Global privacy laws have proliferated and adapted over the past decade, and the influx of new regulations is not likely to slow anytime soon. It is essential that legal professionals stay attuned to these changes so that they fully understand requirements and can prepare their organizations to mitigate risk.
At Relativity Fest 2022, Beth Kallet-Neuman, vice president of legal at Relativity, led a discussion with Erik Jones, then a partner in Venable’s Privacy and Security Practice Group (now at the Federal Trade Commission), and Syd Terry, chief of staff to Congresswoman Jan Schakowsky, on new and pending privacy and data transfer requirements. The panelists explored privacy regulations at various levels, from contested trans-Atlantic data transfers to individual consumers’ concerns with biometric data.
In this session recap, let’s dive into the complex, ever-evolving privacy landscape impacting our world today.
Challenges to Trans-Atlantic Data Transfer
“Data transfers between countries have to happen for business to function,” asserted Erik Jones. “But there is a question of how that is going to look.”
This statement highlights the importance of establishing appropriate data transfer mechanisms between the European Union and the United States, a top-of-mind topic for legal and privacy professionals given regulatory developments over the past two years. The EU’s General Data Protection Regulation (GDPR) has set the gold standard for most other countries, but it has also created a lot of complications for international data transfers.
For context, a judgment from the Court of Justice of the European Union (CJEU), published in July 2020, threw into question how data transfer between the EU and US will continue moving forward. In Data Protection Comm’r v. Facebook Ireland, Ltd. and Schrems, C-311/18 (also referred to as Schrems II), the CJEU declared the EU-US Privacy Shield Framework to be invalid. That framework had been one of the primary data transfer mechanisms for the safe and free flow of data between the EU and US organizations. The CJEU ruled that the provisions of certain US laws, the resulting potential access and use of EU personal data by US public authorities, and the lack of an adequate remedy for affected EU data subjects do not satisfy requirements set by the GDPR.
US President Joe Biden responded to this development in October 2022, signing an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities. The Order intends to reestablish a legal privacy framework to govern data transfers from the EU to the US.
During the Fest session, Erik suggested that the long-term sustainability of this new framework is still up in the air: “I think this Order is clearly in the authority of the president, but there are weaknesses. If President Biden is no longer in office in 2025, the new president could take another approach. Plus, while I think the European Commission is trying to make this work, in the end, it is up to the courts. Max Schrems has already said he will challenge the order, so we will see what happens.”
Editor’s Note: Since this Fest session took place, the Irish Data Protection Commissioner ruled that Meta had been unlawfully transferring personal data from Ireland to the US. Not only was the fine of $1.3 billion astronomical, but the decision raised additional questions on the legality of data transfers from the EU to the US.
A State-based Approach
Lacking definitive guidance at the federal level, states have taken matters into their own hands. “California, Colorado, Utah, Connecticut, Virginia ... these states have proposed comprehensive privacy laws for their citizens,” explained Beth. “With CCPA and CPRA, California is leading the pack. Do we think they will continue to do so?”
Erik felt strongly that California would continue as the leader, highlighting the difficulty of developing legislation from the ground up.
“It’s very hard to create legislation from scratch,” he explained. “You need to sell it, you need to get advocates to support it, and then you also come up against those that are against it. California got it done, and whether right or wrong, that is the starting point across the country. You’ll continue to see a similar approach from other states.”
Within the growing trend of state-specific data privacy laws, Syd Terry had concerns regarding enforcement: “I feel that most of the state laws have failed to address enforceability, in a way that leaves a lot to be desired.”
The frequency and enforcement of these state-specific privacy laws remain an open question as the trend continues to develop. But organizations working across state lines will need to stay vigilant and ensure they understand the nuances of conducting business and collecting data in the regions in which they operate.
Protecting Biometric Data
Legal professionals are not the only ones concerned with privacy these days. The individual is becoming more and more interested in protecting his or her information, particularly when it comes to biometric data. The Relativity Fest panel discussion, which took place in a Chicago hotel, ventured close to home with a deep dive on the Illinois Biometric Information Privacy Act, or BIPA.
In 2008, Illinois enacted BIPA, a state law to establish standards for the collection, use, and sharing of individuals’ biometric data by companies, and the potential penalties for violating the statute. Earlier this year, the first biometric privacy class-action suit under this law came to a close. Truck driver Richard Rogers had sued BNSF Railway on behalf of 45,000+ fellow drivers whose fingerprints were scanned for identity verification when visiting rail yards to pick up and drop off loads.
“It’s an interesting case. BNSF said they weren’t at fault because they were using a third-party vendor,” explained Beth. “But the court found that BNSF was the one that made the data collection happen. They were in control and decided the data should be collected. They were responsible.”
The result? A federal jury awarded plaintiffs $228 million for the violation, underlining the significant consequences of violating privacy laws and drawing attention to the importance of limiting collection of, and protecting, biometric data in business practices.
An Ever-Evolving Landscape
Despite the numerous changes and challenges to global data protection laws, one thing is certain: the privacy landscape is complex. And the ever-changing nature of data only adds to that complexity.
“We are riding a wave of technological development,” stated Erik. “While we might be getting closer to finding a solution to these issues, the work will never be finished.”
“I’ll second that,” agreed Syd. “The work is never done.”