This month, TrustArc held its third Privacy Risk Summit with over 40 thought-provoking speakers and more than 20 sessions covering numerous privacy topics. The highly-attended session, “Privacy Law Trends: The Bold, the Old, and the Folded,” showcased global privacy trends in what is shaping up to be an interesting 2021. Session panelists included Dr. Gabriela Zanfir-Fortuna (Senior Counsel for Global Privacy, Future of Privacy Forum), Ian Ballon (IP and Internet Litigator, Greenberg Traurig), Constantine Karbaliotis (Lawyer, nNovation LLP), and Meaghan McCluskey (Associate General Counsel, Research, TrustArc). The following is a recap of the session highlights.
Dr. Gabriela Zanfir-Fortuna discussed how, in Asia, China and India are at the forefront of having omnibus data protection laws, which could perhaps be signed into law by the end of this year. Furthermore, the United States playing field is getting more heated by the day! The panel discussed how Virginia signed into law the Consumer Data Protection Act, coming into force in January 2023, and Washington and Oklahoma are poised to become the next states with their own consumer data protection laws. Focus may shift to the federal landscape, where the US government just released its own data protection bill. Even in the United States, where California usually sets the lead, these more recent state laws tend to follow the EU GDPR as a model, including enhanced individual rights, but also fair information principles, such as data minimization and purpose limitation.
Constantine Karbaliotis discussed how Canada is also making data protection waves, with moves to replace PIPEDA with a law that includes GDPR-like obligations, such as privacy by design and PIAs. A new focus on enhanced privacy for Canadians may see the provinces take it upon themselves to create their own laws (or amend existing laws, like in Quebec). With Canada’s adequacy with the EU up for review in 2022, all things are on the table. This will be interesting to see because for once (perhaps), Canada will finally be able to enforce all the data breaches and rule breakings we have seen in the last few years. What remains to be seen is that Bill C-11 includes the same mechanisms to recognize and exempt “substantially similar” provincial legislation, meaning that any adequacy decision from the EU Commission will finally have to address the disparities between the federal law, Alberta, British Columbia, Quebec, and possibly Ontario, if the Ontario proposal moves ahead.
What about potential litigation trends? Litigator Ian Ballon shared that more than 100 cases asserting CCPA claims have been filed since January 1, 2021 in the United States courts system. Out of these cases, many of the plaintiffs do not have causes of action due to a lack of actual harm suffered. In many cases, these claims are being made more for the court of public opinion, trying to embarrass a company and extract a settlement, rather than to be heard in an actual court. Moreover, these cases are not just being filed in California, but across the country, as all they need is a representative plaintiff in California.
Another litigation trend concerns the factors that go into privacy litigation settlements. While all cases are different, a framework for settlements should consider the type of information breached (such as children’s data or health data), nature of the breach, how many firms are involved in the litigation, if insurance coverage is part of the mix (and the value of coverage), and the political ideology of the judge. All this adds up to reaching amounts that seem arbitrary in the grand scheme of things. Mr. Ballon shared that including a private right of action in the multitude of state consumer privacy laws will merely exacerbate this issue and make the plaintiffs’ bar very wealthy. Instead, he would like to see regulation of these laws firmly placed with entities like the Federal Trade Commission, as government regulatory bodies are best placed to drive meaningful changes to business practices. In the meantime, Ian encouraged everyone to review their relationships, to ensure they have privity of contract for agreements where they are not a party, and review any arbitration clauses, to ensure they are strong and enforceable in the jurisdictions in which they operate.
When it comes to securing recognition from the European Commission as having an adequate level of data protection, the panelists were not optimistic about North America’s prospects. Constantine noted that it would be a political black eye for Canada to lose its adequacy status, but with the USMCA trade agreement, the possibility of onward transfers needs to be addressed. Gabriela also noted that in Mexico, the government is trying to restructure the INAI (Mexico’s data protection regulator) as part of a government branch, rather than a separate entity, and this kind of move to strip independence from the INAI will be viewed poorly by the Europeans.
The biggest takeaway is that now is not the time to rest on your laurels: there are a ton of moving pieces and many initiatives on the horizon. 2021 is going to be an exciting year in data privacy. Watch the session “Privacy Law Trends: The Bold, the Old, and the Folded” in its entirety here.