We participated in this year’s Privacy Law Salon: Privacy Roundtable, a unique meeting where the most experienced privacy leaders engage in candid roundtable discussions about today’s most pressing privacy issues, under the Chatham House Rule. We share below our main takeaways from the Roundtable in a high-level, non-attribution format.
On the CCPA & Other State Privacy Laws
Privacy leaders commiserated on the CCPA, citing the uncertainty stemming from vague definitions, unauthenticated individual rights requests, the lack of harmony in compliance approaches, and the anticipated lawsuits from the data breach private right of action. The uncertainty is compounded by the “copycat” laws introduced by some states that have chosen the CCPA (instead of the GDPR) as their model. The slew of uncertainties aside, participants criticized the CCPA for adding consumer confusion and for not furthering consumer privacy, instead identifying the emerging copycat laws as the CCPA’s real impact.
Some were particularly concerned by the impending enforcement actions by the California Attorney General and the accompanying CCPA regulations that the AG was tasked to promulgate. But others noted the AG’s pragmatic history as a privacy enforcer, citing its record under California’s existing “Shine the Light” law, which gave consumers the right to obtain an accounting of how, and to whom, their personal information had been sold in the past year.
The Roundtable participants brainstormed ideas to tackle the CCPA and the growing number of state privacy laws. Some had gotten involved in task forces to establish compliance approaches, norms, and best practices, but others were hesitant to direct energy and resources towards these initiatives given that the CCPA Regulations are still in draft and in light of the new ballot initiative, the CPRA, that Alastair Mactaggart introduced for the November 2020 ballot.
Given the uncertainties, practitioners are in favor of taking an incremental (versus long-term) approach to CCPA compliance. Privacy resources are scarce and expensive. Instead of investing in long-term and expensive technology solutions, some are putting up process-based defenses in the meantime, in case they are placed in a position to defend their compliance approach.
It was the perfect setting to debate the privacy law model that privacy practitioners believe ought to be in place, comparing the GDPR, the CCPA, and the data fiduciary models that different states like New York have proposed. A participant highlighted Oregon’s thoughtful approach, which involves a task force and dialogues with different stakeholders. The questions in everyone’s mind were: How do we come up with a better privacy law that protects consumers where they actually care? How do we rise above the “silly” minutia and tackle the real and important issues in privacy? (More on the latter under the Hot Topics section towards the end of this post.)
On a Federal Privacy Law
As many US privacy professionals know, the two main sticking points for a federal privacy law are preemption and a private right of action. Industry wants broad preemption to address the state uncertainties and a narrow private right of action, if any.
For preemption, the question that legislators, lobbyists, and consumer protection groups will have to negotiate is the level of preemption. Should we have field preemption or a HIPAA-like floor?
For a private right of action, participants noted that Congress would need to define injury, class action applicability, and removal rules.
Several federal privacy bills have been introduced, some of which are summarized below. And although they all differ in substance, they all have one thing lacking: the regulation of government to address governmental privacy abuses. In light of this, the main sentiment is that the US will not have a robust omnibus privacy law.
Other issues that were highlighted from the proposed bills are:
- Algorithmic impact assessments – What would these even look like?
- The duty of care, loyalty, and confidentiality – Some of the bills seem to conflate these different duties.
- A data protection agency (DPA) separate from the FTC – The practitioners seemed to be split on either side of this. At PIX, we recognize the FTC’s robust experience as a privacy and security regulator in the US, while also acknowledging its limitations in authority and resources. Some practitioners argued that we need a DPA that has congressional independence, pointing out that the FTC can never regulate government abuse. Others commented that there is no will, no path, and no incentive for legislators to create a separate DPA.
COPRA was introduced by Senator Cantwell and other Democrats. Some supporters have signaled leaving. Some of its features are:
- Obtain affirmative express consent from individuals prior to processing sensitive covered data;
- Provide transparent privacy policies;
- Maintain reasonable data security practices;
- Conduct privacy/risk assessments;
- Provide individuals rights to access, correction, deletion and data portability;
- Limited applicability to FTC-covered jurisdiction;
- Individual private right of action;
- Leaves state laws in place;
- Duty of loyalty/care; and
- Algorithmic impact assessments.
The CDPA was introduced by Senator Wicker and other Republicans. Its features are:
- Affirmative express consent from individuals prior to processing sensitive covered data
- Transparent privacy policies
- Reasonable data security practices
- Privacy/risk assessments
- Individuals rights to access, correction, deletion and data portability
- Preemption of state data privacy and security laws (except data breach notification laws)
- Duty of loyalty
The bipartisan draft does not address the controversial issues of preemption and a private right of action, but it does include the following consensus points:
- New administrative unit within the FTC called the Bureau of Privacy to administer and enforce the law
- Establish a privacy program with designated privacy protection officers
- Provide individuals the right to access, delete and correct their information
- Abide by requirements derived from principles of data minimization and use limitation
- Implement reasonable security measures
- Registration requirements for “information brokers”
This bill would authorize the FTC to create regulations requiring covered entities that use, store, or share personal information to conduct impact assessments of new and existing artificial intelligence and machine learning (AI/ML) “high-risk” automated decision systems (“ADS”) and information systems.
