The world’s most important privacy law—Europe’s GDPR—went into force over two years ago, but 2021 may be the year that its shockwaves are fully felt across the globe.
GDPR copycat laws are now taking hold in some of the world’s most important jurisdictions. Brazil’s privacy law, modeled closely on the GDPR, finally took effect this past August, and both the Brazilian authorities and private sector are working feverishly to put it into practice. In the next year, expect the new Brazilian data protection authority to issue guidance, render “adequacy decisions” identifying countries to which data can be transferred with extra safeguards, and approve mechanisms to transfer personal data to remaining countries. South Africa’s law went into force this past July, and enforcement starts in July 2021. India continues to consider its comprehensive Personal Data Protection Bill, spurred by a landmark Supreme Court judgment declaring privacy to be a fundamental right. A number of controversial provisions and the COVID-19 crisis delayed the bill’s consideration in 2020, but if and when the crisis subsides, the bill may return to the table in 2021. And in late October, China began consultations on a GDPR-inspired Personal Data Protection Law. The enactment of these laws will complete the expansion of comprehensive private-sector privacy laws across the BRICS. Meanwhile, the California Consumer Privacy Act went into effect at the start of 2020, and now California citizens have adopted a supplemental law (the California Privacy Rights Act) that will bring California even closer to GDPR standards. It goes into effect in 2023, but the race to compliance starts now. And even the US Congress seems intent to consider stronger federal privacy measures, though it remains to be seen whether the parties can achieve a compromise over a private right of action and preemption. The bottom line is that companies need to plan for a world where privacy laws give individuals substantial rights over personal data that companies previously regarded as their proprietary business assets.
The world continues to grapple with this year’s Schrems II decision, in which the European Court of Justice applied GDPR to invalidate a key mechanism for moving personal data from Europe to the United States. The court simultaneously suggested new restrictions on other widely-used mechanisms. In 2021, expect the decision’s impact to be felt in two ways: First, other countries with GDPR-like laws may follow the Schrems II reasoning and similarly restrict transfers to the US. Switzerland, for example, quickly adopted the decision. Second, European jurisdictions may start looking at jurisdictions other than the US—in particular those with powerful surveillance authorities—and restrict transfers to those jurisdictions, too. Meanwhile, the US government’s orders against TikTok and WeChat show how even a country without a comprehensive privacy regime can use other laws like sanctions to restrict personal data flows.
Finally, expect greater activism by private individuals and organizations in the privacy space. Europe’s baby steps towards mass-claim regimes has created fertile ground for self-appointed privacy champions to bring large-scale litigation against privacy companies for perceived privacy failings. In the US, privacy advocates have succeeded in pushing laws like the CCPA and CPRA. Across the globe, these privacy advocates have rapidly garnered a popular following that gives them actual power. Although they are merely private organizations, when they expound their views on the law or issue guidance, companies listen.