy Bill of Rights – could become clearer next year.
With support on both sides of the political divide and among the business community itself, hopes are high for future US federal legislation – but when? For now, data privacy consultant Debbie Reynolds is modest in her immediate wishlist:
“The thing that I wish would happen, because I think it’s like the lowest hanging fruit you could possibly have, is that all 50 states have data breach notification laws, and they’re different in every state. If they could come up with the law where it harmonises that across a federal level, I’ll be super happy – that would be the first step, maybe that could be a foundation to other things.”
Uncertainty over international data transfers will persist
Ambiguity over international data transfers has dogged 2020. July saw the Court of Justice of the European Union (CJEU) strike down the Privacy Shield, which previously allowed data transfers between the EU and the US, in part over CJEU concerns about access to data by US surveillance mechanisms.
Solving the Privacy Shield issue could be a pressure point for the incoming US administration, not least because of the importance of data transfers to frustrated US and global businesses.
But it is not just those transacting with the US that will be following the regulatory fall-out of the Schrems II decision into 2021.
October 2020 saw the same court rule that EU privacy law applies to national security rules requiring companies to collect and retain general and indiscriminate bulk communications data and share it with security agencies – with implications for the acquisition and use of communications data by the UK’s Security and Intelligence Agencies. The ruling could have significant implications for the UK’s bid for an adequacy decision under the GDPR when the post-Brexit transition period ends on 1 January.
Standard Contractual Clauses remain valid for data transfers between the EU and so-called “third countries” (like the US and potentially the UK) under the Schrems II decision, although those wishing to transfer personal data must apply a case-by-case risk analysis to assess the suitability of the recipient country’s data protection regime and practice, placing pressure on businesses and regulators. Where shortfalls are identified, supplementary measures may be applied, and the European Data Protection Board (EDPB) is consulting on guidance for data exporters to establish what measures are necessary and effective, such as encryption and pseudonymisation. The EDPB has also set out “European Essential Guarantees” for determining whether third country laws allowing access to data for the purposes of surveillance constitute a “justifiable interference” with privacy and personal data protections.
According to Guilloit, however, many people seeking to navigate Brexit in early 2021 “don’t feel as if that [supplementary measures] guidance is hugely helpful… people are waiting for a precedent as well.”
The feedback period has also just closed on new (and more comprehensive) draft SCCs published by the EU. These are expected to be finalised in Q1 and could bring more clarity. However, Peter Crowther, Managing Partner at Winston & Strawn, and Lisa Hatfield, Associate Attorney, say: “At least at present, a one-year transition period is envisaged within which the existing SCCs may be used in existing unchanged contracts, but it is expected after this period that all business will use the new clauses. This will inevitably cause disruption for businesses which rely on the current versions. Businesses should start to consider this process as soon as possible, not least because the new drafts include various warranties and obligations about third country laws which might affect compliance (following the Schrems decision).”
Amid the uncertainty, data localisation may increasingly rear its head in 2021.
“I expect organisations will think much harder about the reasons why they transfer data outside of its originating country. The perceived risk associated with such transfers is increasing, and the steps necessary to permit such transfers mean that many processes simply won’t work in their current format anymore,” says Camilla Winlo, at DQM GRC.
Winlo adds that some cross-border transfers may be prevented by supervisory authorities.
She says: “This makes international transfers a business continuity issue – and one that is solved by designing localised alternative processes. Once these localised processes have been finalised, it will become more difficult to justify the continuation of data transfers. Hence, I expect to see an increasing move to localise data processing.”
Data professionals will need to have mapped out where their data actually is, be on top of local laws, and be fully across their contracts. But they will also want to consider whether international transfers are truly necessary.
Nevertheless, organisations should also apply a degree of calm and pragmatism in the current climate, says Guilloit: “Regulators are typically massively underfunded and under-resourced.” Given the context of the pandemic, she anticipates limited capacity for a huge regulatory push that could damage businesses as they seek to keep data flowing across borders in early 2021.
“I think there’ll be a massive pushback by governments protecting businesses if that happens, saying, come on, we’re just recovering from Covid, what are you doing?”
She adds: “I think we might have got a reprieve from Schrems because of Covid.”
A maturing understanding of the potential for automation among privacy professionals
2020 has not seen an eradication of poor data hygiene, nor the risks associated with unstructured, unclassified, aged and poorly understood gobbets of data lurking on company devices and servers, alongside a lack of standardised processes for processing data across industries. With Covid-19 driving masses of staff into remote working, the difficulties of data tracking have intensified as use of home networks and BYOD have increased.
Many organisations are still grappling with the development of a (manual or automated) data inventory, and companies face a proliferating choice of solutions for automating the process through data discovery and management.
Federman, at New York-headquartered company BigID, which uses advanced machine learning and identity intelligence to discover and map data, believes the privacy market is at the “infancy” of automation.
Guilloit says that the use of automation in the privacy space is less evolved than it could be, and that much of the debate centres on the ethics of using tech in this way.
“On the security side, it’s been there for so long – it’s a bit of an in-joke in the industry, just buy another box of flashing lights and throw it at it, whereas on the privacy side that generally at the moment hasn’t happened,” she says.
“There’s a lot of talk about automation in privacy. There’s a lot of talk about AI and machine learning, and the pros and cons of that… It can’t stop going in that direction, they’re not going to stop developing. But, I think typically the people in the privacy space will question whether or not it’s right to do it. I think that’s the difference.”
We are unlikely to reach consensus over the use of encryption
October saw the release of a statement from the United States Department of Justice, undersigned by representatives from the US, UK, Australia, New Zealand, Canada, India and Japan, arguing that end-to-end encryption technology poses challenges to public safety, including to highly vulnerable members of society such as sexually exploited children.
The statement called for law enforcement to be allowed to access content in “a readable and usable format where an authorisation is lawfully issued, is necessary and proportionate”, and to consult with governments to facilitate legal access.
As of 21 December, the European Electronic Communications Code (EECC) removes the explicit legal basis for Over-The-Top (OTT) companies to voluntarily scan online material for child sexual abuse unless national law allows them to do so, although a temporary proposal allows voluntary detection of child sexual abuse to continue until 2025.
In a December 2020 report, the UK Children’s Commissioner, Anne Longfield, said that end-to-end encryption of electronic communications should not apply to children’s accounts with tech companies such as Facebook Messenger. She warned the government to be wary of big tech’s intentions around encryption, stating social media firms may be using encryption in a “cynical” attempt to “side-step sanctions and litigation”.
But privacy campaigners, such as the Electronic Frontier Foundation, are opposed to any attempts, EU or US-based, to weaken encryption.
“The problem is the solution – that they want to weaken encryption for everybody,” says consultant Debbie Reynolds.
“They want to be given a key so they can unlock the contents of X person’s data. But what they’re asking for really is to create a vulnerability so they can unlock everybody’s data. Once they create their vulnerability, that vulnerability is everywhere.”
Any inroads into a softening of end-to-end encryption in 2021 will likely generate vigorous debate between big tech players, regulators and privacy campaigners – not to mention potential complexity over European supplementary SCC measures to enable international data transfers.