Data-protection regulation set to advance globally in 2020
31 December 2019. By MLex Staff.
In one illustration of the data-protection movement sweeping the planet, lawmakers could pass, update or make effective new privacy laws in 2020 that would cover nearly 3 billion people — more than a third of the world's population.
Nations that are either expected or certain to have new data protection rules in place during the coming year include the world's two most populous countries, China and India, as well the jurisdiction with many of the world's most widely used tech companies — the US state of California, where the first comprehensive US data-protection law takes effect tomorrow.
Other democracies, including Brazil, Canada, Japan and South Korea, may also pass, revise or make effective national privacy laws in 2020.
It was the US Federal Trade Commission, not the European Union as was broadly expected, that dropped the first multi-billion-dollar privacy penalty on an Internet giant when the FTC announced a $5 billion settlement with Facebook in July.
More than 18 months after the effective date of the General Data Protection Regulation, however, European data protection authorities could follow suit with big enforcement actions in 2020. Final decisions are eagerly awaited in several Big Tech GDPR investigations by the Irish data protection authority, including a probe of Google and other AdTech companies.
Large tech and telecommunications companies also are watching the new European Commission's next move on the bloc's e-privacy proposal — EU rules aimed at protecting the privacy and security of communications over their networks
Companies that depend on personal data to target advertising are starting to feel the revenue pinch as tighter data-protection laws in Europe, California and elsewhere make it tougher for them to track consumers.
"A majority of the potential signal loss [for ad targeting] is in front of us, and not behind us," Facebook's chief financial officer, Dave Wehner, warned Wall Street analysts on the company's last earnings call. That loss of signal due to regulation may become only more visible in 2020.
There are now more than 120 countries — and by the count of one expert, at least 136 countries — that have passed national data-protection laws. But that total is growing almost on a weekly basis. Expect that trend to continue in 2020.
— Europe —
2020 will mark the second year since the EU's GDPR entered into force in May 2018. All but one of the EU's 28 member states have transposed the stringent data-protection rules into national law at this point. Only Slovenia is still awaiting the final adoption, which is expected to happen next month.
Coinciding with the two-year anniversary of the rules, the European Commission will have to conduct a review of the law before May 25. In the run-up to this, national governments have said in feedback to the EU executive body that they support increased cooperation between competition, consumer and data-protection authorities in the supervision of Big Tech companies such as Google, Facebook and Amazon.
This approach could fuel a more active enforcement attitude across the EU, and the coming year is likely to bring more enforcement actions. National authorities have spent much time advising companies on how to be GDPR-compliant as those regulators deal with a backlog of complaints, sometimes leaving them limited time for audits.
In addition to the awaited probes of Google and other AdTech companies, more clarity is expected in a data-breach case that involves British Airways. The court case pending at the High Court in London could set a precedent for similar claims for nonmaterial damage under the GDPR.
Apart from enforcement, the EU governments also urged the commission to study whether it needs to monitor and assess the relationship between the GDPR and rapidly evolving technology such as facial recognition, new types of profiling and "deep fake" technology.
In terms of new regulation in Europe, the focus will be on the bloc's e-privacy proposal.
EU governments are split on how the proposal fits with the GDPR, how to handle "cookie walls" — pop-up windows that block access to websites until a user gives consent to advertising cookies — and whether an exception should be granted to allow tech companies to scan billions of images for child sexual abuse.
The new European Commission, which took office Dec. 1, must decide whether to scrap the proposal, amend it, or give EU governments another crack at a compromise. Thierry Breton, the European commissioner in charge of the file, said "all the options are on the table."
In addition to EU legislation, companies will also be watching for a new recommendation from France's data protection authority, the CNIL, on "practical techniques for obtaining a valid consent" for cookies. The recommendation will be made in the first quarter of 2020.
Companies also are awaiting the fate of a key data-transfer mechanism between the EU and the US. Judges at the EU's top court, the Court of Justice, are considering whether certain contract clauses that companies use to transfer data to the US are valid under the EU's fundamental rights principle on the protection of personal data.
The Court of Justice is also considering a case brought by privacy advocacy group La Quadrature du Net, which has challenged the US-EU Privacy Shield, another popular mechanism for EU companies to transfer personal data to certified companies in the US.
— United States —
The new year brings the long-awaited debut of the first comprehensive privacy law in US history, as the California Consumer Privacy Act takes effect Jan. 1. CCPA applies to any company with at least $25 million in revenue or that trades significantly in personal data and that does business with any of California's 40 million residents.
