Once again, to mark Data Privacy Day (or Data Protection Day in Europe), we have released a new update to the Data Privacy Periodic Table – our industry-renowned open project to create a regularly updated digestible guide to the confusing world of data privacy.
This is its sixth update, and roughly three and a half years after its launch in September 2018, what have we learned?
Firstly, that the open nature of the project is crucial. The contributions and observations that we receive on suitable additions and changes are often massively insightful and points of fascinating debate. We could not continue to deliver this resource without your input, so thank you.
Secondly, that judging by the eagerness with which it is consumed, shared and commented upon, data privacy remains just as confusing, daunting and multi-faceted an area of business as it did in 2018. If not more so. The speed with which the industry moves, the passion with which its rights are defended or demanded and the external forces that impact its application all contribute to a fascinating but at times overwhelming area of business.
And finally, the degree of change that we announce with each update highlights perhaps the most important observation: privacy has become one of the keystones of modern business practice. It is an unavoidable duty of practically every organization and one that requires very specialist skills and experience.
So, what does this update include?
Amongst others, new legislation, how geo-politics has impacted our industry, and commentary on effective implementation.
In other words, a mix of topics that serve to prove the points above: data privacy is perhaps the business area most heavily-scrutinised by governments and customers alike, and therefore the most susceptible to change.
- California Privacy Rights Act of 2020 (CPRA)
- Canada’s Consumer Privacy Protection Act (CPPA)
- Project Management & Infosecurity
Element #116: “CCPA II” becomes CPRA
The California Privacy Rights Act of 2020 (CPRA), also known as “CCPA II” or “CCPA 2.0” passed in November 2020.
It will take effect on 1st January 2023, though any breaches in 2022 will be enforceable from January 2023. Importantly, it does not replace the pre-existing CCPA. Instead, the CCPA will be incorporated into the new CPRA in 2023 and will remain in effect in the meantime.
As a result, we are keeping CCPA in the “Core Legislation” section, and CPRA in the “Future Developments” section until it takes effect.
Some of the principal modifications the CPRA introduces are:
“Do not sell” expanded to “Do not share”: Under CCPA, consumers are able to opt-out of businesses selling their personal data, but the CPRA expands this to ‘sharing’, giving consumers control over who their data may be shared with, particularly advertisers, even if there is no form of transaction involved.
An important side point is that consumers under 16 years old are required to opt-in to the sale and sharing of data, with consumers under 13 requiring parental consent to do so.
New consumer right: the ‘Right to Correct Inaccurate Personal Information’ (or the right to rectification)
A new sub-category of personal information, “sensitive personal information”: Those familiar with the GDPR will recognise many of the categories, though they will also appreciate that this is a broader set of criteria. Sensitive Personal Information brings with it additional duties for businesses processing it and additional consumer rights to limit its use. It includes:
- Government-issued identifiers, such as social security numbers and passport numbers
The latter is a very interesting inclusion given the overall context of the US government’s powers of data retrieval from technology companies if it would assist in national security investigations.
A new regulator: The California Privacy Protection Agency is the first US government agency at either federal or state level to have been created with the sole purpose of protecting individuals’ data privacy. Previously, any disputes had been handled by the Federal Trade Commission and state Attorneys General under “unfair or deceptive trade practices.” As a signal of California’s intent and need to enforce data privacy regulations appropriately, the establishment of the regulator sits outside the CPRA’s overall timeline, and the agency is required to assume rulemaking and enforcement authority from the California attorney general no later than July 1, 2021.
We have previously commented on the US federal law, Children’s Online Privacy Protection Act (COPPA), and included it as a specific element in the Future Developments section. This was because of the debate over consent and types of data introduced by the PROTECT Kids Bill, introduced in 2020. The main areas of intended reform were the ages at which consent could be given, and the types of data requiring protection.
CPRA addresses these concerns in substantial part with a combination of the opt-in requirement in the ‘Do not share’ modification plus the new sub-category of personal information. Although the CPRA is only a state law, we have removed COPPA from the Future Developments section, but with the caveat that we intend to keep a watchful eye on how – or whether – this attention to minors is echoed in future US state legislation.
For more commentary on the privacy landscape in the US today, and how it may change in the near future, take a look at another article written for Data Privacy Day 2021: The Top 3 data privacy requests for the new US administration
Element #112: COPPA is replaced with CPPA
In place of COPPA, we have added a new piece of national legislation to the Periodic Table: Canada’s Consumer Privacy Protection Act (CPPA), which was introduced in November of last year, only days after the similarly-abbreviated CCPA was passed in California. As Sophie Chase-Borthwick, our VP of Data Privacy & Ethics, often comments, “privacy really needs some different characters in its acronyms.”
