Top 10 for 2021 – Happy Data Privacy Day!
In honor of Data Privacy Day, we provide the following “Top 10 for 2021.” While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2021.
COVID-19 privacy and security considerations.
During 2020, COVID-19 presented organizations large and small with new and unique data privacy and security considerations. Most organizations, particularly in their capacity as employers, needed to adopt COVID-19 screening and testing measures resulting in the collection of medical and other personal information from employees and others. This will continue in 2021 with the addition of vaccination programs. So, for 2021, ongoing vigilance will be needed to maintain the confidential and secure collection, storage, disclosure, and transmission of medical and COVID-19 related data that may now include tracking data related to vaccinations or the side effects of vaccines.
Several laws apply to the data organizations may collect. In the case of employees, for example, the Americans with Disabilities Act (ADA) requires maintaining the confidentiality of employee medical information, and this may include COVID-19-related data. Several state laws also impose safeguard requirements and other protections for such data that organizations should be aware of when they, or others on their behalf, process that information.
Many employees will continue to telework during 2021. A remote workforce creates increased risks and vulnerabilities for employers in the form of sophisticated phishing email attacks or threat actors gaining unauthorized access through unsecured remote access tools (for example, remote desktop or VPN endpoints exposed to the Internet without multi-factor authentication). It also presents privacy challenges for organizations trying to balance business needs and productivity with employees’ expectations of privacy. These risks and vulnerabilities can be addressed and remediated through periodic risk assessments, robust remote work and bring-your-own-device (BYOD) policies, and routine monitoring.
As organizations work to create safe environments for the return of workers, customers, students, patients and visitors, they may rely on various technologies such as wearables, apps, devices, kiosks, and AI designed to support these efforts. These technologies must be reviewed for potential privacy and security issues and implemented in a manner that minimizes legal risk.
Some reminders and best practices when collecting and processing information referred to above and rolling out these technologies include:
Complying with applicable data protection laws when data is collected, shared, secured and stored including the ADA, Genetic Information Nondiscrimination Act, CCPA, GDPR and various state laws. This includes providing required notice at collection under the California Consumer Privacy Act (CCPA), or required notice and a documented lawful basis for processing under the GDPR, if applicable.
Complying with contractual agreements regarding data collection; and
Contractually ensuring that vendors that have access to, or collect data on behalf of, the organization implement appropriate measures to safeguard the privacy and security of that data.
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
On January 1, 2020, the CCPA ushered in a range of new rights for consumers, including:
The right to request deletion of personal information;
The right to request that a business disclose the categories of personal information collected and the categories of third parties to which the information was sold or disclosed;
The right to opt out of the sale of personal information; and
The right of a California consumer to bring a private right of action against a business that experiences a data breach affecting their personal information as a result of the business’s failure to implement and maintain reasonable security procedures and practices.
The CCPA carves out (albeit not entirely) employment-related personal information from the CCPA’s provisions. It limits employee rights to notice of the categories of personal information collected by the business and the purposes for doing so, and the right to bring a private right of action against a business that experiences a data breach affecting their personal information.
In November, California voters passed the California Privacy Rights Act (CPRA), which amends and supplements the CCPA, expanding compliance obligations for companies and rights for consumers. Of particular note, the CPRA extends the employment-related personal information carve-out until January 1, 2023. The CPRA also introduces consumer rights relating to certain sensitive personal information, imposes an affirmative obligation on businesses to implement reasonable safeguards to protect certain consumer personal information, and prevents businesses from retaliating against employees for exercising their rights. The CPRA’s operative date is January 1, 2023, and implementing regulations are due by July 1, 2022. Businesses should monitor CCPA/CPRA developments and ensure their privacy programs and procedures remain aligned with current CCPA compliance requirements.
In 2021, businesses can expect various states, including Washington, New York, and Minnesota to propose or enact CCPA-like legislation.
Biometric Privacy
There was a continued influx of biometric privacy class action litigation in 2020, and this will likely continue in 2021. In early 2019, the Illinois Supreme Court handed down a significant decision (Rosenbach v. Six Flags) concerning the ability of individuals to bring suit under the Illinois Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect beyond a violation of their rights under BIPA to qualify as an aggrieved person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act.
