As 2021 comes to a close, so does our 12 Days of Data series, but we will see you on the other side in 2022 with more posts on the top privacy and data protection issues. 2021 was an interesting year. While vaccinations spread and some sense of normalcy started to return, new strains of COVID-19 led to additional waves of shutdowns that stalled many of the debates. In 2022, we anticipate that the move toward a new normal will continue, and we will once again start to see traction on some of these data, privacy, and cybersecurity issues. As a preview, here are some of the key areas where we expect to see potential developments in 2022.
New privacy laws at home and abroad
As we discussed at length in an earlier post in this series, 2021 saw significant movement at the state level to consider and, in a few cases, actually pass comprehensive privacy bills. While only Virginia and Colorado joined California in passing a comprehensive law this year, many other states were weighing proposals at the end of 2021, which may be renewed in future legislative sessions. Some of these proposals—like the Massachusetts Information Privacy Act and the New York Privacy Act—go beyond the current bills and would raise the bar for the discussion of a potential federal privacy law, especially when considering the issue of preempting state laws.
Most of these laws continue to replicate a notice-and-choice paradigm that is routinely criticized for failing to build trust with consumers and simply leading to more complex boilerplate terms. A few laws have pushed novel ideas, such as data fiduciaries, but, as 2021 closes, there is little consensus as to the best way to legislate in a way that allows for a personalized web experience when desired and a private experience for others without undermining the Internet’s ability to deliver free services and information.
In countries around the globe, such as Australia, Canada, and India, debate continues over new privacy laws or changes to existing privacy laws that will impact companies with global operations. Many of these laws incorporate elements that could make it more difficult for U.S.-based entities to conduct business across borders, which leads us to our new mega-trend for 2022.
Cross-Border Data Transfers, Data Sovereignty, and the Potential SplinterNet
While the World Wide Web has been a leading driver of globalization for more than two decades, new restrictions on data transfers and data sovereignty requirements threaten to segment the Web into gated kingdoms where data cannot flow freely between geographic borders. We expect this fundamental issue to arise in a few different contexts in 2022.
First, the U.S. and EU are still grappling with the problem of negotiating an agreement that will satisfy the European Court of Justice (“ECJ”) and allow for free transfers of data after the ECJ’s Schrems II decision from 2020 invalidated the EU-U.S. Privacy Shield. While many had hoped for more clarity in 2021, none has emerged. The ECJ continues to express concerns about surveillance and data access by law enforcement and other government entities in the U.S., despite the prevalence of similar legal regimes across Europe—some of which the ECJ has also found lacking. None of the privacy legislation we saw in 2021 made a serious push to address those concerns. It will be interesting to see whether the U.S. and EU can make any progress on a negotiated system for free data flows without directly confronting the surveillance question.
To complicate this issue even more, China and Russia have both implemented strict data sovereignty requirements, and many of the new privacy laws and legislative proposals being considered around the globe incorporate some notion of data sovereignty that could make it increasingly difficult for companies to engage in global business.
As we close 2021, we see the U.S. model of consumer protection, the EU model of human rights, and the Chinese model of data sovereignty all in stiff competition. It will be interesting to see whether 2022 brings solutions for enabling global data flows or further segmentation along geographic boundaries.
The End of the Password and Next Level Cybersecurity?
In 2021, the repeated waves of ransomware attacks raised the cost of poor cybersecurity practices, leading to significant scrutiny of whether the password has outlived its effectiveness. With threat actors developing new and innovative methods for stealing or cracking passwords, businesses and industry groups have been developing increasingly onerous password complexity requirements and mandating more frequent password changes. These demands have led individuals to need systems for storing and remembering passwords—at best this can look like a secure password manager (which itself becomes a honeypot of credentials), and at worst it can look like a sticky note attached to a laptop, visible to anyone with physical access. The growth of business email compromises in 2021 was only further proof that the password is no longer a sufficient gatekeeper. Without another layer of protection, like multi-factor authentication, companies were exposed to even the least sophisticated phishing attacks.
These developments have led companies to incorporate other measures for log-in, even for consumers. Many consumer email providers, social media sites, and other online account providers now offer a log-in option that requires a second factor—often in the form of a code sent to a known cell phone number or email address—before the consumer can log into the account. In 2022, we could see more companies apply this approach or even provide the option to abandon the password entirely, relying only on a rotating security key or biometric factors like facial, fingerprint, or voice recognition that eliminate the need for a password or other verification code altogether.
Biometrics and Facial Recognition
With this increased desire for the use of biometric data, companies must be cognizant of their compliance with the state biometric privacy laws—in Illinois, Washington, and Texas—that have matured in the last couple of years. As with comprehensive privacy laws, other states considered biometric-specific laws in 2021, which we could see return in 2022 legislative sessions.
As the only state law with a private right of action, the Illinois Biometric Information Privacy Act (“BIPA”) is the most actively litigated of these statutes, and several 2021 cases further refined its scope and applicability. In May 2021, the Illinois Supreme Court ruled that a business owner’s liability insurance policy provider was required to defend the business against claims that the business collected and stored consumers’ fingerprints in violation of BIPA. This decision could affect the way that insurance policies are written, given that BIPA may not have been in place or a consideration when the policies were originally drafted. Businesses that use biometric data will need to review such policies carefully if they expect such claims to be covered going forward.
In another key BIPA case from December 2021, the Illinois Appellate Court held that BIPA claims accrue every time that biometric information is collected, not just the first time it is collected. While the court did not specifically address the issue, this ruling could prompt claims that accrual at each collection results in multiple violations of BIPA per plaintiff, which would further compound BIPA’s already significant statutory damages of $1,000 or $5,000 for “each violation.” The court did not discuss how this ruling could affect the calculation of damages, limiting its decision to whether the claims were time barred. In a similar case, the Seventh Circuit certified the question of BIPA violation accrual to the Illinois Supreme Court. We expect to see that decision in 2022. These decisions could lead to additional activity from an already active plaintiffs’ bar in this area, and we will be watching closely for further developments in the coming year.
Artificial Intelligence / Machine Learning
The mass processing of biometric and other data will take on increasing urgency as more of the everyday experience of consumers and employees is shaped by complex algorithms that control any number of aspects of the world we experience. Academic literature continues to warn of the need to confront the underlying bias in training data sets so that old prejudices will not follow us into the future.
At the same time, the exceptional potential social benefits of automated analysis of massive data sets will force regulators to recognize the use of data for good, even as they struggle to evaluate and approve systems that will drive the new wave of advances in FinTech and Digital Health when those systems learn, grow, and change in ways that can lead to novel insights. We hope that 2022 will lead to thoughtful approaches that preserve the benefits of these technologies in our world.
Augmented Reality / Virtual Reality
Blockchain technologies, from cryptocurrency to gaming platforms, will continue to rise in 2022. The role of cryptocurrencies in the financing of ransomware and their continued extreme volatility will continue to pose existential challenges, particularly after China and other countries have made use of the currencies illegal. Nonetheless, the potential for Blockchain to decentralize power on the Internet looms large on the horizon as a potential paradigm shift that could define the decade.
* * * *
Whether legislatures and regulators will get ahead of the curve on these advances remains to be seen, but our best bet is that the path of the law, for better or worse, will continue to trail the advance of technology. In either case, you can be sure that Ropes DataPhiles will continue to provide thoughtful perspectives on the worlds of data, privacy, and cybersecurity as we step into 2022.