It has been a busy year for privacy and cybersecurity. Here is a look back at the highlights of 2018 and a preview of what 2019 may have in store in the United States, Europe, and China:
Privacy: This year saw a proliferation of several state and federal legislative proposals aimed at protecting consumer privacy and bolstering cybersecurity protections. Notably, California passed the most sweeping privacy law in the country thus far (the California Consumer Privacy Act of 2018), and amendments to the law will continue well into next year until the law enters into force in 2020. Following the CCPA, many members of Congress and the administration began proposing their own, federal-level privacy laws (including Senators Ron Wyden (D-OR) and Brian Schatz (D-HI)). It is unclear which of these proposals stands the greatest chance of moving forward in 2019, or how many additional proposals will be introduced by members of the new Congress.
Cybersecurity: As of 2018, all 50 states (plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands) have their own state breach notification laws. In addition, Ohio Senate Bill 220 entered into force in November. The new law creates a “safe harbor” from certain types of tort-based liability for any “covered entity” that implements a cybersecurity program that satisfies certain requirements. These new laws were enacted against the backdrop of the continually increasing frequency of, and costs associated with, cyber incidents.
Federal Trade Commission: The year 2018 ushered in a brand new Federal Trade Commission, which began to signal its enforcement priorities through the “Hearings on Competition and Consumer Protection in the 21st Century.” The hearings suggest that the FTC will continue to focus on privacy, and may pay closer attention to the intersection of privacy and competition. 2019 may be a particularly interesting year for the agency, as many federal privacy legislative proposals include provisions that would expand the scope of the agency’s authority and provide the agency with rulemaking authority and/or the ability to levy civil penalties.
Surveillance Law: The CLOUD Act, which was signed into law in March 2018, created a framework for government access to data held by tech companies worldwide. Next year, we may see that framework put into action as the United States considers how to approach entering into bilateral executive agreements with certain countries. In addition, the Supreme Court’s decision in Carpenter v. United States held that law enforcement must get a warrant in order to obtain cell site location information from cell phone providers. Going into 2019, debate over the scope of the decision will continue as federal courts consider what, if any, additional types of information held by third parties may require a warrant.
Privacy in the Courts: In October 2018, a New Jersey federal court dismissed an eight-count class action complaint against smart TV makers, which included a complaint that the makers allegedly violated the Video Privacy Protection Act (VPPA). In addition, in 2019 the Illinois Supreme Court will decide the statutory standing requirements under the Illinois Biometric Information Privacy Act (BIPA)—the only state biometric law that contains a private right of action.
Of course, the story of the year was the General Data Protection Regulation (GDPR) entering into force on May 25, 2018. The law radically overhauled the European Union’s data protection framework, and may have inspired similar laws and legislative proposals in countries such as Brazil and India. European regulators already are intensifying their enforcement of the GDPR, with several investigations launched and fines levied in the past few months alone.
In addition, in December 2018 the European Commission published its report on the second annual review of the EU-U.S. Privacy Shield. The report concluded that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the United States. Separately, the International Trade Administration’s Privacy Shield Team released new guidance regarding how a Privacy Shield participant may rely on the Privacy Shield to receive personal data from the United Kingdom following its planned withdrawal from the EU. In particular, the guidance advised that companies that wish to receive data from the United Kingdom will need to update their privacy policies to do so.
The EU also continued to consider the privacy implications of next-generation technologies such as artificial intelligence. The Declaration on Ethics and Protection in Artificial Intelligence was issued at the 40th Annual Data Protection and Privacy Commissioner’s Conference in Brussels in October 2018, and in December 2018 the EU High-Level Expert Group on AI published new draft guidance on “AI Ethics”. The non-binding guidance stresses that AI must be developed and implemented with a “human-centric approach” that results in “Trustworthy AI,” including by respecting privacy.
In 2019, the story of the year will likely be Brexit, with the United Kingdom scheduled to leave the European Union. As of the date of this post, we are unsure whether there will be a transition period, or whether the departure will be a “hard” Brexit. However, on December 13, 2018, the Information Commissioner’s Office (ICO) issued guidance on the state of UK data protection law in the event of a “hard” Brexit.
In 2018, China issued the national standard on protection of personal information (GB/T 35273-2017 Information Technology – Personal Information Security Specification), which entered into force on May 1, 2018. This standard (although not legally binding) effectively sets out “best practices” that will be expected by regulators who audit companies and enforce China’s existing data protection rules.
In addition, China’s Ministry of Public Security (MPS) issued the Draft Regulation on Cybersecurity Multi-Level Protection Scheme, which provides guidance for network operators to comply with obligations relating to the Multi-Level Protection Scheme (MLPS), as required by China’s Cybersecurity Law. Once the Draft is finalized, enforcement actions by the MPS are expected.
MPS also released the Regulation on the Internet Security Supervision and Inspection by Public Security Organs, which took effect on November 1, 2018. This regulation provides detailed procedural guidance with respect to how public security bureaus (China’s police force, the “PSB”) conduct cybersecurity inspections of companies that provide a broad range of “Internet services” in China. This regulation will likely pave the way for more cybersecurity enforcement actions from PSBs in the future.
In 2019, the Regulation for the protection of Critical Information Infrastructure (CII Regulation) will likely be finalized. The CII Regulation will clarify how CII operators are expected to protect their networks against cyber threats. It will also set out additional obligations that CII operators may face, including allowing officials to perform cybersecurity inspections. In addition, cross-border transfer rules for personal information and other important data are expected to be finalized. Under the latest draft version released on May 19, 2017, companies could face a general obligation to assess the security of their cross-border transfers and potentially undergo security assessments for such transfers by the Chinese government.
* * *
We look forward to continuing to monitor these and other developments in the new year.