This article by partner Rohan Massey and associate Edward Machin was published by Law360 on February 25, 2019.
2018 was the year that data protection went mainstream. Having once been a topic that most folks treated with a combination of ignorance and inconvenience — “I have to read another privacy policy?” — by the year’s end the concept of privacy had firmly entered the public consciousness. Widely viewed congressional hearings on the misuse of personal data, a series of high-profile security breaches at Fortune 500 companies and an episode of “60 Minutes” dedicated to how a European law is influencing U.S. legislators all helped privacy and data security rise to the top of the public, corporate and legislative agendas.
There was also the small matter of the EU General Data Protection Regulation, which took effect on May 25, 2018, and dominated the privacy landscape for the rest of the year. While the penalties for getting it wrong — up to the greater of €20 million or 4 percent of annual worldwide turnover — generated most headlines, it was the day-to-day challenges of meeting the new and heightened requirements of the GDPR that most focused the minds of attorneys, compliance officers and in-house counsel alike.
This focus will continue in 2019. If anything, developments on both sides of the Atlantic mean that this year will likely prove to be even more important than 2018, as regulators start to aggressively enforce the GDPR while at the same time focusing on the development of related areas such as cookie compliance and cybersecurity.
This article sets out five predictions for the year. We have not included Brexit — as, at the time of writing, it is still unclear whether the United Kingdom will leave the EU with a no deal (or “hard”) Brexit or a negotiated (or “soft”) Brexit. Alternatively, the U.K. may hold a second referendum (the so-called People’s Vote) on whether to remain in the EU after all. The data protection implications for each of these options vary: from significant change, to some change, and no change, respectively. Needless to say, organizations that export data from the U.K. to countries outside the EU, or to the U.K. from the EU, should follow Brexit developments closely.
EU Regulators Show Their Teeth
In late January 2019, the French data protection authority — the Commission Nationale de l’Informatique et des Libertés, or CNIL — fired the starting gun on GDPR enforcement by fining Google €50 million for breaching its rules on transparency and consent. Although half a dozen small actions were brought in 2018, the size and scope of the Google penalty confirmed that a new era of privacy enforcement in the EU had begun. We expect other data protection regulators (particularly those in Germany, Ireland, Italy and the U.K.) will follow suit. While the Google fine may not be matched for some time, penalties of up to €10 million are likely to become commonplace in the coming 12 months.
Schrems, Again
2019 is set to be the biggest year in international data transfer compliance since 2015, when the European Court of Justice struck down the U.S. Safe Harbor. Notwithstanding the outcome of a final appeal by Facebook to the Irish Supreme Court in mid-January 2019, the CJEU will hear and rule on a challenge to the European Commission’s standard contractual clauses, or SCCs — the most popular mechanism used by organizations to export personal data from the EU. The SCCs are being challenged by the same Austrian privacy activist (Max Schrems), and on the same grounds (that U.S. law does not protect EU citizens’ personal data against NSA mass surveillance programs), that invalidated the Privacy Shield. As a result, it would not be a surprise if the CJEU struck down the SCCs in their current form at some point in 2019.
Local, but Global
The ubiquity of cloud computing highlights the impact of, and potential conflict with, data localization laws, which restrict the storage of data to within a particular territory. This tension is not new, and localization laws are already in place in Australia, Canada, China, Indonesia, Russia and Vietnam, among others. However, it again came to the fore in 2018, with vocal pushback from U.S. technology firms and industry bodies against India’s new localization rules, which took effect in October. As more countries look at localizing data storage, the often-competing interests of national governments and international businesses will continue into 2019 and beyond. As a result, we are likely to see an increasingly divergent approach to data governance globally (extraterritoriality versus localization) while potentially also creating additional cost, complexity and uncertainty for multinationals.
No Place to Hide
The cliché that businesses fall into one of two camps — those that have been hacked, and those that have been hacked but just don’t know it yet — became obsolete in 2018, as high-profile data breaches occurred on almost a weekly basis. The fallout from these events will intensify this year, as cyber compliance and enforcement becomes one of the key priorities — arguably, the key priority — for regulators around the world. This challenge is compounded by the fact that cybersecurity is not limited to personal data, but can encompass confidential information, financial data and trade secrets, amongst other things. Given how vulnerable many businesses are to cyber attacks, we expect that the largest GDPR fines issued this year will relate to inadequate security measures, most likely as the result of a large-scale personal data breach.
GDPR Lifts All Boats
If imitation is the sincerest form of flattery, EU legislators will have plenty to blush about in 2019. The GDPR has already influenced lawmakers globally, and this will continue in the months ahead. Argentina and India are in the process of passing legislation that includes key GDPR concepts (accountability and data protection officers, among others), while the California Consumer Privacy Act, which takes effect on Jan. 1, 2020, similarly reflects the spirit and purpose of the GDPR. There will — and should — be local variances in how legislation is tabled and enforced around the world. Nevertheless, we expect that the GDPR will represent the benchmark for many legislators as they draft their countries’ privacy laws in 2019.