The rest of 2019 will be a busy time for companies in the thriving ecosystem built on the collection, use, transfer and storage of personal data. After years of repetitive debate in the U.S. over the need for balance between privacy and innovation, between protection and the free flow of data, the balance has tipped. Although specifics of a new paradigm are under intense discussion in statehouses and in Washington, it appears all but inevitable that some form of comprehensive privacy legislation will soon be a reality. This legislation would fill in the gaps or completely inundate the carefully engineered "sectoral" rules for specific industries that have dominated the American landscape for decades.
The wave began in Europe, with the 2016 passage of the EU's General Data Protection Directive (GDPR), which went into effect in May 2018. Non-EU companies with European customers or data-related activity have been obliged to bring at least part of their operations into compliance, at a massive cost in effort and expense. The GDPR's values, principles and individual-centric perspective now percolate through everything from artificial intelligence to anti-trust enforcement to connected cars, 'smart' healthcare devices and the Internet of Things.
States Take the Plunge
In California last year, sheer popular pressure caused the issue to burst forth in a ballot initiative, leading to the hurried passage of the California Consumer Protection Act (CCPA) which promises GDPR-like protections for the state's citizens starting from Jan. 1, 2020. In short order, California's example inspired a ripple of similar proposals in state legislatures across the country.
Washington Floats on the Tide
Now federal legislators, alarmed by the prospect of a patchwork of rigorous state privacy with potentially dire effects on interstate commerce, have scheduled hearings before House and Senate committees for February 26 and 27, in part with a view to seek bipartisan consensus on a federal law that would preempt the rapidly proliferating state initiatives. Providing a further push, a GAO report released on February 13 recommends comprehensive federal privacy legislation that would designate the Federal Trade Commission as lead agency with APA rule-making authority, pre-event enforcement powers, and the ability to impose civil penalties.
The Edge of the Map
With full recognition that the final shape of any new legislation will be the product of lively debate (albeit within a highly compressed time frame), there are nevertheless a number of common principles and themes that appear in various forms in the GDPR, the CCPA, bills pending in various state legislatures, and in the voluminous literature on the subject. Here is a partial list, with some preliminary thoughts on how their manifestation in forthcoming regulatory regimes may affect U.S. companies.
- Collection of personal data will be permitted only with consents that will differ from current U.S., practice, and services may not be denied where the customer has declined to consent; opt-out seems likely to survive (with new consumer-friendly modifications), with opt-in only for some categories of users.
- New and expanded definitions of 'personal information' are all over the map but in final form will almost certainly be broader than those set out in current industry-specific regimes.
- Individuals will have a broad range of new rights, similar to those provided under the GDPR, including a right to be informed about collection, use, and transfer, a right of access, a right of rectification, and a right to object to data that is claimed to be inaccurate, together with deletion rights for information that a counterparty is no longer explicitly permitted to hold.
- An anticipated source of much disputation is likely to be individuals' rights to challenge data alleged to be discriminatory and data used for impermissible profiling. Cleaner, higher-quality data is a potential upside, but litigation challenges to customer data sets and allegedly biased algorithms are a near-certainty.
- New requirements for data minimization may reverse the long-standing U.S. presumption that 'anything that is not forbidden is permitted', and together with the broad range of customer rights will make rigorous and frequent data mapping a way of life for any business holding protected data.
- Private rights of action will greatly expand the risk of litigation, along with increased enforcement authority for state attorneys general and/or designated federal agencies. Heightened customer expectations are likely to lead to expanded reputational risk.
- New transparency and accountability requirements, together with more frequent third party audits, are likely to be features of any new regulatory scheme.
- Transfers of data from an original collector to data brokers, processors (including those employing big data for analysis by machine learning/AI systems) will likely be subject to GDPR-style prohibitions or limitations, possibly leading to fundamental changes in the business models for companies operating in the information ecosystem.
- This will be particularly true for operations in the cloud, where GDPR-style data localization requirements are likely to conflict with current practices in which physical geography is irrelevant, data is processed wherever a system has capacity at the moment, and major cloud service providers generally offer 'take it or leave it' contracts.
- Due diligence on vendors is about to get a lot more interesting, as companies face the obligation not only to have adequate contract provisions in place, but also to determine whether the provider in fact has the capacity to comply, and the ability to assist the primary collector if it is called to account under new rules.
- Evergreen vendor agreements with automatic renewal provisions will need to be examined, to see if the service providers are complying with the upgraded standards.
- Cyber liability insurance may come under massive strain, as the risk environment becomes more hazardous, even as simultaneously the coverage becomes an ever more critical component of good business practice.
- The increasing convergence of privacy/data protection with big data analytics, artificial intelligence, and the Internet of Things means that none of these matters can be considered in isolation.
Change in this sector has been a long time coming, but the current pace calls to mind the reply of Hemingway's character who is asked how he went bankrupt: "Two ways," he says, "Gradually and then suddenly." (The Sun Also Rises, Ernest Hemingway, 1926). The sea-change in privacy protection, long debated, forestalled, ignored, dreaded, or welcomed, has arrived.