If you feel like every day you wake up to a new data privacy law or piece of guidance, you’re not dreaming. Regulation and rulemaking are happening faster than ever before. The complexities relating to ethical data usage are profound, especially in the emerging era of artificial intelligence (AI) and cyber-terrorism concerns.
Data privacy no longer simply refers to keeping data about an identifiable person secured. It extends to national security issues, deepfake media unfairly endangering reputations, and corporate databases broken wide open through misuse of biometric data.
Being a compliance, ethics, risk, or data privacy officer is challenging in this environment. So much has changed in the law, and so much more is going to change in the upcoming year. Let’s look at where we are, emerging issues, what to do now, and our predictions for 2024.
Where we are now
Every part of the globe is now interested in data privacy, but some places are more focused than others.
Europe and the General Data Protection Regulation
Europe is ground zero for data privacy regulation. It was the first place to put a consistent, European Union-wide standard in place for data privacy, first with the 1995 Data Protection Directive, and later with the General Data Protection Regulation (GDPR), adopted in 2016 and applicable since May 2018. Much has happened since the heralded law came into force.
The regulators have been highly focused on technology companies, with nine of the top ten fines being levied on social media and internet search companies. Enforcement is likely to continue at pace.
When the Brexit transition period ended at the close of 2020, the United Kingdom retained the GDPR in domestic law as the U.K. GDPR, which is substantially similar to the European GDPR. This is unsurprising, as it is critically important for the U.K. to keep the EU's adequacy decision in its favor, which lets personal data flow from the EU to the U.K. without additional safeguards such as standard contractual clauses.
U.K. politicians have talked about making the U.K. more data-processing friendly to try to make it a more popular place for technology development and deployment. Thus far, little has actually diverged from the EU's version of the GDPR.
United States federal law
Much ink has been spilled over the years in hopes of a federal data privacy law. Last year, this publication focused on the bipartisan efforts in the U.S. Congress to agree on a federal data privacy law, but sadly, those hopes were dashed. There is currently no U.S.-wide law, nor do we anticipate one coming into force in 2024.
US State law
Where the federal government has lagged, individual states have sprinted. California has been at the forefront of data privacy legislation ever since the California Consumer Privacy Act (CCPA) came into force in 2020. Unsatisfied that it went far enough, California voters approved the California Privacy Rights Act (CPRA), which amends the CCPA using a GDPR-like framework.
California also created a brand-new regulator, the California Privacy Protection Agency. Although new, the agency has signaled a desire to be an aggressive protector of consumer and employee rights. Commentators have noted that it is reading personal data extremely broadly, arguably more broadly than the GDPR or the EU's proposed Artificial Intelligence Act.
A total of 11 states have now passed data privacy-related legislation, and many more are in the legislative pipeline. Unhelpfully, each is a bit different in application and requirements.
Data localization requirements
Data is a global currency, and some countries want to keep their citizens' data squarely under their control. Amendments to Russia's personal data law that took effect in 2022 added new rules for personal data processing and cross-border data transfer. They impose mandatory requirements on data controllers and processors, including a new requirement to notify the regulator of data breaches.
China has become a hotspot for data privacy practitioners. China's Personal Information Protection Law (PIPL) includes a number of challenging provisions, including some data localization requirements. Additionally, transferring personal information overseas requires one of the PIPL's approved mechanisms, such as a government-run security assessment.
Many exciting developments are on the horizon for 2024.
The US Adequacy Decision and Schrems III
In July, the data privacy world was jolted with the exciting news that the European Commission determined the United States had adequate protections for data transferred out of the European Union. President Biden signed the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities in October 2022 with an aim to meet the requirements of the EU for a positive adequacy decision. He was successful.
The adequacy decision allows companies in the U.S. to self-certify with the Department of Commerce under the EU-U.S. Data Privacy Framework Program. In exchange for committing to the framework's principles, certified companies can now receive personal data from the EU without additional transfer safeguards.
As exciting as this development is, litigation is brewing with a favorite character in the data privacy universe, Max Schrems. Through his organization, NOYB, Schrems has successfully challenged two previous U.S./EU transfer schemes at the Court of Justice of the European Union: Safe Harbor (Schrems I, 2015) and Privacy Shield (Schrems II, 2020). Schrems will undoubtedly challenge the legitimacy of the new U.S./EU transfer agreement on the grounds that the U.S. continues to practice unreasonable surveillance against EU citizens.
It will likely take several years for the EU Court of Justice to rule on Schrems’ next suit. In the meantime, the data firehose is flowing at full speed across the pond.
Artificial Intelligence regulation
With great power comes great responsibility, and AI holds tremendous power. The world’s governments have noticed, and they are trying to respond by regulating an ever-changing landscape that seems impossible to control.
The European Union is in the process of passing the Artificial Intelligence Act. This Act will be the first large-scale framework for the use of artificial intelligence. In June, the European Parliament adopted its negotiating position. Commentators expect the final version of the Act to be passed by the EU relatively quickly, with most obligations enforceable by 2026.
The U.S. government held a Congressional hearing with thought leaders including the chief executive of OpenAI (the company behind ChatGPT), who implored Congress to put regulations in place for AI. Right now, Senators and members of the House of Representatives are trying to come up with legislation to manage an industry few of them understand.
Meanwhile, the states fill in some of the gaps. California and Illinois are leading the way in regulating AI in employment. Illinois' Biometric Information Privacy Act (BIPA), on the books since 2008, requires a whole host of disclosures and consents, including a publicly available written policy that establishes a retention schedule and destruction guidelines for biometric information.
We anticipate more AI regulation, especially when it comes to the use of personal data.
More data localization requirements
As cyber-attacks escalate and sanctions regimes become more common and stringent, more data localization laws are likely. While the feasibility and success of these efforts are questionable, it is politically popular in many jurisdictions to try to localize data so it isn’t vulnerable to bad actors in other parts of the world.
What to do now
Although there are many differences between current and upcoming regulations, the principles underlying data privacy laws are nearly universal. These include obtaining individuals' consent for the use of their data, using the data in a way the individual would anticipate, allowing individuals to correct and delete their data, and giving individuals a say (consent or opt-out, depending on the jurisdiction) over the sale of their personal data to third parties.
Implement a principles-based approach to data use
Given the complexity of the laws, a principles-based approach is likely to be successful for compliance with most data protection laws. Look to the seven principles underlying the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. They are an excellent place to start.
Complete data inventory and data mapping exercises
Work with the Information Technology department and assist them in completing a data inventory and data mapping exercise. A data inventory catalogues every category of personal information the company uses, system by system. The inventory should then be used to create maps showing how personal data flows from the company into and out of various third-party systems.
A good data map is critical if your company receives a subject or consumer access request from an individual who wants to know what personal data the company holds about them and how the company is processing and sharing it. Laws require a speedy turnaround (one month under the GDPR and 45 days under the CCPA, each extendable only in limited circumstances), so complete the data inventory and map as soon as possible.
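Once the inventory and the flow map exist in a structured form, answering an access request becomes a lookup rather than a scramble. The following Python sketch is an added illustration, not tooling from the article or its authors: the systems, vendors, data categories and flows are constructed for the example. It follows each category of personal data from the systems that hold it through every onward transfer, lists the third parties that end up with it, and flags flows that claim to transfer a category the source system does not actually hold, which is the most common way an inventory and a map drift apart.

```python
from collections import deque

# Data inventory: personal data categories held, by internal system.
# Constructed sample data for this example (not a real company's inventory).
INVENTORY = {
    "crm": {"name", "email", "purchase_history"},
    "hr_system": {"name", "home_address", "salary", "biometric_template"},
    "analytics": {"email", "device_id"},
}

# Data flow map: (source, destination, categories transferred, purpose).
# Destinations prefixed "vendor:" are third parties outside the company.
FLOWS = [
    ("crm", "analytics", {"email"}, "product analytics"),
    ("crm", "vendor:mailer", {"name", "email"}, "marketing mail"),
    ("hr_system", "vendor:payroll", {"name", "salary"}, "payroll processing"),
    ("hr_system", "vendor:badge_access", {"biometric_template"}, "building access"),
    # Deliberate inconsistency: nothing ever gives analytics a home_address.
    ("analytics", "vendor:ad_network", {"device_id", "home_address"}, "advertising"),
]


def recipients(category):
    """Every system or third party that ends up holding `category`, mapped to
    the chain of hops that carried it there (the first hop is a holding system).
    Breadth-first walk over FLOWS, following only edges that carry `category`."""
    reached = {}
    queue = deque()
    for system in sorted(INVENTORY):
        if category in INVENTORY[system]:
            reached[system] = (system,)
            queue.append(system)
    while queue:
        node = queue.popleft()
        for src, dst, cats, _purpose in FLOWS:
            if src == node and category in cats and dst not in reached:
                reached[dst] = reached[node] + (dst,)
                queue.append(dst)
    return reached


def is_third_party(name):
    return name.startswith("vendor:")


def access_request_report(categories):
    """For a subject access request: who holds each requested category.
    Returns {category: sorted list of holders, internal and external}."""
    return {c: sorted(recipients(c)) for c in categories}


def third_parties(category):
    """Third parties that have received `category` from the company."""
    return sorted(n for n in recipients(category) if is_third_party(n))


def unexplained_flows():
    """Flows that transfer a category the source neither holds in the inventory
    nor receives from an upstream flow. Each hit means the inventory and the map
    disagree, so one of them is wrong and needs to be fixed before relying on it."""
    problems = []
    for src, dst, cats, _purpose in FLOWS:
        for category in sorted(cats):
            if src not in recipients(category):
                problems.append((src, dst, category))
    return problems


if __name__ == "__main__":
    for category, holders in access_request_report(["email", "salary"]).items():
        print(category, "->", holders)
    for dst, path in recipients("biometric_template").items():
        print("biometric_template reaches", dst, "via", " -> ".join(path))
    print("third parties with salary:", third_parties("salary"))
    print("inventory/map mismatches:", unexplained_flows())
```

The same walk serves two purposes: the access-request report tells the requester which internal systems and vendors hold each category, and the consistency check tells the privacy office which part of the map cannot be trusted yet. In practice the inventory and flow tables would be exported from whatever tooling IT already uses; the traversal does not change.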
Review and update contracts
If your company transfers data to third parties (and it almost certainly does), review the contracts to ensure they contain proper data breach notification and data security requirements; under the GDPR, contracts with processors must also include the mandatory terms set out in Article 28. Keep the language broad so it expands to meet new legal requirements as they come into force.
Get it on the table
There's nothing like a real-life experience to help leaders realize how badly things can go wrong. Many companies perform annual or semi-annual data breach simulations (often referred to as tabletop exercises) to help functions and leaders practice their response to a crisis.
Ask your IT group to include a personal data breach in their next tabletop exercise. This will help focus attention on the importance of personal data protection, especially from an employee and customer perspective.
Find a reliable source for updates on proposed and existing laws, as well as enforcement actions, and review those materials and alerts frequently. Whether it is a law firm, a consulting group, an industry trade association mailing, or a news alert service, find a way to consistently learn of legal, regulatory, and enforcement updates so you're up to date on the latest requirements.
The only constant is change
Benjamin Franklin said that nothing is certain in life except death and taxes. Change should be added to that list. The use of personal data will continue to evolve faster than ever. It’s up to compliance, ethics, risk, and privacy officers to hold the line to make sure that, whatever the clever new use of personal data, it meets all current and likely future requirements.
GDPR enforcement will continue, bringing higher and higher fines. Schrems will challenge the U.S. Data Privacy Framework Program at the EU Court of Justice, and AI regulation with respect to employees and consumers will keep coming.
Top 10 Trends in Risk & Compliance
For many more insights and guidance, download the full eBook and access the accompanying webinar featuring analysis and expert insights from Carrie Penman and Kristy Grant-Hart.