As we move forward into the new year, it’s always good to take a look back at where we came from. Reviewing data privacy 2021 milestones not only gives us an accurate picture of the privacy industry right now but also gives us a good indication of what 2022 might hold. Let’s review several of the major privacy news stories of 2021.
Privacy experts around the world were caught off guard by sudden challenges to the GDPR, the gold standard of privacy laws since its adoption in 2018. EU authorities disagreed on how to practically enforce many of the far-reaching law’s requirements, and whether it unintentionally singled out particular countries for violations. There’s no reason yet to believe that the GDPR will collapse or be completely rewritten. However, this is a situation to monitor closely as time passes. Any changes to GDPR requirements or enforcement have far-reaching implications for laws inspired by it.
In November 2021, China began enforcing the PIPL. This law, heavily inspired by the GDPR, covers all internet users living in China—nearly one-fifth of all internet users worldwide. While enforcement is still in its early stages, this law has the potential to have an extensive impact on companies worldwide with the huge number of people it covers.
In a move from the EU that shocked the privacy world, the IAB Framework—a system designed specifically to make advertising within GDPR requirements easier—was found to potentially violate the very law it was designed to work with. No significant conclusions have been reached as of yet, but this decision will significantly impact any business that relies on the IAB or similar setups for online marketing.
News sites in 2021 broke a story of a significant hacking in 2016. Booking.com, a popular vacation planning site, was hacked and a significant amount of vacation information was compromised. Some former employees allege that pin numbers were also stolen, indicating a more significant breach than Booking.com cares to admit.
But why did this story go unreported for multiple years? Because relevant privacy laws only required Booking.com to inform their client base of the breach if adverse effects occurred as a direct result of the breach—something the company claims to have found no direct evidence of. GDPR authorities disagreed with Booking.com’s decision and fined the company a significant amount for their failure to report the breach in a timely manner.
The claims of no adverse effects resulting from the breach are certainly up for debate. But whether they hold any truth or not, this story illustrates the importance of being upfront with your clients about any possible risks to their data.
Continuing the trend of companies handling customer data poorly, Amazon found itself under fire in 2021 as well. EU privacy authorities levelled one of the biggest fines in GDPR history against Amazon following an alleged data breach. Amazon, unsurprisingly, pushed back against this ruling. This potentially precedent-setting case is still ongoing.
WhatsApp also found itself in trouble for GDPR violations. Following an investigation beginning in 2018, the app’s privacy policies were found to be unclear and not in compliance with the GDPR, leading to the second largest fine in GDPR history after Amazon’s fine. WhatsApp plans to appeal.
Following concerns over facial recognition technology in public spaces, the EU passed several laws restricting its usage. Both government authorities and private businesses are subject to these new regulations.
Every year, representatives in Washington, D.C. introduce a national data privacy bill, and 2021 was no exception. The Online Privacy Act went before Congress again last November. It remains to be seen if the bill will pass this time.
The EU Cloud Code of Conduct, a list of suggested guidelines designed to help companies follow the GDPR, has been around for a while. But in 2021, it was officially adopted by the EU government. Companies can now pursue special certification from the CoC Committee to show their dedication to following the GDPR.
In perhaps the biggest privacy news story of 2021, the GDPR itself came under fire. Recent enforcement difficulties sparked a conversation on long-term GDPR implementation. While some EU authorities want to reform the GDPR entirely, others want to focus more on centralizing and streamlining enforcement without rewriting the law. The debate is nowhere near over. While the GDPR itself is unlikely to be overturned, the future of GDPR enforcement is unsure for now.
Virginia passed its own privacy law, the Consumer Data Protection Act (CDPA), in 2021. Like many other privacy laws, the CDPA takes significant inspiration from the GDPR while applying its principles on a much smaller scale. It remains to be seen how this law will work with various other state privacy laws long-term.
Data privacy and all laws associated with it present a constantly shifting landscape of ideas and regulations. 2021 was certainly an eventful year in the privacy field. As we move forward into 2022, make sure you’re ready to stay on top of future developments.
For more information on data privacy in 2021, predicted privacy law changes, and how you can keep up, contact us today.