Each year, the world observes Data Privacy Day on January 28. This international effort recognizes that users are often unaware of how organizations collect, use or share their information, and that some businesses do not take the privacy of their corporate or customer data seriously. In response, Data Privacy Day seeks to inspire dialogue about the importance of privacy for everyone in the digital age.
The theme for Data Privacy Day 2021 is “Own Your Privacy.” Its aim is to help consumers learn how they can protect their privacy as well as hold organizations responsible for respecting the privacy of their customers. This message gives consumers and organizations alike an opportunity to look back on the events that shaped privacy in 2020 with an eye towards the future.
Let’s look back on four events in particular.
CCPA Takes Effect
On January 1, 2020, the California Consumer Privacy Act (CCPA) of 2018 took effect; enforcement by the Attorney General began on July 1, 2020. The Office of the Attorney General for the State of California explains that the CCPA gives California residents more control over their personal information. Specifically, it grants California consumers the right to know what categories of personal information businesses collect about them and how that data is used and shared, the right to have collected information deleted, the right to opt out of the sale of that information, and the right not to be discriminated against for exercising their CCPA rights. Under the law, businesses, data brokers and other in-scope entities must give consumers notices explaining their privacy practices.
The World Moves Beyond Privacy Shield
In July 2020, the Court of Justice of the European Union (CJEU) issued what has come to be known as the “Schrems II” decision. The ruling invalidated the EU-U.S. Privacy Shield framework, finding that U.S. surveillance law did not give EU data subjects protections essentially equivalent to those under EU law, nor effective judicial redress. Standard Contractual Clauses (SCCs) survived as a transfer mechanism, but the court required exporters to assess, transfer by transfer, whether the law of the destination country undermines the protections the clauses promise and, where it does, to put supplementary measures in place. That left many organizations on both sides of the Atlantic unsure how to continue their data transfers lawfully.
The European Data Protection Board (EDPB) took up this issue in November 2020 when it adopted recommendations on supplementary measures for international data transfers. One point stood out in the blog post “A Solution to Schrems II and the Security to Transatlantic Data Flows”: encryption is an effective supplementary measure only when the public authorities of the importing country (and the importer itself) cannot obtain the keys, which in practice means the keys stay under the exporter’s control in the EEA. Using that technical measure and others like it, organizations could build a new privacy framework for transatlantic data flows: classify their data, encrypt it in transit and at rest, store the encryption keys securely and separately from the data, and control who is allowed to use those keys.
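The scenario in which the EDPB regards encryption as effective is the one where the importer holds ciphertext but never the key. As an added example (not code from the EDPB, the blog post cited above, or the page’s author), the Go program below models that arrangement with envelope encryption: each record is encrypted under a one-off data encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that stays with a key custodian on the exporter’s side, and only allowlisted principals may ask the custodian to unwrap. The type and principal names (`KeyCustodian`, `eu-hr-app`, `us-storage-provider`) and the sample record are invented for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is everything the importer (e.g. a US-hosted storage service) is
// allowed to hold: the record under a per-record DEK plus the DEK wrapped
// under a KEK that never leaves the exporter's key custodian.
type Envelope struct {
	Nonce      []byte // AES-GCM nonce for the record
	Ciphertext []byte // record encrypted under the DEK
	WrapNonce  []byte // AES-GCM nonce for the wrapped DEK
	WrappedDEK []byte // DEK encrypted under the KEK
}

// KeyCustodian models the key store the exporter keeps in its own
// jurisdiction. Only principals on the allowlist may unwrap a DEK.
type KeyCustodian struct {
	kek     []byte
	allowed map[string]bool
}

// NewKeyCustodian generates a random 256-bit KEK and records who may use it.
func NewKeyCustodian(allowed ...string) (*KeyCustodian, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	kc := &KeyCustodian{kek: kek, allowed: map[string]bool{}}
	for _, p := range allowed {
		kc.allowed[p] = true
	}
	return kc, nil
}

// seal encrypts plaintext with AES-256-GCM under a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// open decrypts and authenticates; any change to the ciphertext is rejected.
func open(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// Encrypt runs on the exporter side before anything leaves the EEA: make a
// DEK, encrypt the record, wrap the DEK under the KEK, drop the plaintext DEK.
func (kc *KeyCustodian) Encrypt(record []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, record)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kc.kek, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedDEK: wrapped}, nil
}

// Decrypt is the only path back to plaintext and is gated on the caller's
// identity; an importer that holds just the Envelope gets nothing.
func (kc *KeyCustodian) Decrypt(principal string, env *Envelope) ([]byte, error) {
	if !kc.allowed[principal] {
		return nil, errors.New("access denied: " + principal + " may not unwrap keys")
	}
	dek, err := open(kc.kek, env.WrapNonce, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Nonce, env.Ciphertext)
}

func main() {
	kc, _ := NewKeyCustodian("eu-hr-app")                               // constructed allowlist
	env, _ := kc.Encrypt([]byte("Max Mustermann, born 1985-03-02")) // constructed record
	_, err := kc.Decrypt("us-storage-provider", env)
	fmt.Println("importer:", err)
	pt, err := kc.Decrypt("eu-hr-app", env)
	fmt.Println("exporter:", string(pt), err)
}
```

The point of the split is that the importer’s copy is useless without a round trip to the custodian, so a compelled disclosure of the stored data yields only ciphertext; AES-GCM also rejects any tampering with the stored envelope. In production the custodian role is played by an HSM or a cloud KMS in the exporter’s jurisdiction, with the allowlist replaced by that service’s access policy and audit log.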
California Passes CPRA
California voters passed Proposition 24, the California Privacy Rights Act (CPRA), on November 3, 2020. CPRA amends and expands the CCPA in several ways; most of its provisions become operative on January 1, 2023, with enforcement beginning July 1, 2023. As noted in a recent blog post, “CPRA Becomes the New Standard. Are You Ready?,” CPRA’s changes further protect California consumers’ personal information and highlight the importance of specifically safeguarding children’s privacy.
CPRA also includes two other notable changes for businesses that collect California consumers’ information. First, it defines a new category, Sensitive Personal Information (SPI), that is broader than the sensitive-data definitions in earlier U.S. privacy laws; it covers items such as government identifiers, account credentials, precise geolocation, racial or ethnic origin, religious beliefs, the contents of private communications, and genetic, biometric, health and sexual-orientation data. SPI comes with additional rights for consumers (notably the right to limit its use and disclosure) and additional compliance burdens for organizations. Second, it creates the California Privacy Protection Agency (CPPA), charged with enforcing CPRA and empowered to impose fines and penalties on violators. It is the first agency in the United States whose sole mission is to uphold consumers’ privacy rights.
GDPR Fines Increase
At the beginning of 2021, DLA Piper reported that European regulators had imposed a cumulative $332.4 million in fines for infringements of Europe’s data protection requirements, including the General Data Protection Regulation (GDPR), since it took effect in May 2018. The multinational law firm also counted 281,000 data breach notifications to regulators over the same period. In the most recent 12-month survey period, regulators received an average of 331 breach notifications per day, up 19% on the previous year.
Organizations and Consumers Can Defend Their Privacy
The events of 2020 will no doubt shape privacy for the months and years ahead, but organizations and users need not wait for further clarity to take privacy seriously. The National Cyber Security Alliance (NCSA) recommends that individuals consider whether they want to share their data with a given business and weigh that against what they receive in return. Individuals should also be wary of apps that request more information than they need, and should manage the privacy and security settings on their devices and accounts to keep their data safe.
Simultaneously, organizations need security measures that keep stored information safe and protect it against unauthorized access. To that end, they can adopt a privacy framework for managing privacy risk and use it to assess the privacy risks in their own data handling. Finally, organizations should heed the NCSA by being transparent with their customers and maintaining oversight of the partners and vendors that handle their data.