Eversheds Sutherland (International) LLP
The company and law firm names shown above are generated automatically based on the text of the article. We are improving this feature as we continue to test and develop in beta. We welcome feedback, which you can provide using the feedback tab on the right of the page.
January 19, 2022 – The relentless rate of change in the threat and regulatory environments for cybersecurity and data privacy did not abate in 2021, and we should expect increasing volatility in 2022, necessitating more than ever a forward-looking, risk-based and increasingly globalized strategy. At the same time, exciting new technologies continue to mature and open up new opportunities — and risks.
Amidst this complexity and disruption, especially for companies operating in or looking to expand into new jurisdictions and markets around the world, the lessons of the past year can help chart the best course for the year ahead.
First, the bare minimum in privacy is not enough
Register now for FREE unlimited access to Reuters.com
The U.S. military has a tongue-in-cheek saying that, “they wouldn’t call it the minimum if it weren’t good enough.” Fair enough, but they often follow that with: “But never ask me what the minimum is.”
In 2022, as it was in 2021, it is often better to set a high mark for your privacy program if you operate in multiple U.S. or global jurisdictions. Aiming high is likely to better enable your organization to accommodate new laws or regulations, or new interpretations of them.
If 2021 is any indication, the number of enhanced U.S. and global privacy laws and regulations will continue to proliferate. During the past year or so:
•The Colorado Privacy Act (ColoPA) and the Virginia Consumer Data Protection Act (VCDPA) advanced into law (with effective dates of 2023);
•China’s Personal Information Protection Law took effect;
•The UAE released its new privacy law;
•South Africa’s privacy law came online;
•California voters passed the California Privacy Rights Act (CPRA); and
•The European Union, in response to the Schrems II decision, approved new Standard Contractual Clauses to enable (or discourage) cross-border data flows.
Next year, we should expect to see what the U.K.’s approach to cross border data flows will be, along with potentially further changes to simplify the U.K. GDPR, and we should expect U.S. states to resume efforts to pass their own enhanced privacy laws while California should release its much-anticipated regulations to the CPRA.
We may also see changes to Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) and Hong Kong’s Personal Data (Privacy) Ordinance, while Thailand’s privacy law will enter into force.
As we advised last year, Europe’s General Data Protection Regulation (GDPR) continues to be the emerging global standard, and compliance with it will make compliance with future privacy laws that much easier and more efficient.
Second, keep up your guard and fortify your defenses
While the tone of foreign affairs may have changed, geopolitical tensions continue to rise, indicating that the cybersecurity threat environment will continue to be hostile to many companies. Many cyber threat organizations, if not necessarily state-sponsored, are state tolerated or encouraged. There is also a lot of money to be made in cybercrime, especially using ransomware tools.
Accordingly, it is more critical than ever to maintain and regularly update cybersecurity plans and policies and ensure that cybersecurity becomes a part of your culture. Cybersecurity is not just about IT, it is about governance, planning, practice, training and individual accountability from the new starter to the CEO.
Consider updating plans and policies to address specific types of attacks, such as ransomware attacks, which come with a unique set of legal and practical considerations. With the 2021 increase in systemic attacks — i.e., attacks that target a common vulnerability in widely used software or devices — 2022 will also require ever more third-party due diligence.
Third, as the threat and opportunities goes, so do the regulators
Expect regulators globally to step up their efforts and expectations — and not just in the form of newly created privacy regulators. Also entering the data regulatory arena to display their armor will increasingly be sectoral regulators, and those with responsibilities for trade, competition, and consumer protection.
The pandemic has illustrated the power of data and its importance to the future economic health of nations, so it is no surprise that regulators charged with tempering power through anti-trust and competition routes, or those seeking to facilitate or protect digital trade or consumers, are entering the fray.
Meanwhile, existing privacy regulators will increasingly test their jurisdictional reach by taking action themselves rather than relying on other “lead” regulators to do so; while challenging the enforcement decisions of others for insufficient severity. Witness the debate within the EDPB member regulators on recent decisions, and the direct steps France’s CNIL has taken to enforce cookies rules (under the EU e-privacy rules).
Conversely, we can also expect that those on the receiving end of enforcement decisions will vigorously dispute them in 2022. As fines, other business impacts, and litigation tails increase, the balance is tipping in favor of challenging overreach, poor decision-making processes, and lack of jurisdiction through administrative and other court processes.