Because California is the most populous US state, its size makes it extremely difficult for any company to segregate Californian consumers from the rest of its customer base. So for now, CCPA is the de facto law of the land in the US. Microsoft, Facebook and other tech giants say they will extend the new privacy rights in CCPA, such as the right for consumers to see or delete their personal data, to all their US users.
The effective date of the law could bring a wave of new data-breach lawsuits in the California courts, but enforcement by the California attorney general of the privacy rights bestowed by CCPA won't begin until July 1.
Challenges to the CCPA are highly likely, and a court battle appears to be looming about the definition of "sale" under the law, which allows consumers to opt out of the sale of their personal data. Facebook and Apple have said they don't need an opt-out page.
Whether CCPA will long survive as the nation's preeminent privacy law remains very much in question. In Washington, members of Congress are sure to continue discussions on federal privacy legislation, with Republicans and Democrats releasing dueling bills in the US Senate and House. And with a ballot initiative that would significantly tighten privacy rules potentially going before California voters in November 2020, the state's voters could decide that even CCPA's privacy protections aren't enough.
But threshold questions remain unresolved, including whether a federal law will preempt state laws such as CCPA, and whether a federal law should give consumers a private right of action to sue for privacy violations. With Washington likely to be occupied with the impeachment of President Donald Trump and then the presidential election during much of 2020, it's difficult to see how a complex data protection bill would gain the bipartisan support it would need to become law.
Meanwhile, lawmakers in New York and other states are considering their own comprehensive privacy legislation, with a New York state senator pushing the idea of forcing tech companies that trade in large volumes of personal data to function as a "data fiduciary." The concept is that firms would have to use the personal data they collect in the best interests of consumers.
Facebook faces what could be the highest-stakes privacy trial in history, with multiple billions of dollars at stake if it can't get the US Supreme Court to hear its petition for review in litigation that alleges the social media giant's use of facial recognition to tag uploaded photos violated the Illinois Biometric Information Privacy Act (BIPA). The plaintiff's brief arguing against Facebook's petition is due to be filed to the Supreme Court this week.
Probes of tech giants including Google, Facebook and Amazon by federal and state regulators, including the attorneys general of New York, Texas and California, will gain steam and may even conclude with an actual cause of action in 2020. While California's 18-month-old probe of Facebook is purely about privacy, multistate probes of Google, led by Texas, and of Facebook, led by New York, touch on data-protection issues as well as antitrust matters.
When the states announced their probe of Google this past September, Ashley Moody, Florida's attorney general, hinted at how antitrust and data protection are being linked when she asked: "Is something really free if we are increasingly giving up our privacy information? Is something really free if online ad prices go up based on one company's control?"
— India —
Like the US, the world's most populous democracy still hasn't enacted a comprehensive national data-protection law, but India took a major step when a personal data-protection bill was introduced into parliament this month.
The regulator established under the bill has wide-ranging powers to sanction companies and impose penalties modeled on the GDPR that can be as high as 4 percent of worldwide turnover. And like lawmakers in New York, India is placing in law the concept of a data fiduciary, designating social media platforms as "significant data fiduciaries" under India's Personal Data Protection Bill and providing an option for users to verify their accounts.
The bill has gone to a select committee amid criticism that the government has carved out too many exemptions for itself, and it won't be reintroduced into parliament until around May 2020. Even if it is passed then, implementation of the law isn't expected to be smooth or straightforward. The law will almost certainly provide a grace period before the enforcement provisions kick in.
That means India isn't going to see a rush of enforcement decisions anytime soon, but businesses will start to get a sense of the government's priorities by following the regular updates in this area.
— China —
The Chinese government recently disclosed that the national legislature has put the drafting of a Personal Information Protection Law and a Data Security Law on its 2020 agenda, following a previous plan to include the two laws in the five-year term of the current legislature.
The announcement came just as authorities across different sectors are wrapping up their year-long efforts aiming at data abuses by mobile apps, resulting in hundreds of apps being targeted for public reprimands. A plan has been approved by the Standing Committee, which was elected for a five-year period beginning in March 2018, according to a government spokesman.
The legislative plan suggests enforcement against data abuse, especially personal data, is likely to remain a priority for Chinese regulators.
— Brazil —
Brazil also has a new national data-protection law, but the big question in 2020 is when it will take effect.
