Privacy

2020 Privacy Wrap-Up for the European Union and the United States

Andy SoodekKatie Stevens
December 21, 2020
5 min read

In a year rife with setbacks around the globe, due in large part to the COVID-19 pandemic, November was a fairly busy month for the global advancement of data protection, which will bring real short- and long-term consequences for global organizations.   

Key Privacy Developments in the United States 

California Consumer Privacy Rights Act (CPRA) – California voters approved a consumer privacy ballot initiative that amends and expands the California Consumer Privacy Act (CCPA), effective January 1, 2023. The CPRA affords California residents significantly more control over their personal information, imposes heightened compliance obligations, and establishes a new enforcement agency dedicated to consumer privacy. Are you prepared for CPRA? Click here for more details.  

Consumer Financial Protection Bureau (CFPB) – The CFPB is a 21st century agency that helps consumer finance markets work by regularly identifying and addressing outdated, unnecessary, or unduly burdensome regulations, by making rules more effective, by consistently enforcing federal consumer financial law, and by empowering consumers to take more control over their economic lives. The election of Joe Biden will likely bring renewed vigor to the protection of consumer interests via a stronger CFPB policy in 2021, which should include an emphasis on enhancement of privacy rights in the financial services sector.  

Key Privacy Developments in the European Union 

While we have been busy in the U.S., the European Union’s leaders have been moving at light speed by comparison and raising the bar to boot.  These changes will most certainly impact global companies with EU interests almost immediately.   

Standard Contractual Clauses (SCCs) Updates – In response to the invalidation of the EU-U.S. Privacy Shield as the legal framework to enable data transfers to the U.S.The European Commission (EC) published two separate draft updates to the Standard Contractual Clauses (SCCs): 

  1. SCCs governing cross-border transfers of EU personal data to third countries; and 
  2. SCCs between controllers and processors located in the EU (implementing act), pursuant to Article 28.  

The proposed Cross-Border SCC updates align much more closely to data protection requirements defined in the EU General Data Protection Regulation (GDPR) than the current SCCs, which were last revised in 2010, and which were written to align to GDPR’s predecessor, the Data Protection Directive.  The new clauses anticipate more complex personal data processing relationships, including multiple parties who may be located around the globe. 

After a month-long public feedback period, the European Commission is expected to finalize the language and adopt the SCCs within the next few weeks. 

EU Cross-Border Data Transfers – The European Data Protection board (EDPB) issued its guidance on global data transfers; specifically “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.”  The EDPB’s intent is to provide a framework that controllers should use to assess privacy risks associated with business partners in third countries. The EDPB’s recommendations help define the appropriate supplementary measure(s) that may have to be implemented by either controllers or processors, to maintain a level of protection that is “essentially equivalent” to the European Economic Area (EEA). 

Data Governance Act – The European Parliament introduced a Proposal for a Regulation on European data governance. The Data Governance Act (DGA) is intended to “foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU.”  More specifically, the DGA seeks to address very specific situations: 

  • “Making public sector data available for re-use, in situations where such data is subject to rights of others. 
  • Sharing of data among businesses, against remuneration in any form. 
  • Allowing personal data to be used with the help of a ‘personal data-sharing intermediary’, designed to help individuals exercise their rights under the General Data Protection Regulation (GDPR). 
  • Allowing data use on altruistic grounds.” 

(Source: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on European data governance, (Data Governance Act),” Explanatory Memorandum, p. 1.) 

Critics of the DGA, such as the Center for Data Innovation, argue that implementation of the ‘data intermediaries’ requirement may be prohibitively costly for some American organizations, which may be an unstated objective of the rule.  Presumably, this requirement should be unnecessary, given the global enforcement reach of the GDPR, which should negate the need for a local presence.  

Digital Services Act – Finally, still expected to be introduced in December 2020 is the European Commission’s new EU Digital Services Act, which will replace the aging e-Commerce Directive (2000). The intent of the Digital Services Act will be to foster opportunity, competition, and innovation for EU organizations, who leverage digital services to facilitate trade with peers in EU member states as well as outside of the EEA. The Digital Services Act is expected to include provisions to preserve the security and privacy interests of EU citizens. 

A New EU-U.S. Agenda for Global Change 

To close out an already busy month, the European Commission (EC) and the EU’s High Representative for Foreign Policy have drafted a proposal for a renewed EU-U.S. partnership, entitled, “A New EU-U.S. Agenda for Global Change.”  The EC seeks to revitalize its strategic alliance, which has been challenged under the Trump administration. Its 11-page proposal seeks to base its mission around common global threats and objectives, which include: 

  • Combating China’s disruptive influence in global affairs;
  • Cooperation in the development of a COVID-19 vaccine and, hopefully, renewed support for the World Health Organization; and 
  • Mutual agreement on digital regulations, including approaches to enforce antitrust and data protection. 

The paper’s authors recognize the fundamental differences between EU and U.S. approaches to geopolitical concerns, and that leaders will have to work hard to achieve successful compromise, particularly given the disparity between EU and U.S. privacy regimes.   

How Protiviti can Help 

Our privacy consultants bring deep expertise in regulatory requirements and privacy strategy implementation.  We can support your business in a variety of privacy related efforts including:   

  • Privacy risk and maturity assessments against generally accepted privacy frameworks  
  • Compliance with regulatory obligations; assessing gaps and developing compliance roadmaps 
  • Guidance on strategy development and technical assistance in the implementation of security controls 
  • Independent assessments of privacy programs, including policies and procedures impacting data collection, minimization, and storage limitation  
  • Review of third-party and cross-border transfer documentation 
  • Development of record of processing activities, data inventories and data flows 
  • Legal support in response to consumer and internal requests for access to personal data 

 

To learn more about our privacy and compliance capabilities, contact us. 

Andy Soodek

Senior Manager
Technology Consulting - Security and Privacy

View all posts

Katie Stevens

Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More