With the onslaught of systemic attacks, especially against critical infrastructure and the supply chain, U.S. and global cybersecurity regulators continue to step up their expectations in relation to cybersecurity. In May 2021, for example, President Biden made cybersecurity one of his top priorities, and federal departments and agencies are following suit.
For example, in response to the administration’s directive:
•The U.S. Department of Justice in October 2021 announced its Civil Cyber-Fraud initiative, which will use the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The initiative leverages the buying power of the federal government to raise the bar on cybersecurity, with the hope that the standards adopted by government contractors will eventually be matched by the private industry.
•The U.S. Treasury’s Office of Foreign Assets Control (OFAC) issued updated ransomware guidance outlining defensive and response measures to take in the event of an attack, including actions that may help mitigate OFAC enforcement if a business pays a ransom. They also began sanctioning those cryptocurrency exchanges that are facilitating ransomware attacks.
•The U.S. Transportation Security Administration released a series of Security Directives aimed at pipeline operators detailing very specific and rigorous expectations and aggressive timelines for compliance.
•The Financial Crimes Enforcement Network (FinCEN) identified cybercrime as a top priority for anti-money laundering and countering the financing of terrorism policy and will release regulations to implement this policy in the very near future.
The Securities and Exchange Commission is also expected to release a new rule in 2022, and the U.S. Congress keeps working on a federal breach response law.
These U.S. examples are illustrative of movements we are anticipating will continue globally. Within Europe, there are proposals for a new EU National Infrastructure Directive (so called NIS Directive 2.0) as well as sector specific requirements appearing such as the Digital Operational Resilience Act for financial services, and new U.K. cybersecurity laws and international standards focusing on smart devices.
Importantly, global regulators (and increasingly sectoral regulators) continue to pay very close attention to cybersecurity preparedness, including subjecting companies that have suffered data breaches to heightened scrutiny, and they continue to adopt or enhance new minimum standards for data security programs.
Accordingly, it is more important than ever to stay abreast of the latest threats (including perhaps by participating in an Information Sharing and Analysis Center), and the latest expectations on reasonable or appropriate cybersecurity.
More and more jurisdictions are expecting to see multi-factor authentication and encryption used, for example, and most will expect to see an updated information security program, including third-party due diligence.
Fourth, embrace the metaverse
The metaverse and web3, including NFTs, smart contracts, DAOs and crypto (discussed below), will continue to evolve in new and exciting ways, raising novel and fascinating privacy, security, liability and IP issues, among others.
But in this rapidly unfolding environment, companies may not have time to wait for legal certainty before rolling out or adopting new technologies. Rather, they need to anticipate regulatory and legislative trends, and oftentimes incorporate global privacy and security standards at the earliest stages, while making risk-based, forward-looking decisions.
In the EU, the Digital Markets Act amongst a plethora of other proposals is demonstrating that regulators will continue to layer controls as they see technology pulling ahead of existing rules.
Fifth, expect increased scrutiny over the use of AI
As Artificial Intelligence (AI) technology continues to advance at a rapid pace, its real-world impact on major decisions in peoples’ lives will continue to grow, highlighting the importance of employing algorithms that produce fair and defensible outcomes.
Currently, automated decision-making can influence one’s ability to obtain employment, credit, housing and healthcare, among other things, and the way it is programmed and implemented carries the risk of bias, disparate impact and inequitable outcomes. Businesses that make use of this technology should consider focusing on not only developing AI that minimizes possible discrimination, but appropriately documenting its efforts and continuous oversight.
During the past year, the U.S. Congress, the Consumer Financial Protection Bureau (CFPB), the Federal Trade Commission (FTC), the National Association of Insurance Commissioners (NAIC), the Brazilian House of Representatives and Federal Senate, U.K. Government and the European Commission all indicated through various actions, regulators’ attention on this technology’s development — thus, putting forth the time and effort to get it right from the beginning will produce better outcomes for consumers as well as potentially prevent enforcement actions and/or litigation.
Sixth, continue to expect an active, high-tech plaintiff’s bar
In 2021, plaintiffs continued to file putative class action complaints arising not just from data breaches, but also challenging the use of new technologies. This trend is not just confined to the U.S., particularly as the momentum towards group claims picks up in key global jurisdictions as well, with plaintiffs’ counsel, consumer associations and privacy activists turning to exploring the boundaries of group actions and challenging existing privacy legislation. This trend will accelerate in the coming year, and it will put a premium on both proactive, documented compliance as well as on well-practiced response capabilities.
