Internet security continues to be a major concern for consumers and businesses, especially in terms of data protection. While the best antivirus software often has privacy settings that allow consumers to better control information shared with businesses, businesses themselves must grapple with more regulations in the years to come.
Global privacy legislation has changed significantly in 2019, and 2020 will be another busy year for data protection. In fact, at the beginning of the New Year (January 1, 2020), the California Consumer Privacy Act (CCPA) will go into effect in California.
On Friday, October 11, 2019, California Governor Xavier Becerra signed the five amendments to the California Consumer Privacy Act awaiting signature, as well as an amendment to California law on data protection.
The focus is now on the draft regulation proposed by the California Attorney General. A public consultation period, including several public hearings, will be held until December 6, 2019 and several proposals have already been tabled to make the legislation even stricter in 2020. This includes the Mactaggart ballot initiative, which proposes that a data protection authority be established in California to enforce the legislation on an ongoing basis.
About the AuthorPaul Brietbarth is Director of European Strategy and Operations at Nymity.
Focus on consumer rights.
Although the CACP legislation may not be omnibus like the GDPR, it has been inspired by it, particularly with regard to the rights of the individuals involved. The CACP focuses on the rights of individual consumers; The right to request information, the right to cancel, the right to reject the data sold and the obligation of companies to inform consumers and employees of their personal data that will be collected and for what purpose. at the time of collection or before it takes place.
However, the influence of the GDPR was not felt solely in the United States. Many other countries in the world are reviewing and discussing privacy legislation before 2020.
This includes South Korea, which is updating its regulations in hopes of achieving compliance in the next year. The country's multiple data privacy laws could be combined into a single law that could be considered "substantially equivalent" to the GDPR. In South America, the LGPD, Brazil's first general data protection law, will enter into force on August 15, 2020. Like the GDPR, it is a general law that covers many data protection principles.
The most common aspect of the GDPR that is replicated around the world concerns instructions on data subject rights, data breaches, and liability requirements. More and more countries are enforcing regulations to facilitate international data exchange, and we can expect to see more laws incorporating RGP elements in the next year.
Privacy Policy
Another development that we could see in 2020 is the EU Regulation on privacy and electronic communications, which will replace the current Directive 2002/58 on privacy and electronic communications, entered into force in the UK in 2003. The new law was designed to the GDPR, taking into account the definitions of privacy and data and seeking to improve them in areas such as cookies, unsolicited marketing and privacy for online privacy (something that Linux distributions for privacy have already developed).
The latest discussions in the Council of Ministers suggest moving forward and advancing the current negotiations. A common position of governments on the bill looks promising, with a view to aligning it with the GDPR next year. That is, if an agreement can be reached with the European Parliament, which seems to aim for much higher standards than government officials.
Much of the progress has been made following the decision of the Court of Justice of the European Union last October on what was called the Planet 49 case. The need for explicit explicit consent to place cookies on users' devices while browsing online in connection with a case involving the online gaming company Planet 49.
The company was sued as part of a lawsuit filed by the German Federation of Consumer Organizations, a non-governmental consumer protection organization, which sought the consent of people who wish to participate in an online lottery. access to previously marked cookie sets. . The Court confirmed in its decision that the previously verified forms for cookies did not constitute free and informed consent and that the consent provided in this way was therefore invalid.
Although it is a historic decision, we can certainly expect to see other similar cases related to cookie laws in 2020, with many others, including about the legality of what is called cookie walls, still pending trial.
Meanwhile, consumers who want to protect their online presence are increasingly turning to browser plug-ins and even VPN software to anonymize their data.
Compliance still lags
Regarding the GDPR, the first comprehensive assessment of the legislation and its impact is expected to be completed next year. The European Commission will already propose major changes to the law, although minor changes to the governance of data protection may be envisaged. We can expect data protection authorities to apply more enforcement measures, while many investigations are still in progress, although many DPAs still face the problem of data protection. Insufficient staff and budget.
What is certain is that we will not see everyone comply with GDPR in 2020. Unfortunately, many companies do not want to invest in confidentiality or simply ignore respect for privacy. confidentiality.
Meanwhile, consumers can use free confidentiality software to try to protect their data.
Transfer of personal data.
To return to the Court of Justice of the European Union, another area under review concerns the transfer of personal data to the United States, both through standard contractual clauses and in the context of the EU-US Privacy Shield. Which regulates the exchange of personal data for commercial use between companies in the EU and the US.
One case (Schrems II) is currently pending before the Court to decide whether any of the transfer mechanisms offer sufficient guarantees to protect personal data originating in the Czech Republic. EU, particularly in light of extensive US surveillance legislation. A decision on this issue is expected in February or March next year. If the judgment indicates that things need to change, it could have a significant impact on international data flows, but it is too early to tell.
Mobile users currently have several options to control their data. For example, some privacy apps for Android are proving to be increasingly popular on the Google Play store.
Legislate on the role of AI
Finally, another area that will be interesting to monitor in 2020 is the impact of the new President of the European Commission on privacy legislation. One of the new regime's commitments is to propose new legislation in the first 2020 days of the mandate on how to deal with artificial intelligence. The impact of this on the processing of personal data through AI technologies is inevitably an essential topic of discussion in XNUMX.
Paul Brietbarth is Director of European Strategy and Operations at Nymity.