Full enforcement of the General Law for Data Protection, or LGPD, is scheduled to begin in August 2020, just two months after the National Data Protection Authority, or ANPD, is due to start work in June.
But a draft bill proposing a two-year delay in the LGPD's implementation could gain traction in Congress, especially if President Jair Bolsonaro continues to drag his feet on publication of a presidential decree establishing rules to govern the country's new data-protection authority.
If the decree isn't published soon, Brazilian lawmakers' discussions to delay the start of enforcement to 2022 may inevitably gain momentum in the coming year, because the new ANPD will need time to create guidelines and begin regulating sectors before it can effectively enforce the law.
The draft bill, submitted by lawmaker Carlos Bezerra, was proposed on the grounds that most companies haven't yet adapted to the new legal regime and that information on the ANPD is being released too slowly. Reasons for the latter include Bolsonaro's delay publishing the presidential decree needed to establish the protection authority and start discussions on regulation before the law goes into force.
— Japan —
In Japan, the data-protection agency began flexing its muscles in 2019, issuing its first-ever corrective recommendation — a type of administrative guidance — to Recruit Career, which sold job-seeking students' data on their likeliness to decline job offers to 38 companies, including Toyota and Kyocera.
The news drew heavy media coverage, and the Personal Information Protection Commission, or PPC, will likely continue to use its limited tools of enforcement in 2020, amid rising awareness of privacy in the digital space.
The PPC's big agenda next year is to amend the existing national privacy law in the backdrop of a 2019 data flow accord with the European Union and the government's stance to clamp down on big technology companies' abuse of personal data. The amendments are expected to strengthen the PPC with new tools, such as a notification requirement for data breaches, extraterritorial reach of enforcement and stricter rules on cookies.
The revision is likely to bring the Japanese law more in line with those of the European Union and other jurisdictions, but ambiguity remains over when cookie data becomes personal data subject to the law.
— South Korea —
Like Japan, South Korea is trying to update its data-protection laws so they are in better harmony with Europe's. Three data protection bills await approval in the National Assembly, but they are enmeshed in political fights due to unrelated domestic issues.
Among the three bills, the revision to the Personal Information Protection Act (PIPA) is key because it enables the country to establish a unified enforcement agency to handle privacy issues. The measure would upgrade the existing Private Information Promotion Commission, an advisory body, to an independent enforcement authority.
Although the bills are stuck in the lawmaking process, key observers believe they must pass before the current parliamentary term closes in the spring. Otherwise, lawmakers will face a strong backlash from businesses that need the data protection bills to pass in order to allow companies to use large anonymized datasets, incorporating them into their business strategies and product development.
The country is pushing for development in areas of Big Data, artificial intelligence and self-driving vehicles, so the government is focused on easing regulations in those emerging areas rather than restricting development. But it has also indicated it's aware of potential ethical, privacy issues as well.
— Canada —
Canada's government is also moving to update its national privacy law, with potential legislation before Parliament in 2020. Newly re-elected Prime Minister Justin Trudeau recently tasked his minster of innovation to work with the justice minister and attorney general in 2020 to create enhanced powers for the Office of the Privacy Commissioner of Canada.
In a recent mandate letter to Navdeep Bains, the minister of innovation, science and industry, Trudeau also directed Bains to work "to establish a new set of online rights" which could have a broad impact on tech companies and the digital advertising industry.
Those new rights, Trudeau said, should include "data portability; the ability to withdraw, remove and erase basic personal data from a platform; the knowledge of how personal data is being used, including with a national advertising registry and the ability to withdraw consent for the sharing or sale of data; the ability to review and challenge the amount of personal data a company or government has collected; proactive data-security requirements; the ability to be informed when personal data is breached with appropriate compensation; and the ability to be free from online discrimination including bias and harassment."
Canada's privacy commissioner, Daniel Therrien, has been calling for stronger powers for his office, including the ability to levy fines for violations.
Therrien is also expected to take Facebook to court in early 2020. The privacy commissioner has said his office will file suit in Canada's Federal Court accusing Facebook not only of violating the nation's privacy laws as a result of the Cambridge Analytica privacy leak, but also of ignoring regulators' demands for changes.
This story was reported and written by Mike Swift, Cynthia Kroet, Matthew Newman, Ana Paula Candil, Wooyoung Lee, Sachiko Sakimaki, Xu Yuan, and Phoebe Seers.