As we stand at the beginning of 2021 and a new presidential administration, we look back on the year behind us. Hindsight is always 2020, and 2020 may be best viewed in hindsight. We saw rapid changes in the privacy space, prompted in part by the global COVID-19 response. Infrastructure and services across multiple sectors continue to rely on data and digital platforms to function. Five prominent developments shaped the data privacy environment in 2020.
- State and Local Privacy Legislation
At the state level, the California Privacy Rights Act (CRPA), which builds on the California Consumer Privacy Act (CCPA), was passed in November 2020 and will be effective Jan 2023. The CRPA codifies some principles from the General Data Protection Regulation (GDPR), such as data minimization and storage limitation, and gives consumers new rights while amending existing rights under the CCPA. Other notable state developments include the proposed New York Privacy Act, which explores the concept of a data fiduciary, and a third version of the proposed Washington Privacy Act. Expect both of these to return.
There is continued interest in developing a federal, non-sectoral data privacy law, although there is disagreement about whether such a law should include a private right of action, and whether it would preempt state laws with stronger privacy protections. Federal developments are likely to mirror ongoing state level deliberations about the scope and impact of privacy laws. These bills may be shaped by the newly elected Democratic-led Senate. In addition, it is likely that incoming administration will prioritize privacy, especially since Vice-President Elect Kamala Harris was a vocal proponent of stronger privacy laws during her tenure as California’s Attorney General.
- U.S. Regulatory and Enforcement Action
Coming off the heels of its 2019 settlement with Facebook for $5 billion, the largest civil penalty ever imposed by the Federal Trade Commission (FTC) for a violation of consumer privacy, in 2020, the FTC continued to actively review big tech’s data and security practices using its powers to regulate unfair and deceptive trade practices, as provided under Section 5 of the FTC Act. In November, after months of investigation, the FTC reached a settlement with Zoom, which required Zoom to enhance its security practices and maintain a comprehensive information security program. And just last month, on Dec. 14, 2020, the FTC issued 6(b) orders to nine social media and video streaming companies, requesting disclosure of their data collection, use, retention, and advertising practices.
- Cross-Border Data Transfers
The GDPR’s prohibition on transferring data outside the EEA without adequate safeguards has raised questions about the compatibility of varying data protection regimes worldwide, and the impact of inconsistent laws on data-heavy commercial activity.
On July 16, 2020, the Schrems II decision invalidated the EU-US Privacy Shield, which for several years was a Safe Harbor companies relied on for cross-border data transfers between the EU and the U.S. In response, the Department of Commerce released a white paper advising on post-Schrems II data transfers. The paper noted that companies could continue to rely on Standard Contractual Clauses (SCCs) but would need to independently assess, on a case-by-case basis, whether foreign data security laws meet EU standards. The paper also notes that the Court of Justice of the European Union (CJEU) did not consider many post-2017 Foreign Intelligence Surveillance Act (FISA) § 702 amendments as it was not on the record. Nonetheless, Schrems himself has continued to call on the US government to strengthen FISA § 702 privacy protections. The U.S. is expected to continue working with the EU to develop a feasible compliance plan, and the EU is expected to continue to be bond by the CJEU’s approach which is equally problematic for EU and US surveillance.
Globally, countries will continue to explore international data transfer safeguards to minimize any disruption on commerce. In the past few years alone, the Cyberspace Administration of China (CAC) published new guidance for data transfers outbound from China, and Japan’s Personal Information Protection Commission and the EU recently adopted mutual adequacy decisions allowing the transfer of personal data between the EEA and Japan. China’s approach in particular merits attention as it represents a resurgent self-reliance in China that focuses not on human rights or contracts, but the ability of the State to control the data in its borders – Data Sovereignty as we and many others have named it.
- Health and Biometric Privacy
There is increased interest in regulating corporations’ and governments’ use of biometric information. Illinois, Washington, and Texas have state biometric privacy laws, and the Illinois Biometric Information Privacy Act (“BIPA”) provides a private right of action for consumers. Several other states added biometric data to their definitions of personal information in respective state privacy laws, including the New York SHIELD Act. Local governments, such as Somerville, Massachusetts, and San Francisco, California, also passed laws prohibiting city department (including police) use of facial recognition technology.
Throughout 2020, the U.S. Department of Health and Human Services (HHS) has also been actively amending the Health Insurance Portability and Accountability Act (HIPAA) rules to accommodate the increased administration of healthcare over digital platforms such as telemedicine and mobile applications. As recently as Dec. 10, 2020, HHS proposed amendments to the HIPAA Privacy Rule with the goal of alleviating regulatory barriers to coordinated care and strengthening individuals’ right to access their own health information. HHS is expected to continue revising health privacy regulations in light of the growing overlap between the healthcare and technology fields.
With respect to HHS leadership, President-Elect Biden recently nominated California Attorney General Xavier Becerra to serve as HHS Secretary for his administration. Given that Becerra’s office led efforts to finalize the regulations for the CCPA, it will be interesting to see how Becerra, if confirmed, will use his experience to develop healthcare privacy laws.
- National Security and Cybersecurity
Law enforcement access to encrypted devices continued to be a heavily debated issue in 2020. At present, end-to-end encryption prevents government officials from obtaining electronic evidence collected by companies about their users in the course of government investigations or litigation. The law enforcement community views such encryption as a barrier undermining national security, whereas privacy advocates worry about the effect of such access on civil liberties, arguing that government surveillance has and will likely exceed the scope of any regulation. This debate started with the mid-1990s Clipper Chip, and it has changed little since then.
This debate left lawmakers divided about whether to reauthorize Section 215 of the Patriot Act, which expired on March 15, 2020 without renewal. Policymaking was active in this area months before Section 215 was set to expire, with Attorney General Barr proposing the EARN IT Act, which would give the government special access to users’ private online messages, and Senators Graham, Blackburn, and Cotton introducing the Lawful Access to Encrypted Data Act, which would allow the Justice Department to require service providers to decrypt data upon request.
On the cybersecurity front, courts have been grappling with the scope of anti-circumvention laws such as the Computer Fraud and Abuse Act (CFAA). Notably, the Ninth Circuit’s ruling in HiQ v. LinkedIn notes that automated scraping of publicly accessible data does not violate the CFAA, and the Supreme Court’s decision in Van Buren v. United States may resolve a circuit split on whether a person “exceeds authorized access” of a computer simply as an unauthorized person, or whether it extends to authorized users accessing it for unpermitted uses.
Finally, as the use of interconnected Internet of Things (IoT) applications continues to grow, the IoT Cybersecurity Improvement Act of 2020 has directed NIST to release minimum security standards for the use of such devices in government contracts, though these guidelines will heavily influence the private sector as well. These regulations are expected to build on the NIST Privacy Framework released in January 2020, which sets more general enterprise risk management standards for vendors with government contracts.
For more information or to discuss privacy or data security issues generally, please contact a member of our Data Practice group or visit https://www.ropesgray.com/en/practices/data-privacy-cybersecurity.