On Dec. 26, Canadian Prime Minister Justin Trudeau announced his mandate that Canada’s Minister of Innovation, Science and Industry establish a new set of online rights for citizens. In doing so, Trudeau signaled an intent to overhaul data protection in Canada — a country that since 2004 has had in place the Personal Information Protection and Electronic Documents Act, a law that has long served as a model for policymakers around the globe as they draft new legislation. Trudeau’s mandate requires enhanced rights for individuals, including rights to transfer their data across platforms; to withdraw, remove and erase basic personal information; to be notified and compensated when breaches occur; and to be protected against online discrimination.
Trudeau’s announcement marked 2020 as a year in which the global debate about privacy and data protection will again figure prominently.
Canada is not alone in its attention to personal data protection. In the United States, the debate about federal privacy legislation continues. While testimony at congressional hearings held in early December suggests that companies, experts and advocates have reached consensus on several key issues, challenging questions — among them the extent to which a new law would pre-empt state law and individuals’ ability to bring a private right of action when violations occur — remain to be resolved.
Meanwhile, activity continues in the states.
The California Consumer Protection Act (CCPA), which came into full effect as recently as Jan. 1, is already under review in the state legislature. The proponents of the original CCPA ballot initiative released the California Privacy Rights and Enforcement Act, a new ballot proposal that will likely be voted on in this year’s election (the proponents first need to collect the requisite number of signatures, an outcome many experts consider probable). If passed, the new initiative would substantially expand CCPA’s protections for consumers and obligations on businesses. While the new proposal preserves key aspects of the current CCPA statute, it will make some notable additions and amendments to a law that affects businesses across the U.S.
Bills in states like Arizona, Florida, Kentucky, Mississippi, Montana, and Washington stalled or failed to pass in 2019. But Washington introduced a new bill this month, and other states — including Connecticut, Hawaii and Louisiana — continue to study the issue in 2020 with a focus on data breaches and information brokers, relying on regulatory frameworks to design a path forward.
As a result, in-house data protection officers, consultants and privacy lawyers face a legislative environment in flux. But privacy professionals are the first to recognize that privacy is a work in progress. Technologies, data processing methods, and business models evolve rapidly. As tools to address security threats become available, new threats continue to emerge.
While full compliance with law and regulation is the goal, companies working to keep pace with change and sometimes conflicting legal obligations understand that data protection within a company is not a steady state. The measures an organization implements to fulfill legal obligations must be constantly monitored and reassessed. As the company collects new kinds of data, engages with new business partners or deploys new data processing methods, processes and policies must be evaluated to determine whether they provide necessary protections and promote responsible data use. When these measures do not make the grade, companies must be able to respond quickly.
In many ways, policymakers and legislators face similar challenges. Developments in technology and data processing — particularly artificial intelligence, facial recognition, and analytic processing of vast troves of data — prompt lawmakers to look for legal and regulatory solutions to address consumer concerns and the risks disruptive technologies and data uses raise for individuals.
But the Canadian example highlights that even laws that have worked well for decades are challenged by technological advances — and that the response may be to reassess and revise them. California’s quick return to amend the CCPA is a reminder that our understanding of how best to govern data is still at an early stage. It will take time and experience to understand what is effective and how law can be crafted in a way that protects individuals but does not impede the use of data for legitimate purposes.
How do organizations best respond to this uncertainty and change?
Companies are wise to ground their data strategy in C-suite commitment to data protection and responsible data practices.
Emerging laws have consistently included requirements that companies establish privacy programs centered on principles of fair information practice with a heavy emphasis on accountability. Putting such measures in place benefits companies no matter what jurisdiction applies and how the law may change.
Basing a company’s decisions about data protection on risk assessment and mitigation, and monitoring whether that evaluation provides the protections individuals deserve, can go a long way in guiding companies toward good privacy outcomes. With a solid foundation in place, organizations are well positioned to respond to new legislation and regulation and meet evolving requirements in existing law. Staying abreast of guidance — like that released early this month by the European Data Protection Supervisor about how the requirements of the General Data Protection Regulation interplay with the Clinical Trials Regulations — can help companies stay within established guardrails even when faced with reconciling requirements and making difficult choices about responsible data use.
The legal landscape in 2020 is far from static, and companies will face significant, often complex data protection challenges. But though the way forward is not yet clear, companies that stay aware and establish strong data protection foundations will be able to confidently navigate what the coming year — and the emerging regulatory environment — may bring.