2020 is set to become a momentous year for data protection legislation across the globe, with the enforcement of the California Consumer Privacy Act (CCPA) likely to grab headlines and set the tone for further US legislation at the state and federal level. New data protection legislation will also come into force in Brazil and Thailand as countries such as India and South Korea join the global movement for stricter data protection laws. Let’s take a closer look at what companies can expect from the data protection legal scene in 2020!
The CCPA is here
The year kicked off with a bang on 1 January as the CCPA officially came into force. While the California Attorney General (AG) cannot enforce the CCPA until six months after he promulgates the final regulations or 1 July 2020, whichever comes first, Attorney General Xavier Becerra has stated that the CCPA compliance deadline remains 1 January. This means that enforcement will be applied retroactively by the AG, covering violations dating back to 1 January 2020.
That being said, the AG also stressed that his office will look kindly on companies that can demonstrate an effort to comply. The civil penalties the AG can issue under the CCPA are up to $2,500 per unintentional violation or up to $7,500 per intentional violation, assessed on a per-consumer basis.
The CCPA also gives consumers a private right of action and statutory damages against businesses that suffer data breaches due to a failure on their part to implement and maintain reasonable security procedures and practices. The private right of action, however, applies only to a number of categories of personal information as defined under California’s breach notification statute, not the CCPA.
Statutory damages range from $100 to $750 per consumer per incident. Consumers wishing to initiate litigation must give businesses notice of the breach and 30 days to rectify the violation. If the company manages to resolve the violation within that time, the consumer cannot pursue statutory damages in the litigation. California consumers can exercise their private right of action as of 1 January 2020.
Data Protection Laws Coming into Force in 2020
The LGPD, closely modeled after the EU’s General Data Protection Regulation (GDPR), will come into force on 15 August 2020 and will apply to all companies that handle the personal information of Brazilian residents, whether or not those companies are physically located within the country. With the provisions creating the Autoridade Nacional de Proteção de Dados (ANPD), the body tasked with enforcing the new legislation, finally promulgated in 2019, the LGPD is now set to follow in the steps of the GDPR.
The LGPD compels companies to adopt security, technical, and administrative measures able to protect personal data from unauthorized access, taking into account the current state of technology, or face fines of up to 2% of their total revenue in Brazil in the previous year or up to 50,000,000 Brazilian Reals (approximately $12,300,000), whichever is higher.
Thailand’s PDPA, a law twenty years in the making, was finally passed by the National Legislative Assembly in early 2019 and, after receiving a royal endorsement and being published in the Government Gazette, is now due to come into effect on 27 May 2020. The PDPA includes some of the GDPR’s stricter requirements, including the need for the appointment of data protection officers, greater protection for especially sensitive categories of data and an extraterritorial reach. However, it’s worth noting that PDPA violators face not only the risk of fines but also the possibility of criminal prosecution and imprisonment for up to one year.
New Data Protection Laws in 2020
Several data protection legislation initiatives are likely to go through the final approval stages in 2020. Most prominent among these is India’s Personal Data Protection Bill 2018 (PDPB), a draft of which was published in July 2018 by the Srikrishna Committee. The bill was revised and submitted to the Indian Parliament’s lower house, the Lok Sabha, on 11 December 2019, but was sent to a joint parliamentary committee for further deliberations before being taken up for passing.
The Bill has proven controversial from the first draft, with international businesses contesting its data localization policy, which would require any company processing the personal data of an Indian data subject to store a copy of that data on Indian territory. Its revised version sparked fears that the PDPB would give the government unrestricted access to all citizens’ data, not only for national security purposes but also in a number of other circumstances. While the PDPB is likely to undergo further changes in the approval process, it is expected to pass in 2020.
Meanwhile, South Korea is aligning its existing data privacy laws to the GDPR in hopes of receiving an adequacy decision from the European Commission in the coming year. A positive ruling would mean that data could travel freely between the European bloc and South Korea, facilitating cross-border data transfers and business operations. Among other changes in 2019, South Korea strengthened its child data protection laws, making it mandatory for companies to get consent from parents or legal guardians to collect data from consumers under the age of 14.
In 2020, South Korea may make further amendments, with three data protection bills awaiting approval in the National Assembly. Among them is a revision of the Personal Information Protection Act (PIPA) that would upgrade the existing Private Information Promotion Commission, an advisory body, to an independent enforcement authority, effectively establishing a unified enforcement agency to handle all privacy issues.
As 2018 was the year of the GDPR, 2020 will be the year of the CCPA. Its enforcement is likely to set an example for other US states and may serve as a secondary blueprint for international data protection legislation looking for an alternative to the strict model of the GDPR.
At the same time, countries looking to establish a free flow of data between them and the European bloc through adequacy decisions from the European Commission will continue to push for new or updated data protection legislation in line with the GDPR.