The rising wave of privacy regulations prompted by the GDPR is set to begin a new chapter in how personal data is handled. The details of each regulation may differ, but they all share a common goal: for customers to have ownership over their own data. As these new regulations come into force, businesses can either thrive in a post-GDPR world or get bogged down under the weight of it in 2019.
The major trends we see developing this year include:
The most obvious trend for 2019 is GDPR enforcement. Some enforcement began after the summer of 2018, but the first of many major investigations by DPAs will be concluded in the next couple of months (mostly before the one-year anniversary of the regulation) and sanctions will be imposed. It is not clear at this stage whether there will be massive fines immediately.
Shortly before Christmas, the Dutch DPA showed that imposing a processing ban is also an option that should be taken seriously as long as compliance is still a possibility. In the ramp-up to California’s CCPA and Brazil’s LGPD, smart multi-jurisdictional organizations are leveraging the hard work they put into the GDPR to also comply with these new laws.
The GDPR now fully applies across the EU. However, not all countries have met the deadline to ensure that the GDPR is fully embedded in national law. So far, 23 EU member states and 3 EEA (European Economic Area) countries have finalized their legislation accompanying the GDPR.
The GDPR, which came into force on May 25, 2018, was supposed to give users a free choice on whether or not they agree to data usage. In fact, the opposite feeling spread as a large number of “consent boxes” popped up online. On the first day of the GDPR, NOYB (None Of Your Business, a privacy advocacy group launched by Max Schrems) filed four complaints against Google (Android), Facebook, WhatsApp and Instagram. On 18 January 2019, NOYB filed eight further complaints related to the right of access, as provided by online streaming services.
Another series of major cases was brought forward by Privacy International, which on 8 November 2018 filed seven complaints against data brokers, ad-tech companies and credit reference agencies in France, Ireland and the UK for lack of transparent and lawful processing. It is argued that these companies collect vast amounts of data without a proper legal basis and without providing sufficient information to the individuals concerned.
European Commission Adequacy Decision and ePrivacy
The debates will continue on what adequacy means and what level of data protection is actually enough to obtain an adequacy decision from the European Commission.
The European Data Protection Authorities issued an opinion on the draft EU-Japan adequacy decision; its key objective was to assess whether the Commission has ensured that sufficient guarantees are in place for an adequate level of data protection for individuals under the Japanese framework.
The debate on Japan is ongoing, with the EDPB having recently said that the current deal is not good enough yet; meanwhile, negotiations with South Korea and Mexico have started. The EDPB considers the EU-Japan adequacy decision to be of high importance, as it is the first adequacy decision since the application of the GDPR and as such will set a precedent. In addition, it is the first adequacy decision with reciprocity, allowing Japan to judge the EU’s level of data protection too.
The ongoing reviews of existing adequacy decisions may also have an impact on this debate. Moreover, in the EU, the legislator needs to finalize the negotiations on the ePrivacy Regulation that accompanies the GDPR. It is doubtful that a final agreement can be reached before the European Parliament elections in May, which may mean we won’t see a final version of the ePR until at least the end of the year.
A Federal Privacy Law in the United States?
In the US, we will see a reinforced debate on the need for a federal privacy law, with various proposals already floating around. It is possible that we will see a draft that is acceptable to a majority in Congress. We do know from California that developments can happen very fast.
Some tech giants in the US are acting proactively to create a federal privacy law on their terms through lobby groups such as ITI. These lobbying efforts could eventually influence the creation of not only a US-based law but could also potentially impact regulations across the world. A federal US data privacy bill will differ from the GDPR in fundamental ways due to understandable differences between the two jurisdictions in terms of privacy and data protection.
LGPD and CCPA
The new laws in Brazil and California will be big triggers for companies to invest heavily in compliance. These two major new laws enter into force in 2020, and this means many companies will invest in compliance above the bare minimum required within a given jurisdiction if doing so avoids creating new compliance and accountability mechanisms.
Although the CCPA enters into application on January 1, 2020, organizations needed to be ready on January 1, 2019, so that they can comply with the 12-month look-back for consumer requests for data processing disclosure.
On August 15, 2020, Brazil’s general law on the protection of personal data will enter into force. Like the GDPR, the LGPD is an omnibus law, covering many principles of data protection.
Finally, 2019 will see more countries adopting privacy and data protection laws, especially in Asia and Africa. The number of signatories to the Council of Europe Convention 108+ will also increase, slowly making that Convention a real global minimum standard on data protection.