2019 IAPP Global Privacy Summit: Lessons from GDPR, Plans for CCPA and the Future of U.S. Privacy Law

At the beginning of this month, more than 4,000 privacy professionals from around the globe gathered in Washington, D.C. for the International Association of Privacy Professionals’ Global Privacy Summit 2019. The conference focused on lessons learned from the first year of GDPR enforcement in Europe, the expansion of European-style rights to more jurisdictions around the world, plans for addressing new obligations imposed by the CCPA in California, and the future of privacy law in the United States, including whether federal legislation is likely or desired, especially in light of the CCPA and similar proposed legislation in states throughout the nation.

We were there to take it all in, and offer these five key areas of emphasis and takeaways.

1. The First Year of GDPR Enforcement

The first anniversary of the European Union’s General Data Protection Regulation (GDPR) is just around the corner and, unsurprisingly, a number of sessions explored the lessons learned from the first year under the new European regime. The GDPR involved sweeping changes to Europe’s regulation of privacy and data protection, including extraterritorial applicability to any company that provides services to European residents, and potential fines of up to four percent (4%) of a company’s global gross revenue. Much of the emphasis this year turned to the tangible business impact of the GDPR on key operations such as marketing and customer relations, as well as the developing enforcement landscape in Europe.

Several European Data Protection Authorities engaged in the conversation, but one of the notable discussions was the Keynote Panel featuring Andrea Jelinek (Chairwoman of the European Data Protection Board and Austrian Data Protection Authority), Elizabeth Denham (United Kingdom Information Commissioner) and Helen Dixon (Commissioner of Data Protection in Ireland). The esteemed Panel noted that their focus over the last year had been primarily on the principle of fairness under the GDPR. The Panel also addressed the lack of large-scale enforcement activity over the last year by explaining that their offices received a large number of complaints in the early months of the GDPR and have been spending the necessary time to investigate the fact-specific claims before reaching conclusions about the proper enforcement action. The Panel foreshadowed that potentially significant and precedential enforcement activity in the form of fines is likely to materialize later this year once the fact-intensive investigations have concluded. We will watch this activity and continue to report on these and other developments in Europe.

2. The CCPA Is Coming!

As expected, the California Consumer Privacy Act of 2018 (CCPA) took center stage for much of the conference, as speakers and participants explored its various layers, ambiguities and potential impact. The CCPA regulates the collection, use, sale and disclosure of California residents’ personal information by qualifying businesses. This newly enacted legislation, set to become effective on January 1, 2020, introduces significant legal risks and considerations for companies across the United States due to its expansive scope, broad definition of personal information, increased disclosure obligations, enhanced consumer rights, non-insignificant statutory fines and its private right of action for consumers in relation to certain data breaches. We’ve written about the CCPA and its potential implications here and here.

Those who missed out on the great opportunity of building or retrofitting a compliance program for GDPR sought answers to one of the biggest questions businesses are facing: How do you begin to build a compliance program for a law riddled with ambiguity and contradictions that may or may not be addressed by pending amendments in the state legislature? Those who went through the GDPR battle over the last few years lamented having to reopen the work already performed to address yet another privacy law, particularly with the threat of additional legislation from other states or the federal government beginning to materialize. A consistent message was delivered to both categories of affected participants: strong preparation and early building of the program structure will best position a covered business for success under the new regime. However, businesses will need to be flexible over the next few months as potential changes to the law may affect its scope and impact, particularly in relation to the amendment proposing to carve out employee personal information from the statute’s reach. The conversation surrounding the CCPA will undoubtedly continue beyond the walls of the IAPP Global Privacy Summit; but if you are looking for a place to start, check out our CCPA Readiness Assessment Tool.

