The Morrison & Foerster Privacy + Data Security team is unmatched in its ability to provide creative and practical advice concerning all stages of the information life cycle: from compliance with complex privacy laws, to breach response, to litigating privacy and data security claims and defending enforcement actions. With 2019 behind us, we have tapped our privacy team (thought leaders in the field) to get their opinions on what is likely to happen in the privacy and data security sector in 2020.
General Privacy
Miriam Wugmeister’s predictions for the year ahead:
- We are likely to see more data localization laws around the world including in countries such as India. This will cause continued tension with the global markets and the desire of organizations in the public and private sectors to have increased global visibility and global markets.
- We are also likely to see an increase in fines in the European Union and more “dawn raids” relating to data protection in the New Year.
Marian Waldmann’s predictions for the year ahead:
- Development of do-not-sell requirements will result in changes in the data market, causing some businesses to discontinue selling personal information as not profitable enough to justify the costs of meeting legal obligations and resulting in the cost of personal information increasing as companies seek to add compliance structures to their selling practices.
- As we see the development and proposal of privacy-related bills in other states, more U.S.-centric businesses will begin considering their use and development of privacy and data protection programs at an early stage, resulting in more mid-sized “local” companies developing privacy programs that cover all personal information (not just information for a specific state).
- Russia’s bill establishing the Roskomnadzor’s right to issue fines for data localization violations will encourage the Roskomnadzor to increase activity in this area and will push more companies, particularly companies acting as service providers to a Russian client base, to seek ways of assisting and enabling their clients’ compliance with the law. This may happen, for example, by vendors establishing or leasing local data centers in Russia or by structuring services in a way to take advantage of existing client compliance structures.
Alja Poler De Zwart’s prediction for the year ahead:
- The EU will finally manage to find a pragmatic approach to and an agreement on the ePrivacy Regulation. The ePrivacy Regulation will harmonize the marketing and cookies rules (among others) across the EU, and hopefully reduce overly extensive EU Member States’ rights to deviate from the rules. The consent exception for the analytics cookies should remain in the adopted draft, so the regulators whose guidelines currently require such consent will need to revise their overly strict approach. The infamous Article 10 (Information and options for privacy settings) should remain stricken from the adopted draft, and a practical solution (that will not be the death of the whole industry) will be found for third-party marketing cookies. And then we will hopefully not wake up to find out it was all just a nice dream.
Suhna Pierce’s prediction for the year ahead:
- We may see more jurisdictions adding an extraterritorial hook for application of their data protection laws, such that the laws apply to businesses outside of the country processing personal information of individuals in the country under specific conditions.
Cybercrime
Miriam Wugmeister’s prediction for the year ahead:
- Ransomware attacks will likely increase due to the rise in organizations paying extortion amounts. Absent action by the government, there will be increased pressure on insurance companies to cover ransom payments and for organizations to pay.
Suhna Pierce’s predictions for the year ahead:
- Phishing and spear-phishing will continue to be a primary avenue of attack leading to security breaches, including phishing combined with a two-or-more-step “watering hole” approach, in which an attacker seeks to first compromise an ancillary victim with the aim of leveraging the victim’s access to better position an attack on a primary target.
- We will see increased use of big data and analytics platforms by cybercriminals for targeting and optimizing phishing campaigns, online scams, and other types of attacks. For example, this would include using social media analytic engines to target selected demographics that are most likely to respond to a certain financial scam, or using email response analytics to refine phishing campaigns.
Alex Iftimie’s prediction for the year ahead:
- In 2020, false flag operations and breaches relying on deepfakes will become mainstream. As law enforcement and forensic firms have gotten better at attribution, nation states and other sophisticated actors have done more to cover their tracks, including pointing the blame elsewhere. Although by no means a new strategy (among other examples, we saw the Russian government seek to lay blame for the 2016 DNC hack at Guccifer 2.0’s feet), the proliferation of new technology that makes misdirection easier will increase its prevalence.
