I recently got back from the IAPP Global Privacy Summit (the “Summit”), the world’s largest meeting of privacy professionals from around the world. The Summit always serves as a great opportunity to network and learn from colleagues, thought leaders, and regulators working in this important area of business, technology, and law. With that in mind, I want to share some reflections and themes from this year’s Summit.
- Here to Stay: The profession is bigger than ever. (And I am way older.) I have been in privacy since 2003 and attended my first IAPP conference in 2004. I believe it was held in the basement ballroom of a much smaller D.C. hotel. Today, the IAPP is almost 75,000 members strong and comprised of individuals in every part of the data flows of industry: lawyers, technologists, business leaders, compliance personnel, legislators, and regulators. This past week’s Summit saw more than 4,500 attendees. The conference filled the D.C. convention center and hotel, and was populated with more young professionals than older ones. So what does this tell you? Privacy and security issues are here for the duration, and companies need expertise and leadership at all levels of their organization. And these individuals come from all walks of life and multiple generations. This is a good thing.
- The U.S. needs a federal privacy law. “Thanks, Captain Obvious.” A constant topic of discussion, including a panel discussion with current Senate and House staffers, was the need for an omnibus federal privacy law governing the use of personal data in all 50 states. I have been hearing this since 2003 and I am not optimistic. That being said, there is more optimism this year from others that a bill might get through. In particular, there is bipartisan support, including for resolving the most persistent roadblocks: a private right of action and preemption of state law. I have discussed this with my esteemed Taft Government Relations partners in Taft’s D.C. office, and they see the same potential. So, maybe I am too cynical. We shall see.
- Concerns with a patchwork of U.S. state laws. Relatedly, there remain concerns with the states (three on the books so far) that have their own privacy laws and with those laws not working together nicely. This concern is not limited to industry. Indeed, even the Colorado Attorney General, when speaking on his state’s new law (effective July 2023), reiterated numerous times the need for collaboration and sharing between state regulators to find an effective, risk-based, and reasonable framework that businesses of all sizes can implement. At a minimum, state attorneys general are discussing and working together to try to find a balance in how they can regulate and enforce the law.
- International collaboration on privacy law and cross-border transfers. On the global level, the message is the same. In effect, “We need to make this easier.” There were several discussions in the hallways and on the panel stages lamenting the complexity and time taken to effectuate secure yet reasonable transfers of personal data from one country with one set of requirements to another. With the new Standard Contractual Clauses for GDPR-related transfers, the UK’s new framework, as well as changes in Latin America, China, and the Asia-Pacific region, international businesses are challenged, to say the least. And, of course, there is another attempt underway to find something acceptable for EU-US transfers (i.e., Privacy Shield, part 2). But, as Microsoft President Brad Smith shared during the Closing Session of the Summit, each iteration has taken longer than the last. Consider the following:
  - Safe Harbor: 4 months to finalize.
  - Privacy Shield: 18 months to finalize.
  Currently, it has taken a year to agree “in principle” to the new Privacy Shield. How long until we can implement it, and what will “compliance” look like? Stay tuned…
- Oh yeah, and there’s that security thing. Lastly, much like privacy itself, a Summit of this size can’t happen without discussing security. Several panels tackled the topic of security, including risks related to hacking, ransomware, and cross-border transfers, as well as ways to bake security into operational practices to reduce risk to personal data. At the Summit, we heard from leaders in government, including the Director of the DHS Cybersecurity and Infrastructure Security Agency (CISA). As you might imagine, there was a lot of interest in how the federal government is seeking to enforce and support industry in this highly volatile area, including what will be included in the regulations issued to meet the requirements of the Strengthening American Cybersecurity Act. As we wrote about earlier this month, there is a lot still to be seen when it comes to how this Act will be regulated and enforced.
But what is clear from being at the Summit is that security in all forms (administrative, technical, and physical) requires attention and vigilance, not only to protect the confidentiality of data but also to simply maintain access to it. Indeed, in our work supporting clients through data breaches, the operational risk is as great as, if not greater than, the confidentiality risk. If the confidentiality of your data is compromised, in total or in part, you might go out of business or endure significant legal consequences. If you cannot access your information or systems, you will go out of business.
So, in closing, we have lots to look forward to and lots more to do. Stay tuned to Privacy and Data Security Insights and download our free mobile app to get the latest on privacy and security matters.