Horizon 2020

2019 saw antitrust regulators promising to use competition law to regulate the collection and use of personal data. This shift is potentially fundamental, as it represents an effort to block certain data collection and uses in themselves, rather than merely regulate how those practices are disclosed or how data is secured.

Major decisions: further challenges expected to EU/US data transfers

In December 2019 the EU Advocate General issued an opinion recommending that the Court of Justice of the EU uphold the validity of the “standard clauses”, key mechanisms businesses use to transfer personal data from Europe to the US. Max Schrems, a notable privacy advocate, had challenged them on the grounds that they provide inadequate protections for Europeans in light of US government surveillance programs. In doing so, Mr Schrems also questioned the validity of the EU-US Privacy Shield, another critical framework for transferring data across the Atlantic.

Mr Schrems had previously sunk the Privacy Shield’s predecessor, Privacy Safe Harbor, although this time the Advocate General avoided ruling. Nonetheless, the opinion (if confirmed) leaves open other avenues for the Privacy Shield to be challenged. In 2020 we can expect to see additional attacks on transfers of data to the US, together with an EU initiative to revamp its standard clauses in line with the GDPR. Any of these developments could fundamentally change how companies transfer European personal data outside Europe’s borders.

Legislation: is this the year we see movement on US privacy law?

There are likely to be major developments in privacy laws around the world in 2020, with more jurisdictions set to adopt regimes inspired by the GDPR model.

Brazil’s privacy legislation modelled on GDPR – the LGPD – comes into effect in August 2020. Likewise the implementing regulations and technical standards for China’s cybersecurity framework (with its onerous data localization requirements), and the associated Cybersecurity Multi-level Protection Scheme may also be finally brought in this year.

The biggest movement, however, could be in the US. The California Consumer Privacy Act (CCPA) came into force on January 1, 2020, with enforcement starting six months later. Some aspects of the law are familiar from GDPR and other privacy regimes, such as the requirement for transparency around data practices and the granting of rights to Californian data subjects to access, control and delete their personal data. But unlike previous laws, the CCPA tends to focus on the “sale” of data. Its definition of “sale” is unconventional, confusing and broad, and depending on how it comes to be interpreted by the Attorney General and the courts, may pose major headaches for business.

Even as companies work to implement the CCPA as it stands, the ground is already shifting. Alastair MacTaggart, a major mover behind what became the CCPA, is promoting a ballot measure in California’s 2020 election that would create a California Privacy Protection Agency and impose additional requirements around targeted advertising, children’s data, automated decision-making by businesses and the use of personal information by political campaigns. Meanwhile, legislators in Washington state have proposed laws falling somewhere in between the CCPA and GDPR; after early versions failed to pass the legislature, a new proposal is making the rounds that includes ad targeting and facial recognition among its focus areas.

We may also see movement at the federal level in 2020. Democratic and Republican senators in November 2019 introduced competing proposals for a new federal privacy law, both of which would adopt key elements of GDPR/CCPA including by introducing transparency requirements and providing data subjects with rights over their data. Both bills also agreed on who would enforce the law (the FTC), but where they did not agree was on whether to provide a private right of action and whether to pre-empt state laws such as the CCPA.

In December the House Energy and Commerce Committee introduced a bipartisan bill adopting the points of agreement, while avoiding the areas of divergence. Whether any of these bills make it into law remains to be seen, but the flurry of activity and apparent cross-party convergence around certain themes seem to presage faster movement on a US-wide privacy law than had previously been expected.