Fast-changing privacy and data security risks and accompanying legal obligations can challenge many organizations and their legal counsel.
Throughout 2021, issues such as sophisticated cyberattacks and evolving state data privacy laws dominated the headlines. Further, cross-border data transfers between the European Union and the United States still lack a clear, streamlined mechanism while national authorities continue to negotiate an EU-US Privacy Shield replacement, although recent statements show promise.
The past year also showcased the ongoing cyber risks of remote and hybrid work environments and the rise of double-extortion ransomware attacks, which occur when hackers demand payment for decryption keys with (too often false) promises not to disclose compromised data.
In December 2021, we saw another cybersecurity development with news of a serious vulnerability in Log4j, a widely used, open-source logging library. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency offered its guidance on applying available patches. However, the high-risk vulnerability undoubtedly spurred attacks on vulnerable companies’ networks, prompting the Federal Trade Commission (FTC) to issue a January 2022 advisory reminding companies that its actively enforced “reasonable data security measures” standard requires them to appropriately patch their software.
2021 privacy & data security trends
To minimize exposure, organizations and their counsel must keep up with the dynamic and increasing legal obligations that govern privacy and data security, understand how they apply, monitor cyber risks and attack trends, and manage compliance.
Federal and state legislation, regulation & enforcement – At the federal level last year, the FTC made significant updates to its Safeguards Rule (16 CFR §§ 314.1 to 314.6) and issued a policy statement that arguably expands the application of its Health Breach Notification Rule.
Further, federal regulators – including the FTC, the US Department of Health and Human Services, the Securities and Exchange Commission, and a growing set of other agencies – issued guidance and took action against organizations with alleged privacy and cybersecurity lapses.
The US Congress again failed to pass comprehensive data privacy legislation, still disagreeing on the extent of federal preemption of state laws and the inclusion of a private right of action. In that absence, many states have shown their willingness to regulate consumer data privacy themselves.
For example, the California Attorney General issued updated regulations under the California Consumer Privacy Act of 2018 (CCPA), banning so-called “dark patterns” that delay or obscure consumers’ ability to opt out of the sale of personal information, among other changes. The California Privacy Protection Agency, newly formed in 2021 under the California Privacy Rights Act (CPRA), began its rulemaking process.
Also, Virginia and Colorado joined the club, with Virginia enacting its Consumer Data Protection Act that goes into effect on Jan. 1, 2023, and Colorado enacting its own Privacy Act that becomes effective on July 1, 2023. Other states enacted or updated their data breach notification, genetic information privacy, and other data privacy and cybersecurity-related laws, including new laws from Connecticut and Utah that incentivize cybersecurity program adoption.
Private litigation – Private litigation continued to play a crucial role in privacy and data security enforcement as well, with notable actions last year arising from data breaches, other data privacy lapses, robocalling allegations, and issues under state-specific biometric laws, most notably Illinois’s Biometric Information Privacy Act.
The US Supreme Court also issued several noteworthy data privacy-related decisions in 2021, further restricting plaintiffs’ abilities to bring certain cases in federal court, limiting the FTC’s enforcement powers, and narrowly interpreting key provisions under both the Computer Fraud and Abuse Act and the Telephone Consumer Protection Act.
International developments likely to affect multinationals – The global momentum for enacting and enforcing comprehensive data protection laws and regulations continued in 2021, with new or updated laws likely to affect multinationals in a variety of jurisdictions, including Quebec, China, the British Virgin Islands, El Salvador, Rwanda, Thailand, Saudi Arabia, Uganda, and the United Arab Emirates.
In the wake of the European Court of Justice decision in 2020 to invalidate the EU-US Privacy Shield, EU data protection authorities continued to act, including issuing new standard contractual clauses under the General Data Protection Regulation (GDPR) and offering further guidance. The European Commission adopted adequacy decisions regarding the UK in late June, allowing personal data to continue to flow freely from the EU to the UK, post-Brexit.
Issues likely to garner more attention in 2022
Data privacy compliance will remain a priority and a challenge for many organizations. The focus is on the GDPR, CCPA, and preparation for various compliance dates under new or updated state laws and regulations. Compliance professionals should be aware that while some state provisions do not go into effect until 2023, the CPRA contains a longer look-back requirement for consumer access requests, making compliance attention now a smart move.
Early 2022 activities already show that state legislatures will keep filling the gap left by the lack of federal data privacy regulation, with varying approaches likely to increase the burden of an already complex compliance regime.
Some other trends in this area to watch include:
- Consumers’ heightened privacy expectations, especially for sensitive financial, genetic, health, and location data.
- The FTC’s evolving priorities, including closer scrutiny of the relationship between market power and consumer data privacy harm.
- The continued and increasingly global attention on cross-border data transfers.
- Organizations’ ongoing need to manage their own and supply chain cyber-risks, including the growth of public/private cyber information sharing programs.
- Cybercriminals’ increased targeting of digital assets such as non-fungible tokens and cryptocurrency holdings, forcing a keener security focus on organizations’ digital strategies.
Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. The Thomson Reuters Institute is owned by Thomson Reuters and operates independently of Reuters News.