GDPR and CCPA Uncertainty: What Should a Company Do?
Some companies don’t seem to care about privacy compliance.
They may not have the money to build a compliance regime. They may not believe in the laws or believe that the laws would ever be applied to them. They may just not have thought much about it.
However, many other companies care deeply about the privacy of their customers, their data protection regimes, and meeting legal and regulatory requirements in this space. And the data leaders at these companies are troubled right now.
If they had a wide geographic footprint, the data teams at these companies spent much – maybe all – of 2017-2018 preparing to comply with the GDPR and 2019-2020 assuring compliance with the CCPA. Various changes in the regulations, case law and enforcement of these laws, as well as changes in laws of Canada, Brazil and others have garnered compliance attention.
But now our do-your-homework, 10,000-steps-a-day, be-prepared companies are thrown into a tizzy. How can you meet your obligations on the most significant and most dangerous (to companies) privacy laws if the requirements from those governments are not clear? What do you do when certainty melts away, but your bosses still count on you to protect the company by assuring legal requirements are met?
How does a conscientious Chief Privacy Officer protect her company when the upcoming California Privacy Ballot Initiative threatens to change all of the rules internalized from the recent implementation of the CCPA, and the Schrems II decision not only chucks out the US-EU Privacy Shield but may have made all data transfers from the EU to the US illegal? No amount of planning can assure that your U.S.-based company is correctly following the EU or California privacy laws on January 1, 2021. What should your company do?
The two jurisdictions provide different types of uncertainty.
The EU privacy laws are longstanding and relatively consistent. However, the recent Schrems II decision has specifically invalidated a regime that 5,300 conscientious companies were using to establish compliance with those laws, and the reasoning behind the decision cast doubt on all of the other formerly approved methods for companies to establish legal compliance for transferring data from the EU to the US. We have already discussed in this space some of the reasons for the uncertainty following the Schrems II decision. Official guidance in Europe runs the spectrum from the UK’s privacy regulator, the ICO, which essentially told companies to keep calm and carry on with direct permissions and the statutorily prescribed contract clauses, to some of the German state privacy regulators, who said that no private data should pass from the EU to the US and who seemed to believe the result was long overdue.
As a US Commerce Department official wrote after the decision, “The [Schrems II] ruling has generated significant legal and operational challenges for organizations around the world at a time when the ability to move, store, and process data seamlessly across borders has never been more crucial. Cross-border data flows have become indispensable to how citizens on both sides of the Atlantic live, work, and communicate. They power the international operations and growth of American and European businesses of every size and in every industry, and underpin the $7.1 trillion transatlantic economic relationship.”
So US companies with strong retail and commercial interests in Europe can no longer point to their approved method of transferring information in a protected fashion outside of Europe, even for their own companies’ employee data within their own companies’ servers. It may cost tens of millions of Euros for many of these companies to localize the storage and processing of their European personal data – if it is even possible for them to do so. Localization is not a great option for most, especially based on a court decision that is being interpreted many ways.
So if your company is not intending to localize its European data, and it is unwilling or unable to simply stop collecting or moving EU personal data, it should place itself in the best possible light for the EU Data Protection Authorities. This means 1) protecting EU personal data in a manner that comports with EU data protection laws, and 2) finding cover in binding corporate rules, approved contract clauses or documented permissions from the EU-resident data subjects.
Will this give an assurance of protection from the data regulator’s wrath? No, but then again, nothing will at this point. Will this action provide the best possible protection in this unfortunate predicament? Yes. Short of strict localization of storage and processing or withdrawal from Europe, this is about as much assurance as your U.S. company can get. Even companies not named Facebook will be evaluated for their treatment of data, and those that care to comply should try to comport with the rules that seem to apply.
California is a different animal. Its omnibus privacy act is less than a year old, and enforcement started at the beginning of last quarter. So this is new for all of us, and no such law existed before in the US, so the diligent corporate privacy officer can be excused for not knowing exactly how it will be enforced and what its effect will be on her company. All we know for sure is that the California AG will be watching, likely targeting scofflaws, and that the CCPA’s statutory damages provision just ushered in the era of non-stop class action suits against victims of hacks and ransomware attacks.
And yet, even this level of certainty will likely be defenestrated in a month. A new ballot initiative, called the CPRA, is expected to pass overwhelmingly in California this fall, and it will add more rights and requirements to the privacy landscape, in addition to being nearly impossible to revise due to its nature as a ballot initiative rather than an action of the legislature. So all of its breadth, vagueness and ambiguity will be puzzled over by businesses and possibly ironed out through regulations off in the future. In the meantime, affected companies will need to continue complying with the CCPA as we know it, and simply keep an eye on changes in the law, knowing that they will force behavioral changes in the near future. Once again, where certainty is impossible, coping under the current regime is the best we can muster.
This is a deeply uncertain time for international companies who care about data protection and legal compliance. The way forward is clear, but so are the risks of proceeding in any direction at all.