Internet security continues to be a key concern for consumers and business, especially when it comes to data protection. While the best antivirus software will often have privacy settings to help consumers better control what information is shared with companies, businesses themselves have more regulations to face in the coming years.
The global privacy legislation landscape has shifted considerably during 2019, and 2020 is going to be another busy year from a data protection standpoint. In fact, the start of the new year (1 January 2020) will see the California Consumer Privacy Act (CCPA) enter into application.
On Friday, October 11, 2019, Xavier Becerra, the California Governor signed all five of the California Consumer Privacy Act amendments that were awaiting his signature as well as an amendment to California’s data breach law.
Attention is now being focused on draft regulations proposed by the California Attorney General. A period of public consultation, including several public hearings, will now take place up until 6 December 2019 and several proposals have already been tabled to make the legislation even stricter in 2020. This includes the Mactaggart ballot initiative, which proposes that a data protection authority be established in California to enforce the legislation on an ongoing basis.
About the author
Paul Brietbarth is the Director of EU Operations & Strategy at Nymity.
Focus on consumer rights
While CCPA legislation may not be an omnibus style law like the GDPR, it has been inspired by it, particularly around data subject rights. The primary focus of the CCPA relates to individual consumer rights; the right to request information, right of deletion, right to opt-out of data being sold and obligations on businesses to inform consumers and employees of what personal data of theirs will be collected and for what purpose – at the time of or before the collection takes place.
However, it is not only in America that the influence of the GDPR has been felt. Many other countries around the world are in the process of reviewing and discussing privacy legislation bills ahead of 2020.
This includes South Korea, which is updating its regulations with the hope to achieve adequacy in the coming year. The country’s current multiple data privacy laws could potentially be combined into one omnibus law that can be considered ‘essentially equivalent’ to the GDPR. Meanwhile in South America, the LGPD, Brazil’s first General Data Protection Law, will enter into force on 15 August 2020 and like the GDPR it is an omnibus law, covering many principles of data protection.
The most common aspect of GDPR being replicated globally is the guidance around data subject rights, data breaches and accountability requirements. More countries are implementing regulations to help with international data exchange, and we can expect to see more cases of legislation incorporating elements of GDPR in the coming year.
Another development we potentially may see in 2020 is progress around the European Union’s ePrivacy Regulation, which will replace the existing ePrivacy and Electronic Communications Directive 2002/58, that was implemented in the UK in 2003. The new law has been designed to work alongside the GDPR, taking on board the definitions of privacy and data and looking to enhance it around areas including cookies, unsolicited marketing and confidentiality for online privacy (something Linux distros for privacy are already developed to provide).
The latest discussions in the Council of Ministers suggest a move towards progress and headway being made in the ongoing negotiations. A joint government position on the draft legislation is looking hopeful, with a view to aligning the legislation with GDPR next year. That is, if agreement can be reached with the European Parliament, which seems to aim for much stricter rules than the government representatives.
Much of the progress follows the ruling made this last October by the Court of Justice of the European Union in relation to what has been labelled the Planet 49 case. This specifically looked at the need for explicit opt in consent when it comes to placing cookies on users’ devices when browsing online in relation to a case involving online gaming company Planet 49.
The company was taken to court in proceedings initiated by the German Federation of Consumer Organisations, a non-governmental consumer protection organisation, for its request to require people wishing to take part in an online lottery to consent to pre-ticked cookies to access the game. The Court confirmed in its ruling that pre-ticked forms for cookies do not constitute a free and informed consent and that consent provided in such a way thus is not valid.
While this is somewhat of a landmark ruling, we can certainly expect to see further similar cases around cookie laws in 2020, with many others, including on the legality of so-called cookie walls, still currently pending judgements.
In the meantime, consumers wanting to help protect their online presence are increasingly turning to browser plugins and even VPN software to anonymize their data.
Compliance is still lagging
On GDPR, the first full evaluation of the legislation and its impact is likely to be completed next year. It is unlike the European Commission will propose major changes to the law already, although it has been suggested minor changes related to data protection governance could be forthcoming. We can expect to see more enforcement from data protection authorities with many investigations still currently ongoing, although the challenge that many DPAs still face is that they are understaffed and under budget.
What is certain however is that we won’t see everyone becoming GDPR compliant in 2020. It’s still unfortunately the case that too many companies don’t want to invest in privacy or simply don’t give due care and consideration to achieving privacy compliance.
In the meantime, consumers can use free privacy software to try and protect their data.
Transfer of personal data
Going back to the Court of Justice of the European Union, another area undergoing review is the transfer of personal data to the United States, both using standard contractual clauses and under the EU-US Privacy Shield, a framework in place for regulating the exchanges of personal data for commercial use between companies in the EU and US.
A case (Schrems II) is currently pending with the Court to decide if either transfer mechanism offers sufficient and adequate safeguards to protect personal data originating in the EU, especially in light of the extensive US surveillance legislation. A decision is expected on this in February or March of next year. If the judgement states that things need to change it could have a big impact on international data flows, but it is too soon to tell on that currently.
Mobile users currently have various options for controlling their data. For example, there are privacy apps for Android which are proving increasingly popular in the Google Play store.
Legislating on the role of AI
Finally, another area that it will be interesting to monitor in 2020 is how the privacy legislation landscape is impacted by the new incoming president of the European Commission. One of the pledges of the new regime is to propose new legislation within the first 100 days of office as to how to deal with artificial intelligence. The impact of this in terms of the processing of personal data via AI technologies is something that will inevitably become a key discussion point in 2020.
Paul Brietbarth is the Director of EU Operations & Strategy at Nymity.