In fact, the similarity was recognised by Navdeep Bains, the Canadian Minister of Innovation, Science and Industry, who at the announcement of CPPA also stated Canada’s law would be stronger than California’s.
Canada’s principal data privacy legislation, PIPEDA, has been fully enforceable since 2004, having received Royal Assent in 2000 and coming into force in stages from 2001. It was the foundation stone of a data protection regime that was considered robust enough for EU Data Adequacy to be awarded in 2002. CPPA will now amend and replace PIPEDA in order to create an even more stringent environment.
These reforms are important. With the arrival of GDPR in 2016, and the tendency for seemingly every piece of new national data privacy legislation to mimic its provisions, the misalignments between PIPEDA and GDPR have become more and more stark, raising questions about Canada’s Data Adequacy rating, especially while the UK’s adequacy application is currently under such scrutiny (more on this later).
So while there is currently no published timeline for its completion and enforcement, there is clear urgency to protect Canada’s practical status with the EU and its overall data privacy reputation on the global stage.
Some of the key improvements (each of which has clear echoes of GDPR principles, and in some cases, even GDPR language):
Consent: CPPA would effectively update the consent thresholds of PIPEDA and CASL from implied to “GDPR strength” explicit (in most scenarios). This is one of the key objectives of CPPA, as informed, affirmative and freely-given consent has become a prerequisite for strong data privacy laws (again, more on this later).
Related to this, legitimate interests for processing that allow consent requirements to be bypassed are also formally defined for the first time in Canadian data privacy law.
Enforcement: The Office of the Privacy Commissioner of Canada (OPC) can currently investigate complaints and make recommendations, but it cannot hand down fines or other punitive measures. The CPPA would give the OPC power to order the immediate cessation of data processing, and to deliver fines of up to 3% of global revenue or C$10 million, rising to 5% of global revenue or C$25 million for the most serious offences. As a reminder, GDPR’s fine framework has a maximum of 20 million Euros (approx. C$31 million), or up to 4% of total global turnover.
Privacy management programs: Canadian organizations will be required to design and maintain privacy management programs that show how the organization will protect personal information, including the creation of policies and procedures, employee training and complaint processes.
Automated decision-making: Similar to GDPR, the CPPA addresses the use of personal data in automated decision-making. CPPA creates a right for Canadians to demand explanations of how automated decisions were made. In contrast, GDPR requires specific consent to be given to allow algorithmic decision-making to take place. This will be a particularly interesting area of discussion as the Bill progresses, as what constitutes ‘transparency’ vs a company’s IP will doubtless be a hot topic.
Data portability/mobility: The CPPA will create a right for Canadian individuals to transfer data from one organization to another.
Right to erasure: Individuals will also be able to require organizations to delete data held on them and to withdraw their consent for its use.
Element #56, Consent, becomes #4
You cannot miss consent as an underlying trend of the article above. There is a clear determination within new major data privacy legislation to protect and define the requirement for businesses to have individuals’ specific, informed and voluntary consent to process their data. On this basis, we felt – as did some of the industry figures with whom we regularly discuss this resource, in the input we received over the last few months – that Consent’s position in the Periodic Table did not do it justice and was not representative of its importance.
We have therefore moved it up the “Lawful Justifications for processing” column to position 4. It’s important to note, however, that our original statement when the Periodic Table was first announced in 2018 remains true: all six of these legal bases are equally valid and powerful. The movement of Consent is simply to reflect its noteworthiness, not its superiority over the others.
Element #115: Brexit
Simply put, it’s still there. While Brexit may be formally concluded, from a data privacy perspective, it is still very much a live issue.
To save repetition, and because the issue requires a fuller explanation than can be given here, we have produced a dedicated resource on the Brexit situation:
How Brexit impacts your data strategy
The data leader’s guide to preparing their data environment for Brexit + a visual guide that shows how Brexit impacts GDPR obligations
Element #67: Project Management replaced with Infosecurity
In reviewing the Periodic Table with some of our industry peers, we have decided to remove Project Management as a key skill.
This is because privacy should not be considered a “project”. To do so insinuates that privacy is a temporary initiative, with a clear end – which is the antithesis of a correct privacy mindset. While the initial set-up of a privacy programme can absolutely be considered a project, we have collectively agreed that organizations ought to be beyond this starting point now, and instead, privacy should be “live”.
This is of course perhaps not true in reality, as many organizations are still regrettably coming to privacy late, but we were regardless keen to make sure the Periodic Table did not propagate the myth of privacy being “a quick fix” rather than a culture to live by.
In its place, we have added “Infosecurity expertise”, pulling this out as its own required skillset, distinct from “Technical Knowledge” in Element #65, and essential for accurate, effective, coordinated and resilient privacy implementation.