Each year, the world observes Data Privacy Day on January 28th. This international effort raises awareness of how organizations may be using, collecting or sharing an individual’s personal information. It also draws attention to businesses that may not be taking the privacy of their corporate or customer data seriously. In response, Data Privacy Day seeks to inspire dialogue about the importance of privacy for all of us in this digital age.
The theme for Data Privacy Day 2021 is “Own Your Privacy.” Its aim is to help consumers learn how they can protect their privacy as well as hold organizations responsible for respecting the privacy of their customers. This message gives consumers and organizations alike an opportunity to look back on the events that shaped privacy in 2020 with an eye towards the future.
Let’s look back on a few events in particular: the California Consumer Privacy Act, the California Privacy Rights Act, Schrems II and the General Data Protection Regulation.
CCPA Takes Effect…and Is Expanded Through CPRA
On January 1, 2020, the California Consumer Privacy Act (CCPA) of 2018 took full effect. Like the General Data Protection Regulation (GDPR), the CCPA has inspired other jurisdictions—Hawaii, Massachusetts, New Jersey, Pennsylvania, Puerto Rico, Rhode Island and Washington—to propose privacy bills. The Office of the Attorney General for the State of California explains that the CCPA gives California residents more control over their personal information. It specifically upholds California consumers’ right to know which types of information businesses are collecting about them and how those entities are sharing and using that data, the right to delete that collected information, the right to opt out of businesses selling that information and the right to non-discrimination when exercising the rights enshrined by the CCPA. Under this legislation, businesses, data brokers and other in-scope entities must provide consumers with notices that explain their privacy practices.
To strengthen CCPA, California voters passed Proposition 24, the California Privacy Rights Act (CPRA) on November 3rd of last year. The purpose of CPRA is to amend CCPA in several ways. As noted in a recent post on our blog, “CPRA Becomes the New Standard. Are You Ready?,” CPRA’s changes help to further protect California consumers’ personal information and highlight the importance of specifically safeguarding children’s privacy.
CPRA also includes two other notable changes for businesses that collect California consumers’ information. First, it provides a comprehensive, specific and historically more wide-reaching definition for Sensitive Personal Information (SPI), a category of data which comes with certain rights for consumers and certain compliance burdens for organizations. Second, it creates the California Privacy Protection Agency (CalPPA), an agency charged with enforcing CPRA by imposing fines and penalties on those who violate the law. It is the first agency in the United States whose sole mission is to uphold consumers’ privacy rights.
The World Moves Beyond Privacy Shield
Over the summer of 2020, the Court of Justice of the European Union issued what has come to be known as the “Schrems II decision.” This ruling found that the EU-U.S. Privacy Shield framework did not uphold EU citizens’ privacy rights. In doing so, the Schrems II decision made it difficult for organizations outside of the EU to guarantee the safeguarding of EU citizens’ data.
The European Data Protection Board (EDPB) took up this issue in November when it adopted recommendations on supplementary measures for securing transatlantic data transfers. One point stood out to Thales in this blog post, “A Solution to Schrems II and the Security to Transatlantic Data Flows”: the need for encryption to prevent public authorities from gaining access to personal data. Using that technical measure and others like it, organizations could build a new privacy framework for transatlantic data flows. Such a framework would enable organizations to discover and classify their data, use encryption to protect it in motion and at rest, and securely store those encryption keys while controlling access to that data.
GDPR Fines Increase
DLA Piper recently reported that regulators had imposed $332.4 million in fines in response to organizations’ infringements of Europe’s data protection requirements, including the General Data Protection Regulation (GDPR). The multinational law firm went on to say that regulators had received 281,000 data breach notifications since GDPR took effect in May 2018. Over the course of 2020, these regulators received a combined 331 data breach notifications per day—up 19% compared to the previous year.
How Organizations and Consumers Can Defend Their Privacy
The events of 2020 will no doubt shape privacy for the months and years to come. Regulatory and industry mandates are not new, but worldwide they seem to change daily, and for most organizations the pressure, cost and effort required to protect data privacy have never been higher. The National Cyber Security Alliance (NCSA) recommends that individuals think carefully about whether they want to share their data with a given business and weigh that decision against the benefits they might receive in return. They also need to exercise caution around apps that request an unnecessary amount of information, and to manage their privacy and security settings to keep their data safe.
Overall, the theme “Own Your Privacy” encourages everyone to do their part to promote a culture of privacy. It is our responsibility to own our data, not the application’s, the cloud service provider’s or the company’s, but we also all share a responsibility to respect the privacy of our customers, partners and employees. Remember, data privacy is a continuous effort. Be sure to regularly update your apps, software and connected devices throughout the year, not just on Data Privacy Day. Fortunately, CCPA, CPRA, GDPR and the other privacy standards share many of the same controls. By following data security best practices and using flexible data security platforms, you can protect regulated data and comply with hundreds of global privacy laws and regulations. Together, as responsible and vigilant digital users, we can better manage our data and privacy by working with organizations that treat privacy as a top priority.
How Thales Can Help Organizations Maintain Privacy
Thales’s CipherTrust Data Security Platform can help organizations comply with global data privacy regulations that took effect in 2020. This platform enables organizations to discover, protect and control their data while implementing access control and managing their keys within a single platform. Find out more in our CipherTrust Data Security Platform white paper.