The Privacy, Data Protection and Cybersecurity Law Review: Global Overview
Privacy law has propagated impressively around the globe since the United States enacted the world's seminal statutes, namely the Fair Credit Reporting Act in 1970 and federal Privacy Act of 1974. While growth of the field has been steady, it has also been amazingly dynamic.
The top leaders of the free world signalled the essentiality of 'privacy' in the communiqué they issued at the conclusion of the Carbis Bay meeting of the G7 in the United Kingdom on 13 June 2021. Specifically, they committed to 'championing data free flow with trust, to better leverage the potential of valuable data-driven technologies while continuing to address challenges related to data protection'.
The Presidents and Prime Ministers of the world's most prosperous democracies, alongside the Presidents of the European Commission and Council, emphasised their strongly held, shared values on privacy and data protection. They expressed a mutual desire to enhance coordination, promote innovative technology, develop global norms and standards, and harmonise principles of data collection. These leaders said:
[w]e will work together . . . as part of an ongoing agenda towards a trusted, values-driven digital ecosystem for the common good that enhances prosperity in a way that is sustainable, inclusive, transparent and human-centric. In doing so we will make it a sustained strategic priority to update our regulatory frameworks and work together with other relevant stakeholders, including young people, to ensure digital ecosystems evolve in a way that reflects our shared values. We commit to preserve an open, interoperable, reliable and secure internet, one that is unfragmented, supports freedom, innovation and trust which empowers people. If used properly, technologies can help us strengthen health capacities, tackle environmental threats, widen access to education and open new economic opportunities. We will leverage these technologies to advance tech for the common good and promote digital literacy worldwide. We will strengthen coordination on and support for the implementation and development of global norms and standards to ensure that the use and evolution of new technologies reflects our shared democratic values and commitment to open and competitive markets, strong safeguards including for human rights and fundamental freedoms. We also affirm our opposition to measures which may undermine these democratic values, such as government-imposed internet shutdowns and network restrictions. We support the development of harmonised principles of data collection which encourage public and private organisations to act to address bias in their own systems, noting new forms of decision-making have surfaced examples where algorithms have entrenched or amplified historic biases, or even created new forms of bias or unfairness.
To advance global norms and standards for privacy and digital regulation, the Digital Ministers of the G7 nations expressed a commitment 'to identify commonalities in regulatory approaches'. They tasked the UK's Information Commissioner to spearhead multilateral initiatives (in 2021) in support of international regulatory cooperation on privacy. The Digital Ministers agreed to:
a BUILD . . . [a] 'project on data governance for growth and well-being' and 'Mapping commonalities in regulatory approaches to cross-border data transfers'. We will highlight best practice case studies, enhance cooperation on data governance and data protection, identify opportunities to overcome differences, explore commonalities in regulatory approaches and promote interoperability between members.
b ORGANISE an event . . . led by the UK's Information Commissioner's Office. The event, to take place in 2021, will consider regulatory cooperation with a potential focus on innovative approaches, enforcement of regulation and regulation enabling cross-border data flows.
c ORGANISE a separate cross-sectoral regulators' event in 2021, that will bring together Data Supervisory Authorities and/or other competent authorities for data, and other regulators from across the digital sphere to share best practice and support international cooperation.
In addition to this promising G7 activity, the President of the United States and leaders of the European Union also committed to regulatory cooperation on data governance, cybersecurity and privacy at their summit on 15 June 2021. They committed to work together 'to ensure safe, secure, and trusted cross-border data flows that protect consumers and enhance privacy protections, while enabling Transatlantic commerce'. The leaders also resolved to boost cybersecurity information sharing as well as cybersecurity certifications for products and software.
The joint summit statement provided numerous, encouraging signals regarding a strongly shared desire to ameliorate US–EU tensions on privacy and data protection and 'strengthen legal certainty in Transatlantic flows of personal data'. The leaders committed to:
avoid new unnecessary technical barriers to trade; to coordinate, seek common ground, and strengthen global cooperation on technology, digital issues, and supply chains; . . . to cooperate on compatible and international standards development; to facilitate regulatory policy and enforcement cooperation and, where possible, convergence; to promote innovation and leadership by U.S. and European firms.
The US–EU statement described the US and EU as a community of '780 million people who share democratic values and the largest economic relationship in the world'. The two jurisdictions decided to kick-start effective cooperation on technology matters by establishing a high-level US–EU Trade and Technology Council (TTC). The new TTC is intended to promote convergence and innovation on digital issues.
The TTC will focus initially on technology standards cooperation for artificial intelligence, the internet of things, other emerging technologies, data governance and technology platforms.
Given these commitments from heads of state and ministers, privacy and digital governance are unmistakably ensconced among the top objectives of the free world. Moreover, the world's democracies are manifestly inclined to cooperate on finding commonalities and convergence, 'strengthen[ing] legal certainty', and promoting both privacy and innovation for their citizens. This is good news indeed for the future of international digital governance.
The world's top democratic leaders have also demonstrated that their conception of 'privacy' is broad and elastic: it subsumes far more than personal data protection. They now look to 'privacy' to provide the governance framework for addressing the broader social challenges of emerging technology.
And, in what may be among the year's most surprising twists, the People's Republic of China adopted a comprehensive privacy law this year. The Wall Street Journal's headline of 20 August 2021 described this shocking development as follows: 'China Passes One of the World's Strictest Data-Privacy Laws: China's once-freewheeling internet faces new rules protecting personal data, as the world's largest online population awakens to privacy concerns'.