Consequently, simply failing to adopt a policy required under BIPA, collecting biometric information without a written release, or sharing biometric information with a third party without consent could trigger liability under the statute. Potential damages are substantial, as BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. There continues to be a flood of BIPA litigation, primarily against employers with biometric timekeeping or access-control systems that have failed to adequately notify and obtain written releases from their employees for such practices.
Like many aspects of 2020, biometric class action litigation has also been impacted by COVID-19. Screening programs in the workplace may involve the collection of biometric data, whether by a thermal scanner, facial recognition scanner, or other similar technology. In late 2020, plaintiffs’ lawyers filed a class action lawsuit on behalf of employees concerning their employer’s COVID-19 screening program, which is alleged to have violated BIPA. According to the complaint, employees were required to undergo facial geometry scans and temperature scans before entering company warehouses, without the prior consent from employees required by law. More class action lawsuits of this nature are likely on the horizon.
The law in this area is still lagging behind the technology but is starting to catch up. In addition to Illinois’s BIPA, Washington and Texas have similar laws, and states including Arizona, Florida, Idaho, Massachusetts, and New York have also proposed such legislation. The proposed biometric law in New York would mirror Illinois’s BIPA, including its private right of action provision. In California, the CCPA also broadly defines biometric information as one of the categories of personal information protected by the law.
Additionally, states are increasingly amending their breach notification laws to add biometric information to the categories of personal information that require notification, including 2020 amendments in California, D.C., and Vermont. Similar proposals across the U.S. are likely in 2021.
Voice Recognition Technology
A report released by Global Market Insights, Inc. in November 2020 estimates that the global market valuation for voice recognition technology will reach approximately $7 billion by 2026, in large part due to the surge of AI and machine learning across a wide array of devices including smartphones, healthcare apps, banking apps, and connected cars, to name a few. Voice recognition is generally classified as a biometric technology that identifies a unique human characteristic (e.g., voice, speech, gait, fingerprints, iris or retina patterns), and as a result voice-related data qualifies as biometric information and in turn as personal information under various privacy and security laws. Unlike a password, a compromised voiceprint cannot be reissued, which is why these laws treat its collection, retention, and disclosure more strictly than other identifiers. For businesses exploring the use of voice recognition technology, whether for use by their employees to access systems or when manufacturing a smart device for consumers or patients, there are a number of privacy and security compliance obligations to consider, including the CCPA, GDPR, state data breach notification laws, BIPA, COPPA, vendor contract statutes, and statutory and common law safeguarding mandates.
HIPAA Enforcement and Guidance
During 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services was active in enforcing the HIPAA regulations. The past year saw more than $13.3 million recorded by OCR in total resolution agreements. OCR settlements have impacted a wide array of health industry-related businesses, including hospitals, health insurers, business associates, physician clinics, and mental health/substance abuse providers. Twelve of these settlements were under OCR’s Right of Access Initiative, which enforces patients’ rights to timely access to their medical records at a reasonable cost. It is likely this level of enforcement activity will continue in 2021.
The past year produced a significant amount of OCR-issued guidance relating to HIPAA. In March, OCR issued back-to-back guidance on COVID-19-related issues, first regarding the disclosure of protected health information (PHI) of COVID-19-exposed individuals to first responders, and next providing FAQs for telehealth providers. In July, the director of OCR issued advice to HIPAA-regulated entities in response to the influx of recent OCR enforcement actions: “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” Finally, in September, OCR published best practices for creating an IT asset inventory to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization and to improve HIPAA Security Rule compliance, and shortly after it issued updated guidance on HIPAA for mobile health technology.
In December, Congress amended the Health Information Technology for Economic and Clinical Health (HITECH) Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes. The amendment refers to practices such as the NIST Cybersecurity Framework and the HHS 405(d) cybersecurity practices, and it looks at whether they have been in place for the prior 12 months, so documentation of an ongoing program matters. In 2021, businesses will want to review their information security practices in light of applicable recognized security practices in an effort to demonstrate reasonable safeguards and potentially minimize penalties in the event of a cybersecurity incident.
Ransomware and Other Cyberattacks
The past year was marked by an escalation in ransomware attacks, sophisticated phishing emails, and business email compromises. Since many of these attacks were fueled in part by vulnerabilities introduced by an expanded remote workforce, 2021 will likely bring more of the same.
