With 2020 coming to a close, SC Media is delivering through a series of articles our picks of the most high impact events and trends of the last year, which we predict will factor into community strategies in 2021 and beyond. This is the second in that series.
If 2019 was an opportunity for privacy advocates to push for preparation ahead of looming data protection deadlines, then 2020 was the year organizations were expected to prove themselves ready.
But while many may have felt relatively comfortable with the state of progress by the time the July 1 enforcement deadline for the California Consumer Privacy Act (CCPA) rolled around, what came just two weeks later was "stunning and completely unexpected," in the words of attorney Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton Andrews Kurth.
Indeed, the Schrems II decision by the EU Court of Justice (ECJ) effectively killed the Privacy Shield agreement outlining how the EU and U.S. could legally exchange personal data, leaving companies of all sizes scrambling.
The Schrems II decision, which essentially confirmed that the privacy pact didn’t protect EU citizens from being spied on by the U.S. government, was particularly disruptive at a time when cloud and other technologies are quickly making geographic boundaries less defined, ratcheting up concerns about protecting data across borders.
“We forget that the shift from on-premises software to cloud computing was a seismic one,” said Matt Spohn, general counsel at Red Canary. “You have to address data security, because the vendor now has the customer’s data. [And] you need to assess whether any of the data given to the vendor is regulated," such as personal data, protected health information, payment card data, and so on.
"If the data is regulated, then an organization must “assess which laws, regulations, or standards apply – no easy task given that one, many apply regardless of your contract’s choice-of-law provision; two, cloud software could be accessed from anywhere; and three, cloud software might be processing data from various jurisdictions,” Spohn said, noting that while that’s doable, it requires close cooperation between compliance and legal teams.
“Data doesn't live in one place. It has a footprint that spans many systems and applications throughout the enterprise," explained Brendan O’Connor, CEO and co-founder at AppOmni. "The pandemic has greatly accelerated the adoption of cloud applications, and more data than ever before is stored and accessed outside the corporate perimeter. Organizations of all sizes must evolve their security strategy to operate in this new landscape.”
Spohn called Privacy Shield “probably the easiest" of the three available mechanisms under the General Data Protection Regulation to transfer EU personal data to the many, many countries the EU had not identified as having an adequate level of data protection, including the U.S. But with its demise, organizations are primarily left to implement binding corporate rules under GDPR (which is no easy process, and is generally only practical for large multinational corporations) or sign standard contractual clauses that were promulgated by the European Commission, said Spohn.
“But as part of its decision invalidating Privacy Shield, the EU Court of Justice cast some doubt on the sufficiency of those standard contractual clauses," he added.
In retrospect, companies probably shouldn’t have gotten too comfortable with Privacy Shield anyway. Even though the pact, which took months for the U.S. and EU to hammer out, had been in place four years, the surveillance practices in the U.S. had always been a controversy likely to rear its head again. Western European countries view privacy and surveillance very differently – privacy is considered a right there. The U.S., by contrast, allows surveillance of foreign nationals.
The court’s decision should be a rallying call for the U.S. to finally cobble together a national privacy law.
The patchwork of privacy laws that make up the various rules governing personal data in the United States, as well as the failed attempts by states like Washington and New York to establish their own, "point to the long overdue need for a federal law on privacy that at least meets the same level of protection as the GDPR,” said Steve Durbin, managing director of the Information Security Forum.
Although the EJC ruling applies to transfers between the U.S. and EU, its implications spread well beyond the U.S. “Twice now the European Commission has tried to reach an agreement with the U.S. on data protection, only to have its efforts ruled unlawful,” Stewart Room, global head of data protection and cybersecurity at DWF, said at the time of the decision. “There needs to be a different mindset to how the challenges of international transfers to the U.S. are met, because failed schemes like this have significant impacts for individuals and for businesses.”
In the aftermath of the EJC ruling, Durbin doubts such national legislation will be forthcoming. “Federal lawmakers have traditionally shied away from such a move preferring to hand responsibility for enforcement to state attorneys general.”
But inspiration for a federal law may come from another piece of California legislation, the recently passed California Privacy Rights Act (CPRA), whose strong support of privacy rights is more in line with European privacy protections.
“The CPRA gives Californians some of the most stringent online privacy rights in the world. Californians now have the right to know about the personal information businesses collect and share, the right to delete personal information collected about them, and the right to opt-out of the sale of their personal information,” Charles Ragland, security engineer at Digital Shadows, said of the legislation, which applies to Californians even when they’re temporarily out of state.
The law strengthens the tenets of the CCPA “by creating a new government agency dedicated to handling enforcement and compliance with the new Privacy regulations,” said Kevin Courtney, Acuant’s vice president of product. And, he said, it adds a subcategory, Sensitive Personal Information (SPI), that covers “data like login credentials, race, ethnicity, biometric data (from health trackers) and precise geolocation.”
Ragland said that although it’s too early to assess the ramifications of the CPRA, he expects, given the connected nature of society in 2020, “many companies will be legally compelled to be compliant with this law in order to continue providing services to Californians.”
But will CPRA become the basis for federal legislation? Spohn would rather see GDPR become the foundation of a national law, which he said "holds as a cohesive, internally-consistent legal work. The CCPA and CPRA have some intersection with GDPR, but "are a less ideal starting point.”
Regardless, the adoption of CPRA, will impose a heavier privacy compliance burden on organizations – the lastest chapter in what O’Connor views as a global trend toward enhanced consumer privacy with a dose of hard consequences for offenders.
On the international front, without the protection of Privacy Shield, organizations are vulnerable. But there are steps they can take to protect data and themselves. In the short term, companies must “make sure they have a clear understanding of whose data they have, their residency, where the data is stored, where that data center is located, and maps of where data is flowing,” said BigID Vice President of Privacy & Policy Heather Federman. “If a multinational corporation can ensure they are accurately tracking personal data, it will significantly minimize the risk."
Europe’s strict privacy regulations can help protect companies while the EU and U.S. sort out future requirements. “Good practice will require strict adherence to the GDPR rules since without the Privacy Shield" exceptions really no long er apply, said Durbin.
For guidance, the European Data Protection Board is recommending additional terms should be added to the existing standard contractual clauses, and the European Commission has issued drafts of new standard contractual clauses that address some of the concerns.
Regulators have “a good opportunity to put in place a viable Privacy Shield replacement,” Spohn said. But “the U.S. and EU will need to address the U.S. government surveillance program that drove the Privacy Shield invalidation” and place the new scrutiny on standard contractual clauses.
“U.S. government surveillance seems to be less widely-used than I would have thought, and it’s not as if surveillance is unknown in EU member states,” he added. “But again, the current political climate would seem to be a major barrier."
