As discussed in our previous article Data Privacy Amid Coronavirus: Blockchain to the Rescue, 2020 was a year of tremendous upheaval and disruption; especially in the privacy and cybersecurity space. The COVID-19 pandemic, which continues to devastate worldwide, raised challenging questions about the balance between data protection and public health. Unprecedented cyberattacks by cybercriminals and foreign state actors highlighted vulnerabilities in both the private and public sectors. New privacy laws were developed and enacted addressing: the regulation of privacy and data security, updates related to the COVID-19 pandemic, enforcement actions by federal and state authorities, and new regulatory guidance on data privacy and the collection of electronically stored information by government actors. If there was one takeaway from 2020, privacy law is evolving rapidly in nearly every corner of the world. We will outline below a non-exhaustive list of early 2021 developments.
In the United States, the year 2021 brings a new administration and a potential shift from the prior administration’s deregulatory priorities. Policymakers now recognize the need for federal privacy legislation. That said, contention around potential federal privacy legislation includes questions as to what extent legislation should preempt more stringent state laws and whether the legislation should include a private right of action. For example, the new California Privacy Rights Act (“CCPR”) consists of a private right of action and civil enforcement by the attorney general.
In the absence of federal privacy legislation, New York and other states, including Connecticut, Oklahoma, Minnesota, Mississippi, and Virginia, are set to follow in the footsteps of California’s Consumer Privacy Act (“CCPA”) in passing legislation that creates data rights for consumers. In New York, a comprehensive data privacy law, the Data Accountability and Transparency Act (“NYDAT”) seeks to expand the scope of New York’s privacy protections, providing for visibility into and control over how companies use and share data. NYDAT would cover any company that conducts business in New York or produces goods or services that target New York residents, and “controls or processes” the personal information of at least one hundred thousand consumers, or derives over fifty percent of gross revenue from the “sale, control, or processing” of personal information. “Personal information” is defined broadly as “data relating to an identified or identifiable natural person.” If passed, NYDAT would create consumer privacy rights and, accordingly, impose new requirements on covered businesses regarding data collection and maintenance. The most notable provisions of the current proposal are as follows:
Notice of collection and use
Covered businesses would be required to inform consumers of the type of personal information being collected, as well as the purposes for which that information would be used.
NYDAT’s focus, like all well-conceived privacy laws, is on notice and consent, and it contains an opt-out provision. If a covered business intends to sell or share a consumer’s personal information, it would be required to provide a “clear and conspicuous link” to enable consumers to opt-out.
Businesses would also be required to provide consumers with the ability, upon receipt of an appropriate request: to confirm that the company possesses personal information about that consumer and access and challenge its accuracy or veracity have the data returned, destroyed, rectified, completed or amended.
NYDAT would also prohibit covered companies from discriminating against consumers who exercise their rights under the law, for example, by denying goods or services to the consumer.
Information security safeguards
From a security standpoint, the law would mandate that businesses implement safeguards to protect personal information from security risks “such as loss, unauthorized access, destruction, use, modification, or unauthorized disclosure.”
NYDAT is not the only state privacy legislation proposed in 2021. Additionally, New York is considering a Biometric Information Privacy Act (BIPA), virtually identical to the Illinois statute, which has been in effect since October of 2008. The Act would require disclosures, consents, and use restrictions when a person’s “biometric identifiers,” e.g., finger and handprints, retina scans, and facial geometry or “biometric information,” i.e., information derived from biometric identifiers are captured, stored, or used. New privacy legislation from New York will have operational and compliance implications for businesses across the country. Businesses need to stay compliant as violations alleged under BIPA can potentially fall within the scope of directors and officers liability, employment practices liability, general commercial liability, or cyber liability, depending on the nature of the claim.
In the health care industry, the US has seen a recent focus on patient privacy rights under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). In response to the challenges presented by the pandemic, the US Federal Government, through the Department of Health and Human Services Office for Civil Rights (OCR), has relaxed HIPAA enforcement and issued new guidance to reassure companies assisting in the fight against COVID-19. OCR announced it would exercise its enforcement discretion and not impose penalties for noncompliance against health care providers “in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” OCR also issued new guidance to ensure HIPAA compliance in the wake of COVID-19. This guidance addressed how covered entities may disclose protected health information to law enforcement, paramedics, and other first responders to comply with HIPAA and still facilitate sharing real-time data to keep themselves and the public safe.
