The past few years have been challenging for IT and business teams. From implementing the conditions of the European Union’s General Data Protection Regulation (GDPR); monitoring the slow passage of the ePrivacy Regulation (ePR); responding to the revised cookie guidelines of national agencies and preparing for and putting in processes to mitigate the potential implications of the will-they won’t-they Brexit situation in the UK, there’s been a lot to take in.
And, as we take our first steps into 2020, there are a number of developments, already, that could impact how companies manage data in the coming year and beyond.
The international data privacy landscape
The first is the roll-out of comparable legislation elsewhere in the world, such as California’s Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), and India’s Personal Data Protection (PDP) Bill.
The former framework is now live across the Golden State and is being used as a blueprint by other state legislatures, as well as a template for lawmakers on Capitol Hill. If adopted broadly in 2020, EU-based operations with interests in US territory could be required to alter their business processes where legislation differs from the GDPR. At a minimum, this year, they’ll need to meet the individual conditions of state laws.
The Brazilian LGPD, meanwhile, bears a great many similarities to the European GDPR, but goes further on points such as legal bases and mandatory data breach notifications. With its roll-out marked for August 2020, this could require some additional compliance work by organisations with a presence in the country.
In India, changes to data protection laws could potentially impact how organisations move data between their international sites. All three laws resemble elements of the GDPR, in some way or another, and are likely to be joined, in 2020, by burgeoning legislation in countries across Africa and Asia.
The European data privacy landscape
There’s also the determination of the Court of Justice of the European Union (CJEU) on the validity of Standard Contractual Clauses (SCCs) to look out for in 2020.
The headline case, known legally as Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems, has rumbled on for some time, but may now be nearing conclusion. Indeed, last month, we received the non-binding declaration of the EU’s Attorney General on the case, and we now expect to learn the formal position of the Court on this matter, as well as the determination of the EU’s General Court on the future of the Privacy Shield, via La Quadrature du Net v Commission, in the near future.
There is a significant risk that the CJEU may declare data transfer mechanisms based on SCCs invalid. If this happens, many organisations will be left without any practical solution to legitimise the international transfer of personal data outside the European Economic Area, and will be exposed to the threat of GDPR revenue-based fines, regulatory sanctions including injunctions, and third-party claims for compensation.
Further still, if Facebook Ireland’s ability to share data with its US base is struck down in the former case, we could see national-level revisions of practice come into play for data transfers out of a jurisdiction, given that alternatives are limited and often difficult to apply to large-scale transfers.
Another key area to watch out for is cookie management. The publication of new rules by regulators in the UK, France and Germany in the fall of 2019 pre-empted the roll-out of pan-European regulations, via the ePR. And, later this year, many of these new requirements will come into effect across the above-mentioned member states. The CJEU Planet 49 decision, of 2019, made clear that consent cannot be lawfully established via pre-ticked boxes, and the UK’s Information Commissioner’s Office (ICO) was quick off the mark to integrate this into its rule book.
The ICO also published guidance on use of special category personal data and onwards data sharing without explicit consent, and, on 20 December 2019, set out the work it is doing in this area and its next steps.
In France, Germany, and most recently, the Netherlands, too, similar action is underway, with their national authorities each publishing statements explaining how they intend to carry out checks on websites within their jurisdictions, ahead of the introduction of their new rules from the middle of 2020.
Underpinning the majority of this work is the yet-to-be-enacted ePR, and its sister rulebook, the GDPR.
The latter, in particular, has changed the way we think about data, and, since its introduction in May 2018, has sharpened the teeth of national agencies on organisational behaviour and “best practice”.
The fines levied against major tech corporations in 2018 and 2019 are, arguably, the stand-out interventions to date. However, we’ve also seen a rise in enforcement action in Denmark and the Netherlands, as well as in Germany. There’s been growing movement on enforcement across the UK, where, in the past 12 months, fines totalling €3 million have been dispensed by the ICO.
In light of this, and the risk that over-retention poses from a cyber security perspective, initiating a data and records retention strategy should be foremost in the minds of business leaders and their sub-teams in 2020. After all, a large number of organisations drafted policies and processes for the GDPR with very little regulatory guidance.
The environment now, however, is somewhat different — and a year and a half on, many of us may benefit from the supporting documents published by data protection authorities (DPAs) and the European Data Protection Board. Example frameworks organisations can follow include Data Protection Impact Assessments (DPIAs), special category data, automated decision making, and briefings on certain laws, unique to specific areas.
The UK’s ICO and other national agencies across Europe have also produced “appropriate policy documents”, which contain information on processing data across a range of special categories — so it is perhaps, now, a good time to look at existing policies, and to take action to clean up and minimise exposure.
The role of AI in GRC
And, last, but not least, there’s the subject of artificial intelligence (AI).
For many in the tech and IT units of an organisation, there are unwritten rules on the development and use of AI. This is unlikely to hold as we move through the year, and it would be wise for these professionals to now push for a written code of conduct or practice within their organisation.
Support documents to assist with this are available from most European agencies, with businesses in the UK, in particular, set to benefit from a new ‘AI auditing framework’.
This framework will set out the work of the ICO’s investigation and assurance teams, and could provide a useful blueprint on how to comply with and pass possible ‘spot checks’. With new state or European regulation of this area an inevitability, taking action now could make the process of adherence easier in the long run.
So, as we look ahead, there’s a lot to consider in what promises to be a busy 2020.