With Druva as an official champion of Data Privacy Day 2022, this blog describes our thoughts on how data privacy will evolve in the new year, aided by laws and technological advances to help you as a consumer best protect yourself online.
Data privacy rules, regulations, and fines will expand globally
In 2022, businesses will be preparing for CPRA, the CCPA amendment, which begins enforcement on January 1, 2023. The CPRA significantly strengthens the CCPA by expanding on consumer rights, creating an enforcement agency (the California Privacy Protection Agency), and eliminating the cure period previously allowed under CCPA. While California may have taken the strictest stance on privacy, Colorado and Virginia have also enacted comprehensive privacy laws, and other states have enacted privacy laws related to specific sectors or individuals (e.g., children, finance, breach reporting requirements). We anticipate seeing more U.S. states passing comprehensive privacy laws more closely aligned with those in California and the European Union (EU).
On an international level, we continue to see more and more countries jumping on the “Privacy wagon”. The China Personal Information Protection Law (PIPL) went into effect on November 1, 2021, so we will see enforcement actions taken over the next year, which will likely result in large fines. In India, on Dec. 16, 2021, the Joint Parliamentary Committee submitted its long-awaited report on the Personal Data Protection Bill 2019 to the Indian Parliament after nearly two years of deliberations. The Bill is now likely to be passed by Parliament in its next session in February 2022, and likely will enter into force in the first half of 2022. Finally, the ICO in the UK intends to publish updated Standard Contractual Clauses similar to those we saw out of the EU in June, resulting in required contractual updates for any company transferring data outside the UK to another country.
Because companies continue to have more and more data on individuals at their disposal, the number of individuals and the volume of data impacted by data breaches will continue to grow. An obvious outcome of larger data breaches is increased fines and decreased consumer trust. And, with more data privacy laws being passed, there is a greater likelihood that organizations experiencing a violation will be fined in multiple jurisdictions. For example, a single data breach could result in fines in the EU, UK, California, Brazil, etc.
A U.S. Federal data privacy bill will be introduced
In September, the U.S. House Energy and Commerce Committee passed a proposal to provide $1 billion over 10 years to support the creation and staffing of a new privacy and data security division. This funding suggests a shift in priorities toward data privacy and security, indicating a federal bill that could be on the horizon. Although comprehensive federal privacy legislation similar to GDPR hasn’t yet been proposed by U.S. lawmakers, eyes are on the proposed American Innovation and Choice Online Act. The bill would prohibit platforms from preventing interoperability with other services and from leveraging another company’s data on the platform to compete against them. It would also prohibit tech platforms from “favoring their own products or services, disadvantaging rivals, or discriminating among businesses that use their platforms in a manner that would materially harm competition on the platform.” It would seemingly give consumers more transparency about how their information is shared while providing them with greater choice of who they give their business to online. There’s significant pushback from tech giants, so it will be interesting to see how the bill progresses.
Privacy laws will evolve as use of emerging technologies increases
We will see an expansion of consumer privacy rights and can expect the majority of new laws being passed to include privacy rights for individuals (e.g., the right to access, delete, or transfer their data), limits on data sharing practices, and requirements around consent. Additionally, with the increased use of biometric data, AI, and IoT, we can expect to see privacy laws evolving to account for new technologies.
The cloud’s influence will expand on companies’ privacy and compliance postures
Increased use of SaaS platforms means increased exposure with data being sent to multiple platforms and technologies. Migrating data protection to the cloud helps centralize these tools so businesses can ideally catalog and map where all of the data is being stored so it can be easily located to fulfill subject requests.
Compliance legislation can catalyze data management processes
Compliance legislation is an opportunity for businesses to build trust. Whether you’re B2B or interacting directly with consumers, it’s a great time to highlight your privacy program and how your company is protecting data. Whitepapers, webinars, dedicated compliance webpages, etc., will be great marketing materials to help build that trust by outlining the organization’s data protection practices.
Data is a precious asset. Individuals providing it and companies collecting it need to treat it with the level of care it deserves, because we all benefit from the responsible use of data. Although Data Privacy Day only comes once a year, let’s use it as an opportunity to start taking steps toward improving data protection for all. At Druva, we’re committed to protecting the data we process and educating our customers on safe data best practices.
In honor of Data Privacy Day, Druva hosted a recent podcast with W. Curtis Preston, Chief Technical Evangelist, and Stephen Manley, CTO, exploring data privacy in depth. If you found today’s blog interesting, we invite you to listen to the session and join our data protection experts to learn more about keeping your data safe and secure online in 2022.