The European Union (“EU”), 2020 saw significant developments in the evolution of the data protection and cybersecurity landscape. The Court of Justice of the EU (“CJEU”) in Schrems II struck down the legality of the EU-U.S. Privacy Shield, on which companies relied to transfer personal data from the EU to the US. In Schrems II, the Commission re-examined whether the Privacy Shield complies with GDPR requirements, i.e., affords the level of protection of fundamental rights equivalent to that guaranteed under EU law. The CJEU found that interference arising from US surveillance law, e.g., FISA, did not ensure equal protection because data subjects had no actionable rights before the courts against US authorities. Additionally, there no adequate remedies available to data subjects to access or rectification their personal data. In its FAQs on Schrems II, the EDPB stated that no “grace” period is granted for entities that relied on the EU-U.S. Privacy Shield. Entities relying on the now invalidated Privacy Shield should immediately put other data transfer mechanisms or frameworks in place. While companies are turning to other frameworks to transfer personal data, such as Standard Contract Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”), EU law compels these companies to ensure that personal data will be safeguarded. The adoption of new SCCs will bring more certainty to companies that relied on this framework to transfer personal data reducing implementation costs as well. The European Data Protection Board (“EDPB”) posits that given a change in the US federal administration and the need for legal certainty to facilitate cross-border commercial activity in the current economic context, the EU and the US will work swiftly towards a mechanism that can resolve transatlantic transfers for once and for all.
It would seem best for all companies to closely follow EDPB changes and instruct Data controllers who rely on SCCs and BCRs to transfer data to ensure that the level of protection required by EU law is respected in the third country concerned. If personal data is not adequately protected in the importing Member State, the controller or the processor should determine what supplementary measures would be needed to ensure an equivalent level of protection and implement the same before they become law.
With respect to the pandemic, while EU data protection laws were not meant to hinder the deployment of measures to trace the virus evolution, EU supervisory authorities stress that this should not come at a cost in terms of privacy. These standards will remain high as Member States commence their vaccination plans. The EU plans to propose issuing a certificate called a Digital Green Pass that would let people who have been vaccinated against the coronavirus travel more freely. Implementing a system to issue certificates will take coordinated technical and legal effort. It is no small task. It is also unclear what legislative steps would be required, nor whether the system would extend beyond European Union citizens. Regarding tracing and detection data, public administrations and companies have to assess the proper retention periods applicable to the storage and archival of such information.
As a consequence of the COVID-19 pandemic, a number of public, corporate, and workplace practices have emerged to limit the spread of the virus, all of which have privacy implications. To respond to this, many EU Member States have smartly issued rules and guidelines balancing privacy and the processing of personal data in the context of the pandemic.
In the area of cybersecurity, EU and Member State supervisory authorities and cybersecurity agencies have continued to be active in the adoption of measures and decisions that enhance and enforce cybersecurity standards. The EU Agency for Cybersecurity (“ENISA”) has the mandate of increasing the protection of public and private networks and information systems, developing and improving cyber resilience and response capacities, and developing skills and competencies in the field of cybersecurity, including management of personal data. ENISA has developed a strategy that sets out objectives, including effective cooperation amongst operational actors within the EU in case of massive cyber incidents, the creation of a high level of trust in secure digital solutions, and efficient and effective cybersecurity information and knowledge management for Europe.
In conclusion, data privacy isn’t new; the attitude shift is. People demand more, and the changes that have occurred in the workplace due to the pandemic make it critical for businesses to privacy-compliant across the entire enterprise. In no other area will businesses be required to balance public health, legal obligation, and personal privacy. Data ethics will be important as consumers care less about their data being captured and more about how it is used. Consent, selling, and sharing will remain definitions of importance. Expectations will be placed on businesses to communicate how they handle data, i.e., where it is going, who it is going to. Privacy protection will need to be continuous and holistic. Securing data and day-to-day operations from remote locations will be a significant focus. The blurring of personal and professional lives and mobile devices’ roles will require businesses to determine how they protect their data and track its use while not inadvertently monitoring employees’ personal lives. With GDPR, the focus is on fines. The fear of violating the law should make responsible businesses comply at every turn. This will continue as more US legislation is put into play. Businesses will have to sort out the confusion that multiple legal frameworks cause. They will have to understand what is required to become compliant, perhaps reversing years of naively irresponsible data use. The turmoil of 2020 has provided some protection, but 2021 will see a return to stricter measures. The European Data Protection Board has instructed European Supervisory Authorities to increase scrutiny and shorten their patience. 2021 is likely to see more and more considerable fines. No matter what trends play out in 2021, continuous privacy is going to determine if an organization is safe or not!
Our Withers team can help you safely prepare your businesses from both a technical and legal standpoint incorporating these emerging technology trends in a customized, secure and efficient manner. We have the experience and knowhow to help you stay ahead of the competition.