Privacy in Q2 2022: US, Canada, and the UK | The State of Security

Looking at the US

Connecticut kicked off Q2 in style, becoming the fifth state to enact a privacy law. Adding to the ever-expanding patchwork of U.S. privacy laws, An Act Concerning Personal Data Privacy and Online Monitoring, also known as the Connecticut Data Privacy Act (CTDPA), provides consumers with access, deletion, rectification and certain opt-out rights; includes provisions prohibiting “dark patterns”; and requires companies to honor a global opt-out mechanism. Effective July 1, 2023, CTDPA is considered to be operable with other state laws, following trends presented in previously enacted state laws and offering little divergence.

The second quarter has offered the most exciting time for federal privacy in recent history. While lawmakers have filed countless bills in the past years, none have captured the attention of the privacy community quite like the bipartisan, bicameral proposal called the American Data Privacy and Protection Act (ADPPA). Offered by three of the four committee leaders that handle privacy matters, the ADPPA presents a compromise on two intractable obstacles to passing legislation in the US — preemption of state laws and the private right of action.

The success of the bill will rest in the fourth and final committee leader, Senate Committee Chair Maria Cantwell (D-Wash), who has signaled at the end of June that she is not close to supporting the bill due to enforcement gaps and, in her view, its inability to adequately address preemption. On June 23, ADPPA advanced from the House Energy and Commerce subcommittee markup and now goes to the full Committee.

Should ADPPA fail to progress, it seems there is a second option for privacy in the U.S. — the FTC has once again initiated rulemaking. The FTC refiled an Advanced Notice of Proposed Rulemaking with the Office of Management and Budget for a potential rulemaking on privacy and artificial intelligence this June. The key difference between the filing from December and the current filing is that Chair Lina Khan now has a Democratic majority — