2020 brought several major developments in the world of data protection legislation. Most notably, the California Consumer Privacy Act (CCPA) came into force in January in the United States and the Court of Justice of the European Union (CJEU) ruled in the Schrems II case that the European Commission’s adequacy decision in regards to the EU-US Privacy Shield was invalid, effectively putting an end to free data flows between the United States and the EU.
As we head into 2021, the shadow of these major developments looms large over the data privacy landscape as the CJEU’s Schrems II ruling has shown that legitimizing transfers of sensitive personal data outside of the EU is not just a paperwork exercise.
Meanwhile, China is set to adopt its first omnibus data protection legislation this year, with one of its main focus points also being cross-border transfers. Several other countries are set to enforce or review their data privacy laws in 2021 and the UK has lost its free data flow privileges in Europe. Let’s take a closer look at these developments and what we can expect from them in the year ahead.
New SCCs for EU cross-border transfers in 2021
The standardization and regularization of cross-border data transfers compliant with the EU’s General Data Protection Regulation (GDPR) seem to be on many European institutions’ agenda.
In November 2020, the European Data Protection Board (EDPB) issued draft recommendations for the rules businesses should follow to lawfully transfer sensitive personal data from the European Economic Area (EEA) to countries outside it. Based on the EDPB guidance, the European Commission released a draft set of new Standard Contractual Clauses (SCCs) and a draft implementing the decision, making important updates to the text of the clauses to bring them in line with the GDPR.
These changes, along with the Schrems II ruling, will impact many international companies collecting and processing the personal information of EU citizens, bringing stricter compliance requirements for cross-border data transfers.
China’s answer to the GDPR
China’s Standing Committee of the National People’s Congress published the first draft of its Personal Information Protection Law (PIPL) for public comment on 21 October 2020. Uniting existing Chinese data privacy laws under one umbrella, the PIPL also adds several significant new developments to the protection of personal data in China. Among them, steep fines, extraterritorial applicability, the need for data protection officers, and new rules governing cross-border transfers.
The PIPL will reinforce the new rights gained by data subjects residing in China, regardless of their nationalities, such as the right to deletion and the right to withdraw consent for data collection. Companies processing a high volume of personal information will also be required to appoint a data protection officer responsible for the processing of personal data. The processing of sensitive personal information across borders will be subject to a threshold under the PIPL. Should a company exceed it, it will need to localize its data processing activities.
Although the PIPL is likely to be further reviewed following public commentary, it is clear that China is determined to follow in the footsteps of the GDPR and enact a comprehensive new data protection legislation that will benefit data subjects first and foremost.
UK privacy protection post-Brexit
At the end of 2020, the transition period for the UK’s exit from the European Union came to an end and with it, the application of the GDPR in the country and the free flow of personal information from the UK to Europe. However, while the GDPR may no longer apply, its requirements were adopted into the UK’s national legislation through the Data Protection Act (DPA) in 2018.
The main consequence of Brexit is that the UK officially became a third-party country to all member states of the EEA which means it needs to apply for an adequacy decision from the European Commission before data can be transferred across borders freely again. Whether this will be a smooth process or the UK will fall short of an adequacy decision, businesses in the country need to ensure that appropriate data transfer mechanisms are in place between EEA member states and the UK in 2021.
New data protection laws coming into force in 2021
A number of new data protection laws across the world will be enforced starting in 2021. In a surprising turn of events, after a series of setbacks and delays, Brazil’s Lei Geral de Proteção de Dados (LGPD), Latin America’s first major data protection law, came into force in September 2020. However, its administrative sanctions are not expected to be enforced by regulators until August 2021. As Brazilian companies and service providers processing the sensitive information of Brazilian data subjects scramble to reach compliance, 2021 will be the testing ground for how Brazil’s data protection authority, the Autoridade Nacional de Proteção de Dados (ANPD), will enforce the LGPD.
At the end of 2020, Singapore amended its Personal Data Protection Act (PDPA), introducing, among others, mandatory data breach notifications, an expansion of its deemed consent framework, exceptions to consent for legitimate interests, and increased penalties for non-compliance. 2021 will see these changes applied in practice.
Data Protection Laws Under Review in 2021
An expansive review of Australia’s Privacy Act 1988 is expected to be completed in 2021. In response to the Australian Competition and Consumer Commission’s (ACCC) Digital Platforms Inquiry report, the Australian Government announced on 12 December 2019 that it would conduct a review of the Privacy Act. So far, it published an issues paper outlining and seeking feedback on the Privacy Act as well as other Australian laws protecting personal information. Submissions closed at the end of November, with the first draft of the review expected to be made public in 2021.
On 17 November 2020, the Digital Charter Implementation Act (DCIA) was introduced by the Canadian Minister of Information, Science, and Economic Development. Should it be passed, the DCIA will replace Canada’s current data protection law for the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA). DCIA would bring several interesting developments to privacy legislation in Canada, including a private right to action and fines that could exceed those of the General Data Protection Regulation. In 2021, the DCIA will be reviewed by committees and is expected to undergo consultations and hearings from stakeholders.
In the United States, California voters approved the California Privacy Rights Act (CPRA) through a ballot measure in November 2020. The CPRA will amend the CCPA, giving California residents additional control over their personal information and imposing further obligations on businesses falling under the incidence of the CCPA. While most of the CPRA’s provisions will only be enforced starting in July 2023, its passing is expected to trigger a new wave of legislative action in other states or at the federal level.
In conclusion
2021 is set to be an exciting one for privacy protection legislation as several notable privacy laws will begin enforcement, with several others falling in line to the new international standard set by the GDPR. Cross-border transfers are likely to be one of the big compliance issues being tackled by legislative bodies and data protection authorities to ensure a regularization and normalization of data transfers between countries.