We also saw more aggressive methods from certain ransomware groups. Historically, few ransomware groups exfiltrated data from victims’ systems. Instead, the attacks encrypted data in an effort to extort money in exchange for decryption keys. Beginning in 2019 and during 2020, several ransomware groups shifted tactics and began exfiltrating data as well, demanding payment for return of the stolen data or to prevent its publication on the dark web. These attacks can cause significant disruption and financial harm to a business, and because data has left the organization’s control, restoring from backup no longer ends the incident; the exfiltration itself may trigger breach notification obligations. Organizations of all sizes should perform a comprehensive risk assessment to identify vulnerabilities, with particular attention to remote access and to backup procedures, including whether backups are kept offline or otherwise isolated from the production network and whether restoration has actually been tested.
Telephone Consumer Protection Act (TCPA)
The courts issued two significant back-to-back Telephone Consumer Protection Act (TCPA) class action rulings in 2020. Both the Eleventh and Seventh Circuit Courts of Appeals held that the TCPA’s definition of an automatic telephone dialing system (ATDS) only includes equipment that is capable of storing or producing numbers using a random or sequential number generator, excluding most smartphone-age dialers. Each court expressly rejected the Ninth Circuit’s more expansive 2018 interpretation, under which the TCPA covers any dialer that automatically calls numbers from a stored list. These decisions were significant because most technologies in use today only dial numbers from predetermined lists.
The U.S. Supreme Court later weighed in on the constitutionality of the TCPA in a July 2020 ruling which concluded that Congress impermissibly favored government debt collection speech over political and other speech in violation of the First Amendment and thus must invalidate the government debt collection exception of the TCPA and sever it from the remainder of the statute. Despite concerns that the Court would address the constitutionality of the TCPA in its entirety, the Court left untouched the TCPA’s general restriction on calls made with an ATDS.
Finally, in November 2020, federal courts in both Louisiana and Ohio ruled that in light of the Supreme Court’s July ruling, the TCPA provision prohibiting calls (and messages) made using an ATDS to any cellular telephone number is unenforceable retroactively for the five-year period between November 2015, when Congress amended the TCPA to include an exemption for government debt, until July 2020, when the Supreme Court ruled the government debt exception was unconstitutional.
In 2021, the Supreme Court will weigh in on another petition it accepted for review in July 2020, addressing the Ninth Circuit ruling on the issue of whether the definition of ATDS in the TCPA encompasses any device that can store and automatically dial telephone numbers, even if the device does not “us[e] a random or sequential number generator.” The Supreme Court’s decision should help resolve the circuit split and provide greater clarity and certainty for parties facing TCPA class action litigation.
Internet of Things (“IoT”)
The Internet of Things, or IoT, refers to physical objects that are capable of directly or indirectly connecting to the Internet and that have an assigned IP address or Bluetooth address. “Connected devices” include objects that are not typically considered to be a “device,” such as cars, copy machines, televisions, smart household appliances, medical devices, and personal fitness or health monitors. These devices pose particular cybersecurity risks because they collect large amounts of data, communicate that data to other devices, and store it in the cloud, often with limited ability to be patched or monitored.
The California Internet of Things (IoT) Security Law (SB 327), effective January 1, 2020, requires all connected devices sold or offered for sale in California to include “reasonable security” features appropriate to the device’s nature and function. The statute specifically provides that, for devices with authentication outside a local area network, either a password unique to each device or a requirement that the user set a new password before first access satisfies that standard, so shared default credentials are no longer acceptable. Oregon passed a similar law, also effective January 2020.
In November 2020, the House of Representatives and the Senate passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, which was signed into law by President Trump in mid-December. The Act requires the National Institute of Standards and Technology (NIST) to publish standards and guidelines on federal government agencies’ use of IoT devices. The Act directs the Office of Management and Budget to review government policies to ensure they are in line with the NIST guidelines. Federal agencies will be prohibited from procuring IoT devices, or renewing contracts for such devices, that do not comply with the security requirements.
2021 will see continued growth and integration of IoT devices, and it is likely that additional states will review their privacy and security implications. Organizations will want to review their use of connected devices in their businesses, better understand their privacy and security risks, and implement safeguards to minimize those risks. Using IoT devices may also necessitate reviewing vendor agreements and contractually obligating vendors who may access or collect certain personal information from the business to safeguard that data.
