To read the latest update (August 2021) to The Periodic Table of Data Privacy, click here.
Data Privacy Day (or Data Protection Day in Europe) is the perfect occasion to release the latest update of the Data Privacy Periodic Table.
This is the fifth version of the open project, continuously receiving input and recommendations from industry experts all around the globe.
So, what does this update include?
Firstly, let’s discuss what it does not include:
While a great deal of the recent privacy conversation has revolved around its symbiotic relationship with AI, it has not impacted the arrangement of the Periodic Table. AI was included as a “Future development” in the very first rendition. However, on this topic, see our blog, also published today as part of our special Data Protection Day resources.
Similarly, the ongoing debate around whether the UK will be able to secure EU adequacy by the Brexit deadline of the end of 2020 has been a topic of keen discussion for many of our North American and European clients. But the urgency of the conversation does not change its position in the Table. A more in-depth discussion of this topic is available here.
Instead, we have identified three key privacy topics that demand changes to the Periodic Table, focused on major legislation arriving or being debated, plus, speaking of debates, “Schrems II”.
California Consumer Privacy Act (CCPA) – and its national ramifications
The most obvious necessary change was to move the CCPA from Future Developments to Core Legislation. To accommodate it, we combined the two Canadian privacy laws of CASL and PIPEDA into “Canadian Data Privacy Laws (CaDP)”.
On the 1st of January, the CCPA – “the nation’s most far-reaching online privacy law and a potential model for other states” according to the Washington Post – came into force. Of course, its Proposed Regulations are still being debated throughout the industry, as much of this guidance for businesses’ execution of the CCPA actually exceeds the scope of the underlying law, or creates additional burdens. However, setting those discussions to one side, it is still a huge moment for US privacy law.
2019 was also a big year for US privacy legislation for other reasons. Two federal online privacy bills were proposed in 2019: one from US Democratic Senators, dubbed the COPRA – the Consumer Online Privacy Rights Bill – while Republicans proposed the US Consumer Data Privacy Act (CDPA). There are many similarities, especially around the now commonplace privacy provisions of data security, consent, and transparency. The main differences are in their implementation – COPRA aims to work in tandem with state laws, while CDPA aims to supersede them. And let’s not forget that there were five other notable federal privacy proposals introduced in 2019:
- Online Privacy Act
- Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data (DASHBOARD) Act
- American Data Dissemination Act (ADD Act)
- Social Media Privacy Protection and Consumer Rights Act
- Privacy Bill of Rights Act
All of these are in such early stages that none of them warrants inclusion on the Periodic Table just yet – especially when element 114 in Future Developments includes “US States”. However, it would be a safe bet that there will be a change in this area in 2020.
Children’s Online Privacy Protection Act (COPPA)
This has been introduced into the Future Developments section, taking the space left by CCPA’s move into Core Legislation.
COPPA is a US federal law, in force since April 2000. Much like the thinking behind GDPR, its scope reaches any online service targeting US users or that intentionally collects information from children in the US, regardless of its country of origin.
The reason it has been added is the introduction of a new bill, the Preventing Real Online Threats Endangering Children Today Act – known as the PROTECT Kids Act.
This bill borrows most of its content from COPPA, but adds a Right to be Forgotten and, most remarkably, raises the age limit from 13 to 16. This effectively creates the right for parents to demand the removal of their children’s online profiles up to the age of 16. It is a remarkable indictment of how much suspicion there now is about how personal data may be used in the future.
The protection of children’s privacy is an issue that the US takes seriously. In September 2019, YouTube (and by extension, Google) was handed a $170 million fine under COPPA after it was found to be gathering children’s personal data without parental consent and monetizing it. However, a few days before the PROTECT Kids Act was proposed, YouTube passed all the burden of confirming audience age to content creators and removed most monetization mechanisms from any content marked as “suitable for children” – all to widespread indignation amongst the YouTube content community, many of whom relied on income streams from child-suitable content.
Despite being an enforceable law, COPPA will remain in the Future Developments section while the PROTECT Kids Act and other amendments are in discussion.
Do Standard Contractual Clauses (SCCs) adequately meet Europe’s data protection laws? This is the heart of this long-running debate, brought about by the infamous Max Schrems asking whether his Facebook data could be adequately safeguarded in the US.
Schrems asserted that Facebook’s data transfer agreement was not consistent with the EU’s SCCs, and that even if they had been used, those SCCs could not justify the transfer of his personal data to the United States.
In December 2019, the Attorney General of the Court of Justice of the European Union seemed to agree by recommending that the European Court of Justice should “continue to consider” whether SCCs are lawful. He did caveat this, though, by saying they were not to be considered unlawful – currently.
The problem is mainly that SCCs are made between two organizations alone, and do not put any requirement on the respective governments to safeguard that data’s privacy. In practical terms, this means that data passed from the EU to the US under SCCs is still vulnerable to legal US surveillance measures. And, as the AG of the CJEU asserts, Privacy Shield does not solve this problem.
The result is that SCCs are now very much in question. They currently remain a suitable measure, but their practical effect – and therefore their ongoing suitability – is very much under scrutiny.
We have therefore removed “EUx” from Future Developments as further exits from the EU seem less likely – or at least less immediate than this discussion over SCCs, which now takes its place. You can read more about the outcome of Schrems II here.