Data Privacy Developments, 2018 Year-In-Review Part 2

A year-end round-up of the biggest industry news stories, most useful publications, and most notable cases of which you should be aware from 2018

In “Because You Need to Know What You Need to Know,” we reviewed the year in our educational program and previewed the topics for this series.  In this Part, we review the major data privacy developments of 2018.

As we noted in the first Part, our review of our monthly news round-ups from 2018 revealed that data privacy issues were one of the two most frequently occurring topics.  In this Part, we review those data privacy developments, including: the advent of the GDPR and its challenges, the second review of the EU-US Privacy Shield, and new state-level data privacy laws in the US.

The GDPR

Beginning on May 25, 2018, the European Union’s General Data Protection Regulation (“GDPR”) went into effect.  This regulation built upon the EU’s 1995 Data Protection Directive.  That directive had led to a patchwork of differing implementations and enforcement levels across the EU member states, which the GDPR attempts to replace with a single, standardized framework applicable across the EU.  The GDPR protects individual’s data privacy rights through the application of six core principles to all personal data collection and processing:

1. “lawfulness, fairness and transparency” – base requirements for collection/processing
2. “purpose limitation” – purpose must be specified explicitly and other uses not okay
3. “data minimization” – must collect/process no more data than needed for purpose
4. “accuracy” – personal data maintained must be accurate
5. “storage limitation” – personal data must not be kept longer than necessary
6. “integrity and confidentiality” – personal data must be kept secure and private

These principles are backed up by a seventh: “accountability.”  Data controllers are obligated to “be responsible for, and be able to demonstrate compliance with” these principles.

Companies’ GDPR compliance challenges have been a recurring news topic throughout 2018.  One recent survey found that 56% of respondents “said they are far from compliant or will never fully comply.”  Another recent survey found that “just 35 percent felt they could demonstrate a ‘defensible position’ on GDPR compliance.”  The Irish Data Protection Commission has already begun the first major data breach investigation since the GDPR became effective.

Questions of Consent

For US organizations, some of the compliance challenges associated with the GDPR stem from differences in legal perspective between the EU and the US.  One of the most significant differences in this context is a difference in the meaning of “consent” as a lawful basis for data collection or processing.  In the US, consent through passive notice and acceptance has been acceptable, but that is not sufficient under the GDPR.

In Article 7, the GDPR sets out specific conditions for consent to be valid.  To be lawful basis for data collection or processing, consent must be freely given, specific, unambiguous, and informed.  It cannot be buried among lots of other boilerplate in a license agreement:

…the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.  [emphasis added]

Consent must also be revocable as easily as it is grantable.  And, to be considered “freely given,” consent cannot be made a condition of using a service or be the result of a power imbalance (such as in an employer-employee relationship).

Privacy Shield Updates

The EU-US Privacy Shield is a legal framework by which US organizations can certify compliance with certain data privacy protections so that they may receive transfers of personal data from the EU.  It has been in place since 2016, when it was adopted to replace the invalidated EU-US Safe Harbor program that had preceded it.

This summer, ahead of the program’s second annual review, the European Parliament passed a non-binding recommendation that the Privacy Shield program be suspended pending updates for GDPR compliance and other improvements to ensure adequate protections within the US.  In the US, the FTC emphasized that renewal of the program was a top priority and stepped up enforcement actions related to the program, including settling claims against four companies for misrepresenting their compliance.

The results of the second annual review were released on December 19, 2018, and while it does require the US to “nominate a permanent Ombudsperson by 28 February 2019 to replace the one that is currently acting,” the findings were generally positive:

This year’s report shows that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield from the EU to participating companies in the U.S. The steps taken by the U.S. authorities to implement the recommendations made by the Commission in last year’s report have improved the functioning of the framework.

Concerns are expressed throughout, however, about both the “Facebook/Cambridge Analytica case and other revelations” and about various limitations of the US legal framework.  The report notes numerous points on which the Commission plans to “closely monitor” or “closely follow” to see if future action is required.

State-Level Data Privacy Laws

In addition to these international data privacy developments, this year also saw two new state-level data privacy laws in the US:

• Colorado’s “Protections for Consumer Data Privacy” law went into effect on September 1, 2018 and requires companies to have plans for securing and disposing of personally identifying data on Colorado residents.
• The “California Consumer Privacy Act” was signed into law in June 2018, but its requirements do not become effective until 2020. It creates rights, protections, oversight, and enforcement similar to that imposed by the GDPR.  Some adjustments may be implemented before the effective data, however, as some issues with the law as written have already been identified.

Upcoming in this Series

In the next Part of this series, we will review the other top news topic from 2018: challenging source developments, including social media, mobile devices, ephemeral messaging, and more.