3. The Future of U.S. Privacy Law

There was significant buzz throughout the Summit relating to the promise and/or specter of a comprehensive privacy regime across the United States, either at the federal level or by way of 50-state legislation. Only a day removed from Irish Data Protection Commissioner Helen Dixon’s meeting with Congress, Commissioner Dixon and the other visiting European Data Protection Authorities shared their recommendations for building an effective U.S. privacy law, including placing an emphasis on fairness, transparency and a strong enforcement mechanism. Federal Trade Commission Chairman Joseph Simons indicated that a federal privacy law preempting state laws, including the CCPA, is still on the table, but regardless of the outcome, the FTC is in favor of a statute that permits regulators to enforce the law with civil penalties. Despite a perceived interest in a federal privacy law on both sides of the aisle, speakers in several sessions discussed potentially irreconcilable differences in Congress that may prevent substantial progress on the topic this year. Although many states have introduced comprehensive privacy laws, speakers and participants had varying opinions on whether laws substantially similar to the CCPA would soon sweep the nation. Even so, there was general agreement that the CCPA is unlikely to be the only comprehensive privacy law we will see in the near future.

4. Privacy Considerations for Existing and Emerging Technology

A major focus of this Summit was on the legal and technical effects of privacy legislation, and shifting expectations of individual privacy in connection with existing and emerging technology. Several sessions explored the difficulty of incorporating key privacy requirements and best practices into artificial intelligence models. For example, one session explored the difficulty of trying to reconcile data minimization requirements imposed by laws like the GDPR with the need for large data sets in AI model training, including the difficulty in identifying which data is important for the integrity and accuracy of AI models. Many sessions recommended prioritizing concepts of fairness and ethical decision-making when designing and maintaining AI technologies, but the speakers also recognized the tension between these concepts and privacy laws. Speakers were particularly concerned with whether privacy laws restricting the use of sensitive personal information, such as race, in AI models would decrease the prevalence of bias in automated decision-making. The working theory is that by removing such variables from the model, there could be an increase in the prevalence of bias by allowing AI models to rely on statistical proxies, all while making it exceedingly difficult to audit the decisions made by the model for potential unfair outcomes.

Discussions relating to marketing technologies were equally popular among participants seeking to gain a better understanding of how to advertise to consumers under existing and pending privacy legislation. Heather Egan Sussman, Global Co-Chair of Orrick’s Cyber, Privacy & Data Innovation team, guided participants through the advertising technology ecosystem in a session that focused heavily on the evolution of online advertising to its current state. Other sessions focused on the technical aspects of complying with relevant privacy laws but emphasized the need to consider the consumer experience when implementing compliant advertising technologies. For example, industry approaches to the dreaded “Cookie Banner” took a lot of heat for failing to properly integrate the compliance measures with the overarching brand and message of strategic consumer interactions. Participants also commiserated over the likely impact on the advertising ecosystem of the “Do Not Sell My Personal Information” link created by the CCPA. For any company operating a website that is subject to the CCPA, we expect the CCPA will cause those operators to (1) evaluate the data collection activities happening on their sites, (2) update disclosures about those activities to meet CCPA requirements as needed, and (3) consider what CCPA opt-out requirements, if any, may apply to those activities and how to implement those requirements.

5. A Shifting Litigation Landscape

Privacy and cybersecurity litigation risks have been increasing steadily over the last decade, with plaintiffs having more success surviving the motion to dismiss threshold and new laws adding private rights of action combined with statutory damages, such as the CCPA and the Illinois Biometric Information Privacy Act. During the recording of a live podcast at the Summit, Orrick’s own Doug Meal emphasized that defendants continue to wield strong defenses in private litigation based on arguments against standing due to lack of harm and against class certification due to lack of commonality. However, Doug expressed concern that the risk posed to defendants increases exponentially as judges become more sympathetic to privacy and cybersecurity plaintiffs, and an increasing number of laws incorporate or consider private rights of action in combination with statutory damages that may one day shift privacy and cybersecurity to a strict liability regime.

Corporate entities are not the only defendants facing an increased risk for liability in privacy and cybersecurity litigation. Aravind Swaminathan, Global Co-Chair of Orrick’s Cyber, Privacy & Data Innovation team, met with an engaged audience to discuss the issue of personal liability for information security personnel within the organization, as these personnel are finding themselves named as direct defendants in litigation against their employer. Aravind explained that information security professionals need to understand the potential risk associated with their position and seek arrangements that mitigate the potential harm, including exploring the idea of indemnification by the employer or being added to the employer’s insurance policy to cover any potential litigation expenses. As the public continues to scramble to find someone to blame for incidents that all too often are perpetrated unlawfully by unknown and unauthorized actors, individuals may increasingly find themselves in the crosshairs of extensive privacy and cybersecurity litigation.