The DASHBOARD Act was proposed by Senate Democrats. It would require data harvesters like social media platforms to inform consumers and financial regulators of the data they are collecting and whether the data is being leveraged by the platform for profit.
Sponsored by Senate Republicans, the ADD Act seeks to protect both consumers and the innovative capabilities of the internet economies, placing much of the regulatory burden on the FTC. It would restrict a provider from disclosing a user’s records, provide a user with the right to access and correct records maintained by a provider, establish practices for the collection and maintenance of records, and exempt certain small providers from the regulations’ requirements.
This Act is a bipartisan proposal that would grant individuals certain privacy rights. It would also allow covered entities to deny certain services if an individual’s request to opt out makes the service inoperable.
This proposal was introduced by Senator Markey and would combine GDPR-like terms (including “consent prior to collection of personal information”) with the CCPA’s broad definition of “personal information.”
This act would impose duties of care, loyalty, and confidentiality on online service providers with respect to processing and securing user data.
On International Privacy Laws
The Roundtable participants represented international jurisdictions, which made discussions on international privacy law particularly robust. Some were surprised by the following developments: privacy becoming a ballot issue; the lack of privacy knowledge outside the privacy industry; the lack of consistency in global approaches (which signals a road to extreme fragmentation); and the importation of GDPR standards all over the world, when some were of the opinion that we still don’t know enough about the GDPR’s implications.
Regarding GDPR, some Roundtable participants were surprised by the use of data subject requests as backdoors to obtaining data, a development that was less surprising to our CEO given her background in cybersecurity. Others raised the various DPAs’ “schizophrenic” approach to enforcing the GDPR. Some explained the lack of harmonization as expected given the number of DPAs involved: 27. The overall sentiment is that it will likely take years to achieve the GDPR’s purpose of harmonizing data protection within the EU.
The German vs. Irish DPA controversy came up, of course. (The German DPA had likened Ireland’s approach to enforcing GDPR with the German automotive regulator’s go-slow approach on diesel emissions fraud.) Some participants commented that this behavior highlights the DPAs’ adolescent qualities: they are still growing into their new responsibilities as GDPR enforcers, versus mere local DPAs. It will take time to develop a common sense of ownership amongst the DPAs. The controversy also highlights the imbalance of responsibilities amongst the DPAs, with Ireland getting a huge bulk of it. While we know that it takes time to investigate complaints, it bears noting that the procedure for investigations is not harmonized by GDPR. Instead, it is governed by local law, and Irish procedural law is particularly complex. Someone noted that EU law could be triggered if the effectiveness of the GDPR is affected.
Other GDPR issues that came up included a possible adequacy status for California in light of the CCPA. And participants also commented that it looks like Model Clauses are staying for now.
Brazil’s LGPD is largely modeled after the GDPR and takes effect later in August. We were surprised to hear that this has not stopped attempts at enforcement ahead of its effective date, particularly on the requirement to conduct data protection impact assessments. Many were relieved to see that the data localization proposal, supposedly prompted by US spying on the Brazilian president, was abandoned.
While India has historically followed the US’s sector-specific privacy model, its current privacy bill proposal was inspired by the EU’s GDPR. It is also inspired by China’s and Russia’s localization requirements. The inclusion of localization in the Indian privacy bill has garnered much pushback across the world. We learned India’s localization requirement is driven by protectionism, not surveillance (China) or populism (Canada).
The bill also includes the concept of digital sovereignty, which is a state’s right to ask for non-personal data, a term that remains undefined.
Canada’s approach to privacy can be described as a balance between consumer protection (US) and human rights (EU). While a Canadian federal data breach law recently took effect in 2018, practitioners anticipate a comprehensive federal privacy law this year, to be followed by provincial versions.
On Hot Topics in Privacy
Some of the privacy hot topics that were discussed at the Roundtable include: AI/ML, facial recognition, data ownership, and brain-to-computer and brain-to-brain communications.
Regarding facial recognition, practitioners discussed its pervasiveness and ambient characteristics as the underlying challenges. The issue of government access to facial recognition data and the potential scope creep from initial use cases also came up as serious concerns. Two of the most pressing challenges raised were biased data and biased algorithms, particularly the explainability and justifiability of the resulting decisions made.
On the emerging technologies involving brain-to-computer and brain-to-brain communications, practitioners raised the issue of free will and the possibility of manipulation. The FPF’s draft paper on brain-to-computer communication came up as a potential resource on this nascent privacy issue.
In discussing these hot topics, the question of ethics, specifically whether privacy practitioners need additional training on ethics, also came up. Practitioners also highlighted the FIPPs’ inadequacy in handling these cutting-edge issues.
The Roundtable provides a forum for privacy leaders to share insights, resources, and solutions to today’s most pressing privacy problems. Its agenda builds in ample time to both (re)connect with other privacy leaders (in addition to the kickoff reception, it included lunches, cocktail hours, and dinners) and catch up on work (sessions ended at 2 or 3 pm and the networking didn’t restart until 6 pm). There are no sales pitches or vendor booths, although firms and vendors are able to sponsor the event. It is also usually held at the Four Seasons in Miami in February, which is not a terrible location for a privacy conference. With its unparalleled content, attendees, and location, it’s not a surprise that privacy leaders pick it as the one event to go to.