If there's one thing that's been true in the world of privacy over the last few years, it's that there is never a dull moment, and that certainly holds for the summer of 2023. In terms of new laws and regulatory updates, we've seen some action internationally, but it has paled in comparison to what is happening at the state and federal level in the US. Looking back over the last few months, three trends stand out as especially important.
European Privacy Regulators Define a Status Quo
It makes sense, given that GDPR is the most mature of the major privacy laws, that European data protection authorities (DPAs) aren't looking so much to lay the foundation for enforcement as to define a long-term, stable regime that they can enforce. Two major steps toward this goal took place over the summer.
- The European Commission Approved a New EU-US Data Privacy Framework. With this announcement, it appears that the European Union (EU) and United States have finally resolved the issues which caused two previous agreements, the Safe Harbor and Privacy Shield frameworks, to fail under concerns from the Court of Justice of the European Union (CJEU) over potential US government surveillance of EU citizens. Noemi Alonso Calvo, Managing Partner at The Privacy Aces, explains that since a new court challenge may be forthcoming from Max Schrems, "The most sensible advice for EU companies would be to keep the SCCs with any US companies they export data to, even if they certify under the new DPF (just like most of us privacy professionals did when Privacy Shield was approved), as it maintains the status quo in case of invalidation of this new DPF by the CJEU, without disrupting businesses."
- The European Data Protection Board Releases New Guidelines for Administrative Fines. Five years after GDPR came into effect, the European Data Protection Board (EDPB) has released new guidelines for calculating administrative fines under the regulation. The new guidelines aim to clarify and standardize how fines are calculated by the national data protection authorities (DPAs) that enforce the regulation—but they may also signal that higher fines will be forthcoming. Andreas Splittgerber, Partner at ReedSmith, explains, "These new guidelines should bring more transparency and consistency to the process, but they still leave much room for variation and discretion, so the EDPB may need to take additional actions to harmonize outcomes. All in all, these guidelines should lead to more predictability of fines, especially as more decisions are issued and case law evolves."
The US Federal Government Takes Baby Steps toward Privacy Regulations
Given the stop and start nature of federal privacy legislation, it's no surprise that summer of 2023 saw some signs of progress toward federal privacy regulations... but only time will tell if it's meaningful progress or another false start.
- Bipartisan Coalition Introduces Federal Privacy Legislation. While the list of states enacting comprehensive privacy legislation continues to grow, progress toward federal data privacy regulation has been slow-moving at best. However, a bipartisan group of legislators in the Senate and House of Representatives hopes to change that by introducing the DELETE Act in the Senate. The change could be significant for data brokers, explains Amalia Barthel, Lecturer, Instructor and Advisor at the University of Toronto: "It would be a major change for data brokers—one that could grind the entire data brokerage business model to a halt."
- Two Children's Privacy Acts Progress in US Senate. Two bills, KOSA and COPPA 2.0, aimed at safeguarding children online moved out of committee and into consideration by the full Senate, signaling that the federal government recognizes the need to modernize outdated protections for children and teens. Of the bills' key elements, Tyler Newby, Partner at Fenwick & West, explains: "Critics charge that [KOSA's] requirement to act in the 'best interests' of a user is fatally flawed, because it will likely lead platforms to err on the side of restricting free speech to avoid being sued by a state attorney general or the FTC. Given the vagueness around what is 'reasonably likely' to be used by children, COPPA 2.0, if passed, is likely to lead to the use of age verification across a broad array of services."
US States Push Forward on Privacy Regulations
Really, this is the big trend taking place right now. The US is up to 13 states with privacy laws passed, with five currently in effect. Several states have passed laws during calendar 2023, including Florida, Montana, Texas, Tennessee, and Oregon. It's well past the time when organizations can take piecemeal approaches to compliance with privacy regulations. The most feasible alternative is to adopt best practices governing privacy compliance and to follow the strictest interpretations of the various consumer rights, ensuring the ability to comply with every state's requirements.
- The Pace of US State Privacy Laws Continues to Accelerate. Montana, Tennessee, and Texas have all passed state-level consumer privacy laws in recent weeks, becoming the eighth, ninth, and tenth states to do so. While the nuances of the laws differ somewhat, collectively they reinforce the need for organizations to base their privacy policies and procedures not on the specificities of a given law, but rather on fundamental principles and best practices. Jodi Daniels of Red Clover Advisors sums it up well, "Companies that have a solid understanding of how data is collected, used, stored and shared will have an advantage in complying with these laws. Companies will need to determine if they have a scalable process for honoring individual rights and if they have trained teams on data privacy, including the marketing and product teams as they launch new initiatives. Privacy is not just the legal or compliance department’s responsibility; it’s everyone’s."