Privacy legislation and the impact of GDPR and CCPA [Q&A]
With the California Consumer Privacy Act (CCPA) coming into force in January and GDPR in Europe having been active for nearly two years, data privacy is something that's being taken more seriously than ever.
But what impact does legislation have on businesses and consumers? And how has GDPR influenced the drafting of CCPA? To find out we spoke to Sophie Stalla-Bourdillon, senior privacy counsel and legal engineer, and Dan Wu, privacy counsel and legal engineer, from data governance specialist Immuta.
BN: What are the primary successes and failures since GDPR implementation in achieving desired regulation goals?
SSB/DW: The EU's General Data Protection Regulation has been applicable since May 25, 2018 and its actual impact is still controversial.
There is no doubt however that the GDPR has had a real impact on privacy and data protection awareness within organizations and the larger public eye. Many organizations in the EU, or outside the EU but targeting individuals located in the EU, have initiated a systematic review of their business processes and are looking for solutions to support their compliance journey. We have also seen the first enforcement actions, which are likely to become more frequent as the guidance produced by Supervisory Authorities is maturing and is more comprehensive.
With this said, plenty of organizations are still struggling. The complexity of the framework explains these struggles, at least in part. While risk assessment is at the core of the GDPR framework, it is hard for organizations to determine which method to use and implement. Some of the GDPR key requirements, such as data protection by design, are still poorly understood, and this is why the European Data Protection Board is still working hard more than 18 months after GDPR implementation to produce meaningful guidance.
Two sets of provisions in particular have raised concerns: de-identification (pseudonymization and anonymization) provisions, and research exemptions. Yet, as more and more organizations are considering re-using vast amounts of personal data, clarity around these provisions is much needed to create the right incentives.
BN: How has GDPR impacted the letter of CCPA law -- what has been adopted, what has not?
SSB/DW: The California Consumer Privacy Act was passed in June 2018, a month after GDPR implementation. While the number of GDPR provisions is much higher than CCPA's, there is a clear influence of the former over the latter. This is apparent looking at the types of rights granted to consumers: the right to deletion is the most prominent, which actually started with the EU Data Protection Directive, the predecessor of the GDPR. It is also interesting to note the introduction of the concept of data minimization in section 1798.140, which defines what legitimate businesses are and provides that, "the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed."
Some key definitions also appear reminiscent of the GDPR, such as the concept of covered businesses (which are said to be determining the purposes and the means of the processing activities) or pseudonymization (which refers to, "the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer").
The CCPA, however, is not a replica of the GDPR and key provisions such as data protection by design or data protection impact assessments are absent. The conditions for the exercise of the consumer rights are not identical to the conditions for the exercise of data subject rights. All in all, the CCPA still appears to be based upon the consent model (i.e. individual consent is seen as the main mechanism to protect consumers), while the GDPR is trying to move away from this approach.
BN: What are the differing compliance pain points organizations face with GDPR vs CCPA?
SSB/DW: The first important pain point organizations in the EU face is record-generation and keeping. Organizations operating in the EU or targeting individuals located in the EU are subject to the principle of accountability. This means that they should put themselves in a position to demonstrate compliance with the entire framework. It is thus essential for these organizations to know in real time what is happening to the data they are responsible for. Solutions that act as a single door to an organization's data and enable it to monitor and audit data access and data usage on the fly are crucial.
The second significant pain point with the GDPR is the ability to select appropriate controls, i.e. technical and organizational measures to meet all GDPR principles (including purpose limitation, data minimization, and integrity and confidentiality). Being able to implement a wide variety of data policies while data is being accessed, including masking and purpose-based restrictions, becomes very handy at this stage.
When it comes to the CCPA, the main pain points relate to providing consumers assurances that data processing practices and information transmitted to consumers are fully aligned. This is also a GDPR pain point. Role-based and purpose-based access controls are again key safeguards, as well as monitoring and auditing capabilities.
BN: Will GDPR and CCPA have similar impact on SMB and data-driven startup innovation?
SSB/DW: The CCPA is clear in its attempts to favor small and medium-size businesses, as it only applies to businesses that satisfy one or more of the following thresholds:
- Businesses that have annual gross revenues in excess of twenty-five million dollars ($25,000,000).
- Businesses that process the personal information of 50,000 or more consumers, households, or devices.
- Businesses that derive 50 percent or more of their annual revenues from selling consumers’ personal information.
GDPR does not include comparable thresholds. This being said, the specific needs of micro, small and medium-sized enterprises are indirectly acknowledged in the GDPR, for example in Article 30, which includes a derogation for organizations with fewer than 250 employees with regard to record-keeping.
Article 40 on codes of conduct or Article 42 on certification also refer to the specific needs of micro, small and medium-sized enterprises.
Recital 13 should also be mentioned as it encourages supervisory authorities to take account of the specific needs of micro, small and medium-sized enterprises.
BN: How will these first two major data privacy regulations in the EU and US shape additional global data privacy regulations moving forward?
SSB/DW: The GDPR is influencing different parts of the world; the most topical example is perhaps the Brazilian General Data Protection Law (LGPD).
As demonstrating an equivalent level of protection is the most effective way to legitimize data transfers from the EU, countries such as Japan have been amending their national laws to come closer to the GDPR and be able to obtain an adequacy decision from the European Commission.
Unsurprisingly, given its strong privacy tradition, Canada was one of the first countries to modernize its framework to be able to maintain its adequacy status obtained in 2001. The EU will certainly continue its outreach effort moving forward.
Adequacy talks are ongoing with South Korea, and Brazil and Chile are likely to become candidates for an adequacy status in the not-too-distant future.
The current legislative situation in the US is still convoluted. It is therefore more difficult to predict what the actual impact of CCPA will be outside the US. One of the latest initiatives in the US at the federal level is the Senate Democrats' new digital privacy bill, which aims to strengthen the FTC's enforcement powers. It will be a fierce battle!