2020 Privacy Wrap-Up for the European Union and the United States

In a year rife with setbacks around the globe, due in large part to the COVID-19 pandemic, November 2020 was nonetheless a busy month for the advancement of data protection, and the developments summarized below will bring real short- and long-term consequences for global organizations.

Key Privacy Developments in the United States 

California Privacy Rights Act (CPRA) – California voters approved Proposition 24, a consumer privacy ballot initiative that amends and expands the California Consumer Privacy Act (CCPA); most of its provisions take effect January 1, 2023. The CPRA affords California residents significantly more control over their personal information, imposes heightened compliance obligations on businesses, and establishes a new enforcement agency dedicated to consumer privacy. Are you prepared for CPRA?

Consumer Financial Protection Bureau (CFPB) – The CFPB describes itself as a 21st century agency that helps consumer finance markets work by regularly identifying and addressing outdated, unnecessary, or unduly burdensome regulations, by making rules more effective, by consistently enforcing federal consumer financial law, and by empowering consumers to take more control over their economic lives. The election of Joe Biden will likely bring renewed vigor to the protection of consumer interests through a stronger CFPB in 2021, including an emphasis on enhancing privacy rights in the financial services sector.

Key Privacy Developments in the European Union 

While the U.S. has been busy, the European Union's institutions have been moving at light speed by comparison, and raising the bar to boot. These changes will almost immediately affect global companies with EU interests.

Standard Contractual Clauses (SCCs) Updates – In response to the Court of Justice of the European Union's invalidation, in its Schrems II judgment, of the EU-U.S. Privacy Shield as a legal framework for transferring personal data to the U.S., the European Commission (EC) published two separate draft updates to the Standard Contractual Clauses (SCCs):

  1. SCCs governing cross-border transfers of EU personal data to third countries; and 
  2. SCCs between controllers and processors located in the EU (implementing act), pursuant to Article 28.  

The proposed cross-border SCCs align much more closely with the data protection requirements of the EU General Data Protection Regulation (GDPR) than the current SCCs, which were last revised in 2010 and were written to align with the GDPR's predecessor, the Data Protection Directive. The new clauses anticipate more complex personal data processing relationships, including multiple parties that may be located around the globe.

After a month-long public feedback period, the European Commission is expected to finalize the language and adopt the SCCs within the next few weeks. 

EU Cross-Border Data Transfers – The European Data Protection Board (EDPB) issued its guidance on global data transfers, specifically "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data." The EDPB's intent is to provide a framework that data exporters should use to assess the privacy risks associated with business partners in third countries. The recommendations help identify the supplementary measure(s) that controllers or processors may have to implement, on top of a transfer tool such as the SCCs, to maintain a level of protection "essentially equivalent" to that guaranteed within the European Economic Area (EEA).

Data Governance Act – The European Commission published a Proposal for a Regulation of the European Parliament and of the Council on European data governance. The Data Governance Act (DGA) is intended to "foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU." More specifically, the DGA seeks to address four situations:

  • “Making public sector data available for re-use, in situations where such data is subject to rights of others. 
  • Sharing of data among businesses, against remuneration in any form. 
  • Allowing personal data to be used with the help of a ‘personal data-sharing intermediary’, designed to help individuals exercise their rights under the General Data Protection Regulation (GDPR). 
  • Allowing data use on altruistic grounds.” 

(Source: "Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on European data governance (Data Governance Act)," Explanatory Memorandum, p. 1.)

Critics of the DGA, such as the Center for Data Innovation, argue that complying with the requirements imposed on "data intermediaries," including the expectation of a presence within the EU, may be prohibitively costly for some American organizations, and that this may be an unstated objective of the rule. Such a requirement should arguably be unnecessary, given the extraterritorial enforcement reach of the GDPR, which already negates the need for a local presence.

Digital Services Act – Finally, the European Commission's new Digital Services Act is still expected to be introduced in December 2020. It will update the aging e-Commerce Directive (2000). The intent of the Digital Services Act is to foster opportunity, competition, and innovation for EU organizations that use digital services to trade with peers in EU member states as well as outside the EEA. The Digital Services Act is expected to include provisions to preserve the security and privacy interests of EU citizens.

A New EU-U.S. Agenda for Global Change 

To close out an already busy month, the European Commission (EC) and the EU's High Representative for Foreign Affairs and Security Policy drafted a proposal for a renewed EU-U.S. partnership, entitled "A New EU-U.S. Agenda for Global Change." The EC seeks to revitalize the transatlantic alliance, which has been strained under the Trump administration. Its 11-page proposal bases its mission on common global threats and objectives, which include:

  • Combating China’s disruptive influence in global affairs;
  • Cooperation in the development of a COVID-19 vaccine and, hopefully, renewed support for the World Health Organization; and 
  • Mutual agreement on digital regulations, including approaches to enforce antitrust and data protection. 

The paper's authors recognize the fundamental differences between EU and U.S. approaches to geopolitical concerns, and that leaders will have to work hard to achieve a successful compromise, particularly given the disparity between the EU and U.S. privacy regimes.

How Protiviti can Help 

Our privacy consultants bring deep expertise in regulatory requirements and privacy strategy implementation. We can support your business in a variety of privacy-related efforts, including:

  • Privacy risk and maturity assessments against generally accepted privacy frameworks  
  • Compliance with regulatory obligations; assessing gaps and developing compliance roadmaps 
  • Guidance on strategy development and technical assistance in the implementation of security controls 
  • Independent assessments of privacy programs, including policies and procedures impacting data collection, minimization, and storage limitation  
  • Review of third-party and cross-border transfer documentation 
  • Development of record of processing activities, data inventories and data flows 
  • Legal support in response to consumer and internal requests for access to personal data 

To learn more about our privacy and compliance capabilities, contact us. 

Andy Soodek

Senior Manager
Technology Consulting - Security and Privacy

Katie Stevens

Director
Security and Privacy
