Global data privacy laws and regulations have been evolving for several years. These privacy laws have come a long way from sectoral guidelines, local regulations, and laws to comprehensive national-level legislation that applies extraterritorially. Many of these laws are enforceable by dedicated regulatory agencies (Attorney general of California enforcing the CCPA), which can levy significant fines and other penalties (such as class action lawsuits) for non-compliance.
In the United States, there is a patchwork of state laws, industry-led guidelines, and sectoral legislation that govern data privacy. Some of these laws include the CCPA, Nevada Senate Bill 220, the Maine Act, NYCRR, and many more.
In the last three years, The three most notable additions/changes to data privacy laws in the U.S. were:
- CCPA goes into effect
- CPRA amendments
- SCHREMS-II verdict
However, without an overarching federal data privacy law, average citizens’ data continues to be at risk.
Is a Federal Data Privacy Law a Potential Reality?
It is anticipated that the new administration could pursue a federal privacy regulation. Vice President-elect Kamala Harris has shown interest in privacy-related topics during her career as California Attorney General and U.S. Senator. Being a strong proponent of data privacy, Vice-President Harris is expected to encourage President Biden to sign a federal data privacy bill if it gets passed in the House and Senate. With a single party leading the government’s legislative and executive branches, a Federal Privacy bill could soon become law.
As mentioned in the National Law Review article, during her tenure as California Attorney General, Kamala Harris actively promoted data privacy in California. In January 2013, her office issued a report named (Privacy on the Go: Recommendations for the Mobile Ecosystem). This report encourages tech giants like Amazon, Apple, Google, Hewlett-Packard, Microsoft, Research In Motion, and Facebook, that process vast amounts of consumer data, to be responsible custodians of this data. Ms. Harris also created the Privacy Enforcement and Protection Unit of the California Attorney General’s Office. This unit was tasked to enforce identity theft, cybersecurity, and data breach laws. Currently, the Privacy Enforcement and Protection Unit (PEPU) is responsible for enforcing the California Consumer Privacy Act.
Federal-level legislation covering all U.S. states will help close any loopholes that individual state laws might have open. A federal privacy law would also make it easier for data processors to organize and consolidate compliance efforts as they won’t be required to follow different state regulations.
The new administration will also take steps to address the EU and U.S.’s transatlantic data transfers after the EU-U.S. Privacy Shield was invalidated by the CJEU last year. The SCHREMS-II decision was in light of U.S. intelligence agencies’ expansive and unaccountable data surveillance practices. Experts predict that the new administration will negotiate with the EU to deliver a revised cross-border data transfer law. Since the Federal Trade Commission is responsible for enforcing data privacy laws, experts believe that the Biden Administration will empower the Federal Trade Commission (FTC) to enforce privacy regulations.
In addition to data privacy, cybersecurity is also a significant topic of discussion among the new administration officials. In light of the recent cyber-attacks on the U.S. government, the new administration is expected to prioritize measures to prevent future cyber attacks.
Are States taking steps to enact their own Data Privacy Legislation?
In case the federal government fails to enact a Federal Privacy law, U.S. states are likely to implement their own data privacy legislation. The National Law Review has extracted a few quotes from Pollyanna Sanderson, policy counsel with the Future of Privacy Forum, an organization lobbying for more robust data privacy protections.
"In the states, we've seen a huge acceleration in understanding and interest in how privacy works in a technical sense and a willingness to do more," said Sanderson.
U.S. states such as Washington and New York are taking a cue from California to craft their own state data privacy laws. It is expected that even if a federal data privacy law is implemented, it may not preempt stricter state laws - allowing state legislation to continue to remain relevant.
"Nearly half of the states introduced privacy bills in the first half of 2020. That was all put on hold due to COVID-19. But these laws are likely to return into consideration as the vaccine begins to roll out and the world returns to business as usual," said Sanderson.
Conclusion
A federal data privacy law will bring a stronger foundation for managing data privacy in the U.S. and safeguard consumers’ personal information. A few predictions for the next four years:
- A Federal level Data Privacy legislation is signed into law.
- There will be stricter regulations and enforcement of regulations on data privacy.
- There will be Privacy law enforcement by an empowered FTC.
- Updates to SCHREMS-II decision, making transatlantic data transfers easier.
- Cyber Security Leaders will improve cybersecurity processes that safeguard critical data at public and private institutions.