The consulting team at The Data Privacy Group is constantly reviewing the challenges and effects of privacy legislation, in Europe, North America and beyond.
A long list of high profile privacy and protection incidents hit the headlines during the last 24 months – and we have every reason to believe that we’re heading for another tumultuous year.
The first big event of 2020 (which hardly needs a reminder) arrives on New Year’s Day. It is, of course, the enactment of the California Consumer Privacy Act (CCPA).
Last month, California Attorney General Xavier Becerra signed off the last five CCPA amendments of 2019, including an amendment to California’s data breach legislation. California has now entered the public consultation phase, with a number of public hearings taking place up to December 6.
Various proposals have already been tabled to make the CCPA much stricter. These include the Mactaggart ballot initiative, which proposes the establishment of a data protection authority in California to enforce the Golden State’s legislation. The “California Privacy Protection Agency” would be an independent body tasked with protecting consumer privacy, ensuring that California consumers are properly informed about their rights and obligations, and enforcing the CCPA where businesses are found to have violated consumers’ privacy rights.
The initiative provides for a hand-over process from the California Attorney General to the new agency. (Currently, the AG is responsible for CCPA rulemaking and enforcement.)
Also included in The California Privacy Rights and Enforcement Act of 2020 ballot initiative are:
- The addition of a new category of personal information called “sensitive information,” which includes precise geolocation information, social security number, passport number, customer account log-in, financial account, and personal information that reveals a consumer’s race or ethnic origin, religion, union membership, or sexual orientation.
  - Consumers are granted new rights over “sensitive information,” such as the right to opt out, at any time, of a business disclosing or using sensitive personal information for advertising and marketing, or disclosing it to a service provider or contractor for those purposes.
  - Businesses must provide a separate link for users to exercise this opt-out right.
  - Businesses must obtain opt-in consent prior to the sale of a consumer’s sensitive personal information. A consumer who has opted in to the sale of sensitive personal information can revoke this authorization at any time.
- The creation of a new right to correct inaccurate personal information.
- Required opt-in consent for the collection of personal information about children under the age of 16, and increased penalties for violations of children’s privacy.
- Provision that a consumer may request that a business disclose personal information collected beyond the currently required 12-month period, and that the business must provide such information unless doing so would be unduly burdensome or involve a disproportionate amount of information.
- A requirement that a business must notify the consumer and state when using a consumer’s personal information to advance the business’s political interests on its own behalf, or to influence the outcome of an election.
- Enactment of additional notice requirements for businesses, including but not limited to specific requirements for “third parties.”
- Amendment of the definition of a “business” to one having 100,000 or more consumers or households, rather than the CCPA’s 50,000 or more consumers, households, or devices.
- Amendment of the definition of “business purpose” to include new elements such as “non-personalized advertising” (advertising not based on a profile or on predictions derived from a consumer’s past behavior), provided the information is not disclosed to a third party, used to build a profile of the consumer, or used to alter the consumer’s experience with the business.
- Amendment of the definition of “deidentified” to “information that cannot reasonably be used to infer information about, or otherwise be linked to, an identifiable consumer,” provided the business meets certain requirements. The Attorney General will provide additional regulations related to the definition of “deidentified.”
- “Household” to be defined as “a group, however identified, of consumers who cohabitate with one another at the same residential address and share access to common device(s) or service(s) provided by a business.”
- Provision that, once approved by voters, the initiative may be amended by a statute passed by a majority of the members of the California State Legislature and signed by the governor, if the amendments are “consistent with and further the purpose and intent” of the Act.
In other words, the proposal allows for amendments after it is signed by the governor, as long as they are “consistent with and further the purpose and intent” of the Act. Interestingly, this approach appears to signal a willingness to pass new amendments so that the law can keep pace with emerging technologies; the standard process for amending ballot initiatives requires a super-majority vote of the legislature.
In 2003, the Electronic Communications Directive 2002/58 was implemented in the UK. In 2020 this will be replaced by the European Union’s ePrivacy Regulation. Designed to work alongside the GDPR, the new law will take on board the definitions of privacy and data, with a view to making enhancements to areas such as cookies, unsolicited marketing and confidentiality for online privacy.
Recent discussions in the Council of Ministers point to potential progress in the ongoing negotiations. A joint government position on the draft legislation, aligning it with the GDPR next year, is beginning to look hopeful, as long as agreement can be reached with the European Parliament, which appears to be pushing for much stricter rules than the government representatives.
It is thought that a great deal of this progress has been driven by last month’s ruling by the European Court of Justice (CJEU) in a case involving the online gaming company Planet49.
The company ran a promotional lottery on its website in which users were presented with two tick-boxes. The first was an unchecked tick-box to receive third-party advertising; in order to enter the competition, users needed to tick this box. The second was a pre-ticked box allowing Planet49 to set cookies to track the user’s behaviour online.
The German Federation of Consumer Organisations (GFCO) claimed that these two check-boxes did not satisfy German legal requirements, and sought an injunction requiring Planet49 to cease using them. The case ultimately reached the Bundesgerichtshof (German Federal Court of Justice), which referred the case to the CJEU for preliminary ruling.
The key points from the judgment include:
- Where consent is required for cookies under the e-Privacy Directive, the GDPR standard of consent applies.
- It does not matter whether the cookies constitute personal data or not – Article 5(3) of the e-Privacy Directive (i.e. the cookie consent rule) applies to any information stored on or accessed from an individual’s device.
- Website users must be provided with information on the duration of the cookies, and on whether third parties will have access to them.
The Court confirmed in its ruling that pre-ticked boxes for cookies do not constitute free and informed consent, and that consent given in this way is therefore not valid.
Meanwhile, consumers looking for ways to protect themselves online are increasingly using VPN (Virtual Private Network) services, which enable users to send and receive data across shared or public networks as if their devices were directly connected to the private network.
Personal Data Transfers
Another area undergoing review concerns the transfer of consumers’ personal information from European Union countries to the United States. This applies to the use of standard contractual clauses, as well as to transfers via the EU-US Privacy Shield.
Schrems II is currently pending before the Court, which must decide whether either transfer mechanism offers sufficient and adequate safeguards to protect personal data originating in the EU, especially in light of the extensive US surveillance legislation. A decision is expected in February or March of next year. If the judgement finds that things need to change, it could have a big impact on international data flows, but it is too soon to tell.
Mobile users currently have various options for controlling their data. For example, there are privacy apps for Android which are proving increasingly popular in the Google Play store.
Meanwhile, online security remains the biggest concern for businesses and consumers alike, particularly when it comes to protecting personal data. We believe businesses will be facing much tougher regulations over the next year.
GDPR Compliance Still Lagging
Next year, the first comprehensive review of the impact of GDPR legislation is expected to be undertaken.
However, it is unlikely that the European Commission will propose any significant changes to the law at that time, even though some small changes regarding data protection governance may be forthcoming.
We can reasonably expect to see stronger enforcement proposals from data protection authorities, although the biggest challenge facing many DPAs is that they are understaffed and underfunded.
One certainty we can rely on in 2020 is that there will not be a sudden increase in companies becoming compliant with the GDPR. Far too many businesses are still avoiding the time and financial investment involved – or they simply don’t give due care and consideration to achieving GDPR compliance.
Meanwhile, privacy-savvy consumers will increasingly turn to free privacy software as a means of protecting their personal data as best they can.