Kristen J. Mathews’ prediction for the year ahead:
- In the U.S., we will see more whistleblowing on cybersecurity-related vulnerabilities and breaches. Whenever a business suffers a cybersecurity vulnerability or an actual security breach, there may be opportunities for whistleblowing, and, on top of that, there are incentives for both whistleblowers and their lawyers to bring such claims.
CCPA
Miriam Wugmeister’s prediction for the year ahead:
- We anticipate litigation both from plaintiff’s lawyers who are seeking to test the provisions of the CCPA and the limitations on the private right of action and from the first companies that are found by the AG to have violated the CCPA.
Marian Waldmann’s prediction for the year ahead:
- Growth in transparency about the different ways that companies are using and profiting from personal information following CCPA entering into effect will result in more educated and sophisticated consumers. These consumers will have high expectations regarding control and value of their own personal information and may not be as willing to surrender personal information for a quick discount or newsletter.
GDPR
Alja Poler De Zwart’s prediction for the year ahead:
- Slovenia—the last EU Member State “holdout”—will finally adopt its GDPR implementing law. Slovenia might be more than a year late, but better late than never. We hear that the Slovenian government is under pressure to get this done soon and is aiming for the first quarter of 2020. So if this tiny EU Member State is relevant for your business, keep your ears open.
Lokke Moerel’s predictions for the year ahead:
- In 2020, we will see a flurry of new EU legislation on artificial intelligence (AI) in order to ensure a coordinated EU approach to the human and ethical implications of AI because GDPR is not considered sufficient to address all concerns. Look forward to:
  - legislation on transparency of decision-making systems, specifying explainability requirements and setting specific liability and certification regimes;
  - sector-specific legislation in the health sector ensuring rigorous implementation of the ethical rules;
  - legislation on facial recognition technology, as the GDPR framework is considered insufficient to address all issues created by the growing use of AI-based facial recognition technology; and
  - creation of regulatory bodies for review of algorithmic decision-making.
- In 2020, we will see an exceptionally large number of EU Binding Corporate Rules (BCRs) applications being filed and approved. BCRs have become increasingly attractive for companies as a mechanism for cross-border transfers of personal data from the EEA, due to continuing legal challenges to the validity of EU standard contractual clauses (SCCs) as a transfer mechanism. We also expect approvals of BCR applications that have been pending since the GDPR came into force to be forthcoming now that the European Data Protection Board (EDPB) and national supervisory authorities seem to have aligned on how to implement the updated BCR requirements due to GDPR.
- We will see a renewed debate on the merits and viability of the One Stop Shop enforcement mechanism under GDPR, as certain jurisdictions have proven to be a bottleneck in enforcement due to the sheer volume of companies with EU headquarters in these jurisdictions. The backlog will be increased by the UK leaving the EU, resulting in one less heavy-hitting supervisory authority being able to share the workload.
Annabel Gillham's predictions for the year ahead:
Data transfers: It is now more certain than ever that the UK will leave the EU with an approved deal on January 31, 2020. A priority for the future relationship between the UK and its “friends and partners in the EU” (to coin Boris Johnson’s phrase) will be to ensure uninterrupted flows of personal data. Having pledged not to seek an extension of the transitional period beyond December 31, 2020, the UK will press the European Commission to act on its commitment to start adequacy assessments with respect to the UK “as soon as possible.” The UK GDPR is already drafted—but watch out for the UK tracking the draft ePrivacy Regulation in its quest for adequacy status.
Enforcement: The UK government is likely to reinforce its request to play some part in the EU’s One Stop Shop of data protection regulators, arguing that this will reduce the risk to businesses of over-regulation and double jeopardy in terms of fines. Note that the UK GDPR provides for fines of up to £17.5 million or up to 4% of annual worldwide turnover, whichever is the greater. The current political pledge between the EU and the UK is, at best, aspirational; it states simply that the EU and UK “should also make arrangements for appropriate cooperation between regulators.” There is a lot of work to do in 2020 to improve this position for businesses.
