With 2020 coming to a close, SC Media is delivering, through a series of articles, our picks of the highest-impact events and trends of the last year, which we predict will factor into community strategies in 2021 and beyond. This is the second in that series.
If 2019 was an opportunity for privacy advocates to push for preparation ahead of looming data protection deadlines, then 2020 was the year organizations were expected to prove themselves ready.
In retrospect, companies probably shouldn’t have gotten too comfortable with Privacy Shield anyway. Even though the pact, which took months for the U.S. and EU to hammer out, had been in place four years, the surveillance practices in the U.S. had always been a controversy likely to rear its head again. Western European countries view privacy and surveillance very differently – privacy is considered a right there. The U.S., by contrast, allows surveillance of foreign nationals.
The court’s decision should be a rallying call for the U.S. to finally cobble together a national privacy law.
The patchwork of privacy laws that make up the various rules governing personal data in the United States, as well as the failed attempts by states like Washington and New York to establish their own, “point to the long overdue need for a federal law on privacy that at least meets the same level of protection as the GDPR,” said Steve Durbin, managing director of the Information Security Forum.
Although the ECJ ruling applies to transfers between the U.S. and EU, its implications spread well beyond the U.S. “Twice now the European Commission has tried to reach an agreement with the U.S. on data protection, only to have its efforts ruled unlawful,” Stewart Room, global head of data protection and cybersecurity at DWF, said at the time of the decision. “There needs to be a different mindset to how the challenges of international transfers to the U.S. are met, because failed schemes like this have significant impacts for individuals and for businesses.”
In the aftermath of the ECJ ruling, Durbin doubts such national legislation will be forthcoming. “Federal lawmakers have traditionally shied away from such a move, preferring to hand responsibility for enforcement to state attorneys general.”
But inspiration for a federal law may come from another piece of California legislation, the recently passed California Privacy Rights Act (CPRA), whose strong support of privacy rights is more in line with European privacy protections.
“The CPRA gives Californians some of the most stringent online privacy rights in the world. Californians now have the right to know about the personal information businesses collect and share, the right to delete personal information collected about them, and the right to opt-out of the sale of their personal information,” Charles Ragland, security engineer at Digital Shadows, said of the legislation, which applies to Californians even when they’re temporarily out of state.