Today, we are launching the sixth version of our industry-renowned Data Privacy Periodic Table since its initial launch in September 2018.
The open project takes input from privacy professionals across the industry and is continuously updated throughout the year to reflect significant changes and developments.
And these last few months have certainly seen some notable announcements and new trends appearing…
California Consumer Privacy Act 2.0 (CCPA)
Oddly, for the second time in a row, the CCPA saga appears as one of the Periodic Table’s updates. This year, on 1st January, California’s consumer privacy law, CCPA came into effect, giving Californian consumers more control over how their personal data is collected and processed by businesses.
But on the 4th May 2020, the team behind the CCPA, Californians for Consumer Privacy, announced that they had received enough signatures (over 900,000) to qualify the ‘California Privacy Rights Act (CPRA)’, also known as CCPA 2.0, for the November 2020 ballot – a process where California citizens vote on a list of proposed legal changes for the state.
The CPRA broadly aims to tie up the CCPA’s loose ends, such as requiring businesses to be more transparent on how personal data is processed and expanding on the “Right to Opt-Out” clause to include the ability to opt-out of personal information being shared, not just sold. The key modifications however are:
- Creation of a new category of “sensitive personal information”, which includes:
  - Consumers’ social security, driver’s license, state identification card, or passport number
  - Consumers’ precise geolocation
  - Consumers’ racial or ethnic origin, religious or philosophical beliefs, sexual orientation, or union membership
  - Consumers’ genetic and health data
  - Consumers’ biometrics
- A right of correction, under which Californian consumers can request that inaccurate information held about them is corrected
- Enhanced protection of children’s data, tripling the level of fines for any rights violations involving consumers under the age of 16
- Amendment of the data breach liability provision so that any illicit disclosure of usernames and passwords falls under it
- Changes to enforcement: the CPRA will establish the California Privacy Protection Agency to enforce the law, rather than leaving it to the California Attorney General.
While CCPA remains as Element 50 in the Core Legislation section, we are adding “CCPA II” as Element 116, in place of Standard Contractual Clauses…
SCCs, Privacy Shield and EU-US Transfer Mechanisms
This is one of the most impactful areas of change in recent months.
In July, the Court of Justice of the EU (CJEU), the European Union’s top court, ruled in the case referred to as Schrems II and struck down the EU-US data-sharing agreement, Privacy Shield, with immediate effect.
The CJEU found that Privacy Shield did not provide adequate protection for EU citizens’ personal data when that data is stored in the US.
You can read more about the Schrems II ruling and its effects by clicking here.
With Privacy Shield invalidated, there is now room for a replacement, much as Privacy Shield itself replaced the earlier EU-US data transfer agreement, Safe Harbor. But the question is, what will be next?
For the time being, all companies (including the 5,300+ who relied on Privacy Shield) will now have to rely on Standard Contractual Clauses (SCCs) as their mechanism to transfer data between the EU and US.
However, organizations must ensure that the SCCs guarantee that any EU data transferred is afforded the same level of protection it would have under EU law at all times; otherwise, they must suspend all data transfers. This raises further questions: how will organizations determine that their EU data is adequately protected? And will this inconsistency of application and protection be the cause of SCCs also being invalidated?
The removal of Privacy Shield is one thing, but if the only remaining legal mechanism to protect data is also being called into question, organizations whose operations rely on EU-US data transfers will have to work hard to ensure their SCCs are as robust as possible, else face further disruption in the near future – and potential regulator scrutiny.
Alongside removing Element 116 “SCCs” as mentioned above, we have also removed Element 113 “Py (Privacy Shield)” and replaced it with “EU-US (EU-US Transfer Mechanisms)” so we can monitor the situation as it progresses.
US Privacy Federal / States Law
We have expanded Element 114 “USSs (US States)” to “USP (US Privacy – Federal / States Law)”.
Why? Because, as is well known in the privacy industry, there is currently no federal data privacy law in the United States. Instead, regulations and data privacy frameworks are being introduced and enforced at state or sector level.
However, this does mean that each region’s or industry’s regulation differs from the others: in how personal data is defined and classified, in what constitutes a data breach, in the severity of consequences, and in several other nuances. There are even differences, overlaps, and gaps in whose personal data is in scope. All of this leaves businesses that operate across multiple states in unavoidable confusion as to what their obligations are.
The current – and ongoing – debate is therefore how to control individual states introducing or building upon their own existing data privacy laws (such as with the CCPA 2.0), and potentially furthering the disconnect, and whether the solution is in fact an overarching federal data privacy law – and whether that is practical.
COVID-19 Contact Tracing
In recent months, organizations across the globe had to facilitate remote working, more often than not, for the very first time. Not only did this include maintaining “business as usual” data privacy practices, but it also included having to track, manage and report employee cases of COVID-19 within the organization whilst respecting data privacy obligations.
And, as lockdowns ease, businesses are now facing another challenge – COVID-19 contact tracing.
With multiple methods in use, from internal documents and paper sign-up sheets to an array of apps and QR codes, most of them hurriedly put in place by businesses with minimal track record or expertise in data privacy, many businesses will find they are not meeting their data privacy obligations.
In parallel, the debate continues whether the importance and implications of contact tracing outweigh even data privacy ethics. The combination of rushed deployments, lack of oversight, the volume of data collected, and this debate mean “COVID-19” has been introduced as a new element under our section for Legislation and practices whose powers and requirements can conflict with data privacy.
Businesses need to remember that they must only collect the minimum amount of information required, and need to ensure the following:
- that they are transparent about why they are collecting the information and how it will be used
- that the data is kept secure
- that the data is kept only for as long as it is needed
- that the data is securely erased afterwards
- and that under no circumstances is the data used for marketing or any additional purpose.
As always, let us know of any suggestions, disagreements or recommendations. This is an open and live project that actively seeks input and is regularly updated as things change.