Class actions: We will see a steady increase in civil litigation for damages under the GDPR, as individuals become more aware of their data protection rights and of high-profile data breaches and regulatory fines. Published decisions by regulators are already starting to fuel private rights of action, and we expect this to continue. In the UK, where the larger fines to date have been issued, the civil litigation regime has started to permit “opt out” representative actions for damages under data protection legislation (similar to U.S.-style class actions), leading to group claims which, if successful, would dwarf GDPR fines. We predict that 2020 will bring further case law—and hopefully some certainty—on the necessary tests for launching representative actions under the GDPR.
IoT Security
Christine Lyon’s prediction for the year ahead:
- California’s new IoT data security law takes effect in January, and I predict that we will see more privacy laws geared toward protecting the privacy and data security of connected devices. Together with the CCPA, the California IoT data security law expands the types of device-related data that require privacy and data security protections. In 2020, we will continue to see privacy laws expanding beyond the realm of what traditionally has been considered personal information in the U.S.
Suhna Pierce’s prediction for the year ahead:
- IoT data security will continue to be a source of concern, with increased ransomware and other attacks resulting in loss of availability, unauthorized use of the device or acquisition of data, and establishment of footholds for further compromising a network.
Alex Iftimie’s prediction for the year ahead:
- In 2019, companies had just started to get a handle on endpoint management of devices at the edge of the network. In 2020, the adoption of 5G will enable a massive increase in internet-connected devices, outpacing the security controls of the past year and creating headaches for privacy and data security professionals. Companies’ approaches to IoT security in 2020 will set apart the security industry leaders from the rest.
Biometrics
Christine Lyon’s prediction for the year ahead:
- The new year will bring more privacy regulation of facial recognition and other biometric technologies, as the growing prevalence of these technologies will raise greater scrutiny of their privacy implications. At the same time, biometric data is increasingly recognized as a valuable tool for identity-verification purposes, creating a tension between the privacy risks and security-related advantages of biometric data. Legislators will struggle to balance the privacy and data security concerns and will take differing approaches, resulting in inconsistent laws from jurisdiction to jurisdiction.
Whistleblowing Hotlines
Alja Poler De Zwart’s prediction for the year ahead:
- The majority of the EU Member States will prepare and publish draft whistleblowing laws for the purpose of implementing the new Whistleblowing Directive well before the Directive’s compliance deadline imposed on the covered companies (December 2021). The recently adopted Directive requires Member States to create rules that mandate organizations with more than 50 workers in the EU to set up whistleblowing hotlines and accept reports about violations of the EU law. The new rules will give significant privacy rights and legal protections to the whistleblower and the accused, so organizations will need to tread carefully. We will begin our monitoring right after New Year’s and keep you informed!
HIPAA
Melissa Crespo’s prediction for the year ahead:
- There will be increased scrutiny on healthcare analytics in the HIPAA context, particularly in light of recent backlash regarding Google’s provision of analytics services to a large healthcare system. While generally the use of an analytics provider to perform analytics on the protected health information of a HIPAA-covered entity is permissible, this disclosure of health information to a third party may not align with patients’ privacy expectations, and there are also concerns about whether analytics providers are sufficiently limited to using the protected health information for providing the services, and not for their own purposes. There is a need to balance patient privacy with the tremendous benefit that health information can provide to improving patient healthcare outcomes. Expect that 2020 will involve careful thought from regulators and businesses on how to balance these interests.
Cyber Insurance
Alex Iftimie’s prediction for the year ahead:
- Public calls for a U.S. federal backstop to insure against catastrophic cyberattacks will increase in 2020. As Congress takes up the debate over whether to reauthorize the federal terrorism insurance backstop, the question will rightly be asked: why not catastrophic cyberattacks?