To be sent January 2021

The world will remember 2020 as a year of major events of drastic consequences in so many respects. While the Covid pandemic affected so directly and so massively people, minds, families and economies, it also prompted the adoption of new laws or regulations, including some that touched directly on the collection and use of personal data.  Several of the chapter supplements provided today describe those new rules, adopted throughout the world, to address the many ways in which the pandemic changed the way in which we live, work, or communicate. These changes affected the protection of the privacy and security of personal and business data in so many ways.

There was more than just the tsunami of tragedies and disruptions caused by the pandemic. The global Data Privacy and Security legal framework was also significantly rattled and shattered. The consequences of certain events that occurred in 2020 will be felt for many years to come. 

Several initiatives centered in the European Union are toughening the conditions for access to, and exchange of personal data, hampering the movement of people, goods and services, creating uncertainty and havoc in global business, and causing unnecessary compliance expenses. The July 2020 decision of the Court of Justice of the European Union in the Schrems II case did not just shatter the EU US Privacy Shield program. It is also drastically changing the way in which personal data may be transferred out of the European Economic Area to most of the rest of world.  The uncertainty and havoc created by, or expected from, the ripple effects of the EUCJ Schrems II decision and its aftermaths will be felt for several months or years until a new balance can be developed.

2020 also saw ripple effects of other initiatives of the European Union in the domain of the protection of personal data.  As you recall, the adoption of the 1995 EU Data Protection Directive (95/46/EC) and its implementation in the national laws of the EU and EEA member states caused a dozen of countries, over time, to request to be recognized as providing “adequate protection” to personal data, meaning a protection similar to that which was offered to EU/EEA citizens in accordance with the principles defined in Directive 95/46/EC. With the adoption of the EU General Data Protection Regulation (GDPR), which significantly modifies the concepts laid down in Directive 95/46/EC, those countries that have been recognized as providing “adequate protection” are now adopting or preparing to adopt new laws or amendments to their existing privacy and data protection laws so that they can ensure that they will also be deemed to provide “adequate protection” when their laws are compared against GDPR, the new EU/EEA base data protection law. This is the case for Argentina, Uruguay, New Zealand, Switzerland, Japan, and Canada, for example. Some of these new laws or bills are described in this supplement, and the remainder will be provided in the next supplements.

In the United States, California continues to lead the development of personal data protection laws, and has again been in the limelight for its attempt to increase the protection of consumers’ personal data.  After the chaotic adoption of the controversial California Consumer Privacy Act of 2018 (CCPA) by the California legislature, in November 2020, California citizens voted to adopt a ballot whose ultimate effect with be the replacement of CCPA by a new law, effective as of January 1, 2023, the CPRA or California Privacy Rights Act.  CPRA will expand and toughen the CCPA. Like CCPA, the CPRA has some common elements with GDPR and other data protection laws of the world but takes a drastically different approach. WARNING:  Compliance with GDPR does not mean that all aspects of CCPA or CPRA are covered.  To meet CCPA or CPRA, companies must go back to the drawing board and conduct a careful gap analysis.

This Global Privacy and Security Law treatise is now over 5,000-page long.  While the number of data protection laws has drastically increased over the years, are consumers receiving better protection for their personal data? While the length of privacy and cookie notices has also significantly increased, and new laws grant consumers a wide variety of “privacy rights”, does the average consumer, in any country blessed with a 50- to 150- page privacy or data protection law, understand his/her rights or take advantage of the options offered to them?  Is there a better way to raise consumers’ awareness of the uses and misuses of their personal data? Are there better means to prevent data hogs and unscrupulous entities from misusing or monetizing the details of an individual’s life?