OneTrust DataGuidance Privacy Review: Q4 2020
The end of 2020 delivered notable privacy developments on a global scale. 2020 was dominated by Schrems II headlines, and in Q4, both the European Commission and the European Data Protection Board released significant documents for public consultation as a response to the case.
Furthermore, we saw further significant privacy developments in California, New Zealand, China, Singapore, Canada, Switzerland, and Israel. Late 2020 also played host to several important international trade agreements and a trend in enforcement actions, notably so in the Americas.
Things do not look to be slowing down as we head into the first quarter of 2021: increasing calls for a federal US privacy law, the potential of an adequacy decision for the UK, and legislative progression in China, India, and Pakistan, all begin to appear on the horizon.
Enforcement actions across the Americas, CPRA, CPPA, and HIPAA
In the Americas, there were several critical developments as part of ongoing privacy discussions during Q4. On 3 November 2020, the CPRA was passed by the Californian electorate, which sought to strengthen consumer rights. Shortly after, significant changes were also proposed in Canada through Bill C-11 for the Digital Charter Implementation Act, 2020, which would enact the Consumer Privacy Protection Act ('CPPA'). In turn, it would introduce a new privacy regime in Canada.
Enforcement actions across the region continued to grab headlines, with several authorities in the US issuing fines or settlements for privacy-related violations, and notable fines being issued in Colombia for direct marketing related offenses. The last three months of 2020 also saw the third set of modifications to the CCPA, amendments proposed to the HIPAA Privacy Rule, and the ANPD in Brazil hiring public officials and issuing its first guidance.
Legislative reform in China, New Zealand, Singapore, and South Korea
Discussions of significant legislative reform continued across the APAC region with notable developments in China – where a draft personal information protection law was released for public consultation – and in Australia – where the government announced a review into the Privacy Act 1988. Furthermore, there were several developments in Ukraine, Singapore, South Korea, and New Zealand – where the Privacy Act 2020 entered into effect.
A key focus across the region in the last quarter was the issuance of standards and guidance, specifically in relation to artificial intelligence, the financial sector, and cybersecurity. While Movement on the data protection bills in China, Indonesia, Pakistan, and India look set to make the first quarter of 2021 a busy one for privacy in the APAC region.
Brexit, Privacy Developments in Africa, and EDPB Schrems II Guidance
As with the third quarter of 2020, one of the most significant developments of this quarter involved the fallout from the Schrems II case. In November, the EDPB adopted recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, while the European Commission launched a public consultation on a set of revised Standard Contractual Clauses.
In December, the UK and the EU announced that they had reached a draft EU-UK Trade and Cooperation Agreement with provisions included that provides for the continued free flow of personal data from the EU and EEA to the UK until adequacy decisions are adopted. In addition, several authorities have published guidance for organizations to consider in light of Brexit.
The final quarter of 2020 was a significant one for the development of data protection laws in Africa. In October, a draft data protection bill was approved in Rwanda, while an initiative for harmonizing privacy legislation was introduced in November by the African Union, and a new data protection authority, the IPDCP, created in Togo in December.