Federal Consumer Privacy Law
Numerous comprehensive data protection laws have been proposed at the federal level in recent years. These bills have generally stalled due to disagreement between the parties over federal preemption and a private right of action. It is possible that COVID-19-related privacy issues, news of the SolarWinds hack, and the new political landscape may help prioritize passing a comprehensive federal data protection law in 2021.
There are currently a few proposed federal bills worth noting:
In March 2020, Senator Jerry Moran (R-Kansas), Chairman of the Senate Commerce Subcommittee on Consumer Protection, introduced the Consumer Data Privacy and Security Act of 2020 (CDPSA). If passed, the CDPSA would provide consumers with a broad set of rights over their personal information and impose significant privacy and security compliance obligations on companies.
Last spring, U.S. Senator Roger Wicker (R-Miss), Chairman of the Senate Committee on Commerce, Science, and Transportation, introduced the COVID-19 Consumer Data Protection Act. The bill aims to provide consumers with greater “transparency, choice, and control” over their health, geolocation and proximity data. Further, the bill would impose data privacy and security requirements on businesses that handle personal data related to COVID-19. Although the bill focuses exclusively on data related to the spread of COVID-19, its consumer protections are similar in kind to those provided for in CCPA, including, for example, notice requirements, a consumer’s right to opt out, data security obligations and more.
GDPR and Cross Border Transfers of Data
In July, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield in the Schrems II decision on the grounds that it failed to provide an adequate level of protection for personal data transferred from the EEA to the U.S. As of the date of the decision, data exporters and U.S. data importers can no longer rely on EU-U.S. Privacy Shield certification as an adequate mechanism to transfer personal data from the EEA to the U.S. The decision affirmed the continued use of Standard Contractual Clauses (SCCs) as an adequate mechanism for transferring personal data from the EEA, subject to heightened scrutiny. In affirming the validity of SCCs, the CJEU highlighted three stakeholder obligations:
the data exporter’s responsibility to verify the importer’s ability to provide an essentially equivalent level of protection in the third country;
the data importer’s responsibility to notify the exporter immediately if it cannot comply with the SCCs, including situations where it is compelled to produce EEA data at the request of law enforcement; and
the data exporter’s responsibility to immediately suspend or terminate the transfer upon notice from the importer that it cannot comply with the SCCs.
In November, the European Data Protection Board published recommendations for reviewing data transfers from the EEA, post-Schrems II, for purposes of appropriate safeguards. This was joined by the European Commission’s release of draft new Standard Contractual Clauses and a draft implementing decision. The draft SCCs cover controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller transfers. These drafts are currently under review, and businesses may see additional commentary and perhaps approval of the SCCs in 2021.
The transfer or receipt of data from the EEA in 2021, including HR data, will continue to pose challenges for U.S. companies. Businesses will want to review their data transfers including the mechanism used, the appropriate safeguards in place, whether there is an onward transfer of data, and whether member state law applies. With the potential for new SCC templates, businesses will also want to determine which existing SCCs will need to be updated.
In September 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) concluded that the Swiss-U.S. Privacy Shield framework, on grounds similar to the CJEU’s Schrems II decision, does not provide an adequate level of protection for data transfers from Switzerland to the United States under Switzerland’s Federal Act on Data Protection (FADP).
Global Data Protection Developments
The GDPR has significantly impacted data protection practices across the globe. Over 130 countries now have comprehensive data protection laws, and numerous others have proposed legislation. In 2020, new or updated data protection laws became operative in several jurisdictions including Brazil, Dubai, South Africa, and New Zealand. Other countries, such as India, China, and Canada, currently have new or updated bills pending.
In 2021, U.S. organizations may face increased data protection obligations as a result of where they have offices, facilities, or employees; whose data they collect; where the data is stored; whether it is received from outside the U.S.; and how it is processed or shared. These factors may trigger country-specific data protection obligations such as notice and consent requirements, vendor contractual obligations, data localization or storage concerns, and safeguarding requirements. Some of these laws may apply to data collection activities in a country regardless of whether the U.S. business is located there.
No doubt, 2021 will be another significant year for privacy and security developments. Organizations should constantly be assessing their privacy and data security risks and implementing policies and procedures to protect the personal information and data they maintain. This is particularly important as the law and industry best practices change and evolve to keep up with technological advancements.