2021: Data Privacy Law Trends

Expert Panel Discussion Covered Big Trends in Global Data Privacy Laws

TrustArc’s Privacy Risk Summit 2021 brought together more than 40 experts to share their insights and best practices on managing data privacy protection in the fast-changing regulatory landscape.

Our Privacy Law Trends: The Bold, the Old, and the Folded panel discussion was very popular. This is not surprising, as it explored some of the big and emerging trends in data privacy laws globally.

At the time of the Privacy Risk Summit in March 2021, some of the new privacy laws discussed were yet to become enforceable in their respective territories. Some are still being refined before they come into effect.

Thus, continue to monitor what these new laws mean for your organization’s data protection activities.

Global Privacy Law Expert Panel

Our Privacy Law Trends panel featured four legal professionals with deep global data privacy expertise examining changes to regulations in Asia, Europe, and the Americas (US and Mexico):

• • Dr. Gabriela Zanfir-Fortuna – Senior Counsel and Vice President for Global Privacy at the Future of Privacy Forum
  • Constantine Karbaliotis – Lawyer and privacy counsel / advisor / coach at nNovation LLP
  • Ian Ballon – I.P., Data Privacy / Cybersecurity and Internet / Mobile Litigator at Greenberg Traurig LLP
  • Meaghan McCluskey – Associate General Counsel, Research at TrustArc (and chair for the panel discussion)

We’ve covered some of the highlights of the discussion below and included a link to a video of the full session at the end of this article.

Dr. Gabriela Zanfir-Fortuna: Omnibus Data Protection Laws in China and India

Dr. Gabriela Zanfir-Fortuna discussed how China and India are leading the way in Asia by proposing new rules for data privacy compliance under Omnibus Data Protection Laws.

Since the panel discussion in March 2021, the Chinese government has enacted its data privacy laws; however, the Indian government is yet to pass its proposed legislation.

China’s Personal Information Protection Law was introduced in 2020, passed on August 20, 2021 and began to take effect from November 1, 2021.

The Indian government’s Joint Parliamentary Committee published its report alongside the finalized framework for the country’s Personal Data Protection Bill 2021 on December 16, 2021, which was meant to be a major update on the privacy laws proposed in 2019.

In August 2022, the Indian government withdrew the Personal Data Protection Bill following more than two years of criticism from data privacy advocates, lawmakers and technology companies.

Opponents of the bill claimed the law potentially gave the government excessive powers over personal data, and exemptions to law enforcement agencies and some public entities.

Constantine Karbaliotis: Privacy Law in Canada

Constantine Karbaliotis highlighted some of Canada’s province-based data protection initiatives to replace the country’s 20-year-old Personal Information Protection and Electronic Documents Act (PIPEDA – enacted by the Parliament of Canada in April 2000) and its 2015 Digital Privacy Act.

He noted some provinces are proposing data privacy laws with GDPR-like (General Data Protection Regulation) obligations such as privacy by design and privacy impact assessments (PIAs).

For example, the Quebec government amended existing privacy laws to enhance privacy protection under Bill 64, which was adopted on September 22, 2021. Quebec’s amendment increases individuals’ rights and control over their personal information and adds to organizations’ data privacy compliance obligations.

Karbaliotis also noted Canada’s adequacy with the European Union (EU) is up for review in 2022, and it’s likely the country’s data privacy laws will move closer to EU GDPR.

What this means is that for once (perhaps), Canada will finally be able to enforce all the data breaches and rule breakings we have seen in the last few years. 

What remains to be seen is whether Bill C-11 (Canada’s Online Streaming Act) will include the same mechanisms to recognize and exempt ‘substantially similar’ provincial legislation.

This would mean that any adequacy decision from the European Commission will finally have to address the disparities between Canada’s federal law, and the data privacy laws of Alberta, British Columbia, Quebec and possibly Ontario. 

Canada’s Online Streaming Act was introduced in February 2022, passed in the House of Commons in June 2022 and is pending Senate approval.

The first set of changes under Bill 64 in Canada come into effect on September 22, 2022, with more provisions to schedule to come into force on the same calendar date (September 22) in 2023 and 2024.