In particular, an energized U.S. plaintiffs bar in 2021 tested new theories of standing and liability under the CCPA and related consumer protection statutes, and they continued to advance new arguments under the Illinois Biometric Privacy Act (BIPA), which regulates the collection, use and storage of biometric information belonging to Illinois residents.
As new uses for facial recognition technology emerge, so too will lawsuits arising from that technology, especially as more U.S. states adopt BIPA-like laws that allow for statutory penalties and private rights of action.
In addition, the Federal Trade Commission and state attorneys general may continue to bring actions against companies that employ biometric technology.
Similarly, as the cryptocurrency market continues to grow and various centralized and decentralized exchanges and lending platforms cater to U.S. and international customers, 2021 saw a proliferation of crypto class actions, particularly in California.
This trend, too, will accelerate in 2022, with courts and arbitration tribunals facing a variety of novel contractual, consumer protection and securities claims related to crypto. Given the unsettled legal status of crypto, its decentralized and global reach, and the extreme volatility in those markets, these claims will become increasingly common.
Businesses operating in the crypto space should therefore consider closely reviewing the terms and conditions of their platform to ensure they are adequately protected, paying particular attention to governing law provisions and dispute resolution mechanisms (and considering whether arbitration may be the most protective).
In Europe, we are awaiting some key decisions from the Court of Justice of the European Union (ECJ) which will impact organizations in particular on their privacy litigation front. It is expected that the court will provide answers on foundational questions, such as: does immaterial damage have to be significant under the GDPR in order to grant compensation to the data subject?; does the amount of the immaterial damage have to be assessed also from a general prevention point of view?
Another question the ECJ must decide is whether minor fault or lack of fault on the part of the controller or the processor can be taken into account in its favor when assessing the amount of fines and damages.
Finally, an interesting question relates to whether persons other than harmed data subjects (e.g., consumer associations) may initiate judicial proceedings for GDPR breaches against the infringer. Depending on the ECJ’s answers, companies will need to adopt their privacy litigation strategy.
In the People’s Republic of China, we observed several proceedings being commenced against various “BigTech” organizations within days of the PIPL coming into effect — as the use of personal data on the mainland faces further increased scrutiny.
In 2021 we saw the significant “tech crackdown”, with the regulatory authorities in mainland China closely examining the operations of its technology firms in what emerged as a watershed moment for technology organizations. As we embark upon 2022, we are expecting to see the regulatory authorities continue their hard-line stance on tech giants as they come under further pressure to align with China’s national strategic priorities.
Seventh, employment law and privacy law will increasingly intersect
Key aspects of privacy and employment law will continue to merge. As in Europe, many of the privacy laws emerging globally extend protections to staff and job applicants. In the U.S., the California Privacy Rights Act rights go into effect on January 1, 2023, implicating human resources data.
With differing requirements on when consent or another legal basis is required or whether a notice is sufficient, globalizing an approach for this category of data is an operational as well as legal challenge facing organizations across most sectors, as they continue to grapple with the COVID-19 pandemic.
In particular, the pandemic has highlighted the importance of employee safety, employee monitoring and protection of confidential information. These workstreams potentially lead to the collection of sensitive employee data.
For example, an increasing number of employers now find themselves inclined toward employee monitoring to ascertain the security of business information and productivity. However, this is an area of contention in several jurisdictions as employees use company equipment to store personal data and as more employers institute “Bring Your Own Device” policies.
Further complicating the employee privacy landscape is the increased use of artificial intelligence, as employers grapple with consequent privacy law and employment law obligations. For example, a recent New York City Council measure, effective January 2023, requires employers to notify candidates if artificial intelligence is used to make hiring decisions and subjects such tools to an annual bias auditing.
Conclusion and outlook
The volatility and complexity within cybersecurity and data privacy will continue to increase in 2022, and new technologies will continue to provide tremendous promise, especially if lawyers are there on the front-end to incorporate privacy and security by design. With strategic preparation, foresight, and planning, companies will continue to reap the benefits while mitigating the risks.
Sarah Paul (New York), Rhys McWhirter (Hong Kong), Nils Mueller (Munich), Brandi Taylor (San Diego), Ian Shelton (Austin), Frank Nolan (New York), Deepa Menon (Washington, D.C.), and Alexander Sand (Austin) also contributed to this article.
Register now for FREE unlimited access to Reuters.com
Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. Westlaw Today is owned by Thomson Reuters and operates independently of Reuters News.