The rest of 2019 will be a busy time for companies in the thriving ecosystem built on the collection, use, transfer and storage of personal data. After years of repetitive debate in the U.S. over the need for balance between privacy and innovation, between protection and the free flow of data, the balance has tipped. Although specifics of a new paradigm are under intense discussion in statehouses and in Washington, it appears all but inevitable that some form of comprehensive privacy legislation will soon be a reality. This legislation would fill in the gaps or completely inundate the carefully engineered "sectoral" rules for specific industries that have dominated the American landscape for decades.
The wave began in Europe, with the 2016 passage of the EU's General Data Protection Directive (GDPR), which went into effect in May 2018. Non-EU companies with European customers or data-related activity have been obliged to bring at least part of their operations into compliance, at a massive cost in effort and expense. The GDPR's values, principles and individual-centric perspective now percolate through everything from artificial intelligence to anti-trust enforcement to connected cars, 'smart' healthcare devices and the Internet of Things.
In California last year, sheer popular pressure caused the issue to burst forth in a ballot initiative, leading to the hurried passage of the California Consumer Privacy Act (CCPA), which promises GDPR-like protections for the state's citizens starting from Jan. 1, 2020. In short order, California's example inspired a ripple of similar proposals in state legislatures across the country.
Now federal legislators, alarmed by the prospect of a patchwork of rigorous state privacy laws with potentially dire effects on interstate commerce, have scheduled hearings before House and Senate committees for February 26 and 27, in part with a view to seeking bipartisan consensus on a federal law that would preempt the rapidly proliferating state initiatives. Providing a further push, a GAO report released on February 13 recommends comprehensive federal privacy legislation that would designate the Federal Trade Commission as lead agency with APA rule-making authority, pre-event enforcement powers, and the ability to impose civil penalties.
With full recognition that the final shape of any new legislation will be the product of lively debate (albeit within a highly compressed time frame), there are nevertheless a number of common principles and themes that appear in various forms in the GDPR, the CCPA, bills pending in various state legislatures, and in the voluminous literature on the subject. Here is a partial list, with some preliminary thoughts on how their manifestation in forthcoming regulatory regimes may affect U.S. companies.
Change in this sector has been a long time coming, but the current pace calls to mind the reply of Hemingway's character who is asked how he went bankrupt: "Two ways," he says, "Gradually and then suddenly." (The Sun Also Rises, Ernest Hemingway, 1926). The sea-change in privacy protection, long debated, forestalled, ignored, dreaded, or welcomed, has arrived.
Holland & Knight's Outsourcing and Technology Transactions attorneys represent clients in all aspects of strategic outsourcing and technology transactions and have extensive experience in a wide range of categories including information technology outsourcing, enterprise resource planning, and cloud computing transactions, including software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). The firm's cybersecurity, privacy and public policy professionals have extensive experience counseling companies in developing data security and privacy compliance programs and advocating on federal, state and local privacy matters, as well as in emergency data breach coaching, response, investigation and assistance, liability mitigation and crisis communications.