In a year rife with setbacks around the globe, due in large part to the COVID-19 pandemic, November was a fairly busy month for the global advancement of data protection, which will bring real short- and long-term consequences for global organizations.
Key Privacy Developments in the United States
California Consumer Privacy Rights Act (CPRA) – California voters approved a consumer privacy ballot initiative that amends and expands the California Consumer Privacy Act (CCPA), effective January 1, 2023. The CPRA affords California residents significantly more control over their personal information, imposes heightened compliance obligations, and establishes a new enforcement agency dedicated to consumer privacy. Are you prepared for CPRA?
Consumer Financial Protection Bureau (CFPB) – The CFPB is a 21st-century agency that helps consumer finance markets work by regularly identifying and addressing outdated, unnecessary, or unduly burdensome regulations, by making rules more effective, by consistently enforcing federal consumer financial law, and by empowering consumers to take more control over their economic lives. The election of Joe Biden will likely bring renewed vigor to the protection of consumer interests via a stronger CFPB policy in 2021, which should include an emphasis on enhancement of privacy rights in the financial services sector.
Key Privacy Developments in the European Union
While we have been busy in the U.S., the European Union’s leaders have been moving at light speed by comparison and raising the bar to boot. These changes will most certainly impact global companies with EU interests almost immediately.
Standard Contractual Clauses (SCCs) Updates – In response to the invalidation of the EU-U.S. Privacy Shield as the legal framework enabling data transfers to the U.S., the European Commission (EC) published two separate draft updates to the Standard Contractual Clauses (SCCs):
- SCCs governing cross-border transfers of EU personal data to third countries; and
- SCCs between controllers and processors located in the EU (implementing act), pursuant to Article 28.
The proposed Cross-Border SCC updates align much more closely to data protection requirements defined in the EU General Data Protection Regulation (GDPR) than the current SCCs, which were last revised in 2010, and which were written to align to GDPR’s predecessor, the Data Protection Directive. The new clauses anticipate more complex personal data processing relationships, including multiple parties who may be located around the globe.
After a month-long public feedback period, the European Commission is expected to finalize the language and adopt the SCCs within the next few weeks.
EU Cross-Border Data Transfers – The European Data Protection Board (EDPB) issued its guidance on global data transfers, specifically “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.” The EDPB’s intent is to provide a framework that controllers should use to assess privacy risks associated with business partners in third countries. The EDPB’s recommendations help define the appropriate supplementary measure(s) that may have to be implemented by either controllers or processors to maintain a level of protection that is “essentially equivalent” to that of the European Economic Area (EEA).
Data Governance Act – The European Parliament introduced a Proposal for a Regulation on European data governance. The Data Governance Act (DGA) is intended to “foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU.” More specifically, the DGA seeks to address very specific situations:
- “Making public sector data available for re-use, in situations where such data is subject to rights of others.
- Sharing of data among businesses, against remuneration in any form.
- Allowing personal data to be used with the help of a ‘personal data-sharing intermediary’, designed to help individuals exercise their rights under the General Data Protection Regulation (GDPR).
- Allowing data use on altruistic grounds.”
(Source: “Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act),” Explanatory Memorandum, p. 1.)
Critics of the DGA, such as the Center for Data Innovation, argue that implementation of the ‘data intermediaries’ requirement may be prohibitively costly for some American organizations, which may be an unstated objective of the rule. Presumably, this requirement should be unnecessary, given the global enforcement reach of the GDPR, which should negate the need for a local presence.
Digital Services Act – Finally, still expected to be introduced in December 2020 is the European Commission’s new EU Digital Services Act, which will replace the aging e-Commerce Directive (2000). The intent of the Digital Services Act is to foster opportunity, competition, and innovation for EU organizations that leverage digital services to facilitate trade with peers in EU member states as well as outside of the EEA. The Digital Services Act is expected to include provisions to preserve the security and privacy interests of EU citizens.
A New EU-U.S. Agenda for Global Change
To close out an already busy month, the European Commission (EC) and the EU’s High Representative for Foreign Policy have drafted a proposal for a renewed EU-U.S. partnership, entitled “A New EU-U.S. Agenda for Global Change.” The EC seeks to revitalize its strategic alliance, which has been challenged under the Trump administration. Its 11-page proposal seeks to base its mission around common global threats and objectives, which include:
- Combating China’s disruptive influence in global affairs;
- Cooperation in the development of a COVID-19 vaccine and, hopefully, renewed support for the World Health Organization; and
- Mutual agreement on digital regulations, including approaches to enforce antitrust and data protection.
The paper’s authors recognize the fundamental differences between EU and U.S. approaches to geopolitical concerns, and that leaders will have to work hard to achieve successful compromise, particularly given the disparity between EU and U.S. privacy regimes.
How Protiviti Can Help
Our privacy consultants bring deep expertise in regulatory requirements and privacy strategy implementation. We can support your business in a variety of privacy-related efforts, including:
- Privacy risk and maturity assessments against generally accepted privacy frameworks
- Compliance with regulatory obligations; assessing gaps and developing compliance roadmaps
- Guidance on strategy development and technical assistance in the implementation of security controls
- Independent assessments of privacy programs, including policies and procedures impacting data collection, minimization, and storage limitation
- Review of third-party and cross-border transfer documentation
- Development of record of processing activities, data inventories and data flows
- Legal support in response to consumer and internal requests for access to personal data
To learn more about our privacy and compliance capabilities, contact us.