This two-part series takes a detailed look at what’s ahead this year in data privacy, including trends around the world and what next steps should be taken to stay ahead of the ever-changing privacy landscape.
Data, often called the “oil of the digital world,” is now considered the most important asset and the lifeblood of today’s digital economy. We are creating more of it every year, and we rely on digital technology more than ever to run our businesses. With each passing year, the magnitude and cost of data breaches exceed those of the year before, leading to a shift in how consumers view their data and how they expect it to be secured. In 2019 alone, breaches soared, with billions of consumer accounts exposed. As a result, we have seen an increasing number of data privacy regulations, with many more in the pipeline. Companies are expected to have the right safeguards in place for the data they collect, process and share in order to earn consumer and employee trust in data security.
With this context in mind, we share the top data privacy trends affecting businesses, both domestically and across the globe.
Several data privacy laws on the way
The GDPR inspired the movement. Following the record penalties for Google and Marriott Hotel Group under the European Union’s General Data Protection Regulation (GDPR) (enacted in May 2019), California enacted the groundbreaking California Consumer Privacy Act (CCPA) in January. Similar to the GDPR, this state statute gives California residents data privacy rights covering access to, deletion of, and sharing or selling of personal information collected by businesses. Further regulations are on the way, both internationally and domestically. So, what exactly do businesses and consumers need to be prepared for?
- Businesses need to be on the lookout for any relevant global, federal and state privacy or data protection laws in the pipeline and any rapidly evolving developments to those laws
- Businesses must quickly establish and maintain consumer and employee trust that they are doing the right thing with information they collect
- Businesses need to recognize that regulators and law enforcement are now enforcing data privacy requirements more than ever
On the global horizon we see:
Brazilian General Data Protection Law (LGPD) – This law is heavily inspired by the GDPR, is expected to take effect on August 15, 2020 and will be the largest data privacy law in Latin America. The LGPD is intended to replace fragmented legislation to create a unified law.
India – The long-awaited Personal Data Protection Bill, 2019 was introduced to the Indian Parliament in December 2019 and is currently being reviewed by a Joint Parliamentary Committee. We will likely see this bill progress through the Indian legislative process in 2020.
China – A Personal Information Protection Law and a Data Security Law have now been included in the legislative planning of the Standing Committee of the National People’s Congress (NPC) of the People’s Republic of China. The laws go through several rounds of drafts before finalized versions can emerge.
Others joining the global data privacy rush:
Indonesia – Indonesia is prioritizing the bill for the Personal Data Protection Act in its 2020 National Legislative Program, which is part of the Government’s data sovereignty roadmap.
Sri Lanka – Sri Lanka released the final draft of the Framework for the Proposed Personal Data Protection Bill in September 2019, which, when ratified, will be implemented within three years from the date it is certified.
Other countries such as Japan, Malaysia, Hong Kong, Australia and more have rushed to make amendments to their existing privacy laws.
Privacy regulations in the U.S. are at an all-time high
From a business standpoint, it would be easier if there were a single federal statute like the EU GDPR. For now, however, businesses will need to be aware of differing state privacy laws, along with several data breach and biometrics laws that may also apply. The approach we often recommend is to use the most comprehensive privacy law (likely the GDPR or CCPA, whichever fits) as the basis for a privacy program and its governance, and then to layer in state variances as they are enacted.
Across the U.S., the patchwork of privacy bills is only getting more convoluted. In 2019, a number of proposed state privacy laws in Nevada, New York, New Mexico and Hawaii failed to move out of their house of origination. This effectively ends their entry into the 2020 legislative session.
In summary, 25 states, including Puerto Rico, have considered legislation on various aspects of consumer data, and all 50 states have their own laws about data breaches impacting personal information. This complex privacy landscape places an enormous burden on businesses that must navigate these laws.