Ian Ballon: litigation cases under CCPA

Litigator Ian Ballon discussed the avalanche of new cases under the California Consumer Privacy Act (CCPA) brought to the US courts system since January 1, 2021, many of which were unlikely to succeed. 

He explained that although more than 100 claims had been filed in the first few months CCPA was enforceable, many of the plaintiffs did not have causes of action as they could not prove actual harm suffered. 

However, as Ballon noted, these claims are being made more for the court of public opinion, with plaintiffs trying to embarrass a company and extract a settlement, rather than expecting a decision in an actual court. 

These cases are being filed in courts across the US – not just in California – as all they need is a representative plaintiff in California to get them registered for a hearing.

Ballon also pointed out another litigation trend, relating to settlements for privacy breaches. A

Although each case is different, the framework for settlement should consider several factors including:

• • Type of information breach (such as children’s data or health data)
  • Nature of the breach
  • Number of firms involved in the litigation
  • Insurance cover – whether insurance is in the mix, and the value of coverage and 
  • Political ideology of the judge. 

These factors might well add up to settlement amounts that seem arbitrary in the grand scheme of things; and that including a private right of action in the multitude of state consumer privacy laws will merely exacerbate the issue and make the Plaintiff’s bar very wealthy.

Instead, Ballon would like to see these privacy laws regulated by entities like the Federal Trade Commission, as government regulatory bodies are best placed to drive meaningful changes to business practices.

In the meantime, reviewing your organization’s data privacy management practices is recommended.

Examine your relationships to ensure the business has privity of contract for agreements where it’s not a party; and review of any arbitration clauses to ensure strength and ability to be enforced in the jurisdictions in which the organization operates.

Updates to State Laws Governing Privacy in the US

The panel of experts in the Data Privacy Law Trends sessions also discussed several updates to data privacy laws in various States which could impact organizations doing business in the US, including:

• • Virginia recently signed into law the Consumer Data Protection Act, coming into force January 2023.
  • Washington and Oklahoma were poised to introduce their own Consumer Data Protection laws.
    • The panelists agreed that where California normally sets the lead, these more recent state laws more closely follow the EU GDPR model, including enhanced individual rights and fair information principles, such as data minimization and purpose limitation.
  • Although the US federal government is yet to enact national data privacy laws, it released its own data protection bill in early 2021.
    • On June 3, 2022, the Senate and House released a draft of the American Data Privacy and Protection Act.

The panelists were not optimistic about North America’s prospects when it comes to securing recognition from the European Commission as having an adequate level of data protection:

• • Karbaliotis remarked it would be a political black eye for Canada to lose its adequacy status, but with the United States-Mexico-Canada Agreement (USMCA) trade agreement, the possibility of onward transfers needs to be addressed 
  • Zanfir-Fortuna noted the government in Mexico is trying to restructure the National Institute of Transparency, Access to Information, and Personal Data Protection (INAI – Mexico’s data protection regulator) as part of a government branch, rather than a separate entity. She suggested this kind of move to strip independence from the INAI will be viewed poorly by the Europeans. 

Learn More About Keeping Your Organization Compliant with Data Privacy Laws

TrustArc’s Privacy Risk Summit 2021 highlighted the major new trends in data privacy law as part of our ongoing commitment to raise awareness about the importance of data privacy.

As global data privacy laws continue to increase, your organization needs a reliable way to keep up.

We offer a range of useful resources to help your organization stay up to date with new data privacy trends and best practices:

• • Watch: Privacy Law Trends: The Bold, the Old, and the Folded. In this session our expert panel discusses the trends in global privacy legislation and its impact, to help you plan for changes as part of your privacy program development.
  • TrustArc clients can also access (via login) all the session videos from Privacy Risk Summit 2021.
  • Download the whitepaper: A New Era of Privacy: Perspectives from Privacy Practitioners for a summary of expert perspectives about trends in data privacy and risk management, and the role technology can play in addressing privacy challenges.
  • Discover how our AI-Powered Intelligence PrivacyCentral can simplify privacy management.