China's new Personal Information Protection Law, which takes effect on 1 November 2021, is said to be patterned after the European Union's General Data Protection Regulation (GDPR) insofar as it entails requirements for prior consent to and minimisation regarding the collection of personal data. Based on press reports, the law apparently also requires prominent notice of public facial recognition cameras, and transparency and fairness regarding automated decision-making. Supposedly it will require the ability to opt out of personalised marketing and it addresses the issue of 'algorithmic discrimination'. Like the GDPR, the new Chinese law provides for potentially enormous fines for privacy violations, which apparently may go as high as 5 per cent of a company's business income for the prior year.
Time and actual experience will tell whether the privacy law enacted by perhaps the world's most intrusive surveillance state can be taken at face value and if it will live up to the Wall Street Journal's advance billing. But the very fact that China passed a major law to protect personal data demonstrates there is no stopping the international movement toward privacy.
The US has also been a hotbed of privacy developments. Indeed, privacy law has been a moving, and growing, target among the 50 states and the federal government.
It was California that first imported the GDPR into American law. It started with the California Consumer Privacy Act in 2018, which was substantially overhauled and tightened only two years later by the California Privacy Rights Act of 2020.
In 2021, the states of Virginia and Colorado adopted comprehensive privacy laws based on the California and GDPR models. All of these laws entail similar individual (i.e., 'data subject') rights to access, delete, correct, port out their personal data, and to varying degrees, to opt out or limit the sale of personal data, targeted advertising, and legally or materially significant profiling.
The new laws generally obligate companies that control the collection and use of personal data to discharge the following duties: transparency (essentially, privacy notices that meaningfully describe what personal data is collected, for what purposes, and with what entities it is shared); purpose specification (i.e., the specific reasons why the data is collected); limitation of secondary uses that are incompatible with the specified purposes; data minimisation; avoidance of unlawful discrimination; heightened consent, assessment and documentation requirements for processing sensitive data; and, like the GDPR, requirements to memorialise controls imposed on third-party data processing in written contracts.
These new state laws will go into effect in 2023. Nevada also expanded its privacy law in 2021. Though Nevada's privacy law does not qualify as comprehensive, the amendments broaden consumers' right to block the sale of their personal information to third parties, and like in California and Vermont, Nevada's new law will regulate data brokers, namely 'persons whose primary business is purchasing covered information about consumers with whom the person does not have a direct relationship . . . and making sales of such covered information'.
Significantly, only California has created a new enforcement agency with jurisdiction over data protection, the California Privacy Protection Agency. And only California has granted individuals a private right of action to sue companies for violations of the state's privacy law. (Even then, California only provides a private right of action limited to suing over personal data breaches that result from a company's failure to implement reasonable data security practices.) The other states with new privacy laws will continue to rely on enforcement by existing officials such as attorneys general or, in the case of Colorado, local district attorneys in addition to the state attorney general.
It should also be noted that in 2021 the Uniform Law Commission in the US finalised its version of model legislation (i.e., a consensus template) that could be adopted in full by any state that chooses to do so. The Commission's Uniform Personal Data Protection Act (UPDPA) is generally comparable to the laws of California, Virginia and Colorado, but is considered to offer a somewhat lower compliance burden and, thus, may be more business- and innovation-friendly. The UPDPA is modelled to some extent on the federal Privacy Act of 1974, and only applies its data protection regulatory requirements to personal data that a company maintains in a 'system of records' that it uses to retrieve data about individuals for purposes of making individualised communications or decisions.
Interestingly, the UPDPA stipulates specific data practices that are prohibited. Providing a list of prohibited practices is useful because it could focus the regulator's mind on data-related risks that are truly injurious or actually unfair. Targeting regulation and enforcement at well characterised injuries, rather than at illusory or hyper-technical ones, helps avoid the risk of over-regulation. As the US Supreme Court confirmed again in 2021, in TransUnion v. Ramirez, some data practice failures (like inaccurate information that is never communicated outside of an internal database and never affects anyone) may not give rise to legally actionable harm.
The list of prohibited practices articulated by UPDPA is instructive as to what data practices could give rise to genuine harm to individuals:
Processing personal data is a prohibited data practice if the processing is likely to:
- subject a data subject to specific and significant: (1) financial, physical, or reputational harm; (2) embarrassment, ridicule, intimidation, or harassment; or (3) physical or other intrusion on solitude or seclusion if the intrusion would be highly offensive to a reasonable person;
- result in misappropriation of personal data to assume another's identity;
- constitute a violation of other law, including federal or state law against discrimination;
- fail to provide reasonable data-security measures, including appropriate administrative, technical, and physical safeguards to prevent unauthorised access; or
- process personal data without consent in a manner that is an incompatible data practice.
The Commission's effort could be significant. It is a highly respected body that previously drafted, for example, the Uniform Commercial Code and the Uniform Fiduciary Access to Digital Assets Act, both of which have been adopted in nearly every state.
In any event, with all this state-by-state and model-law drafting activity, it can be stated with confidence that the US Congress will continue to cogitate over federal, comprehensive legislation.
During the next year we will see whether the US federal government can catch up with states and deliver comprehensive legislation, whether the UK's Information Commissioner and the US–EU TTC will deliver on their respective mandates to develop and harmonise global standards and norms for privacy, and whether China will deliver on the potential of its strict new privacy law – or whether it will merely deliver more domestic surveillance and dominion over foreign and domestic technology companies.
As always, in the year ahead there will be both promise and peril for the future of privacy. But the increasing focus on commonality, convergence, harmonisation and innovation is certainly a good sign.
1 Alan Charles Raul is a partner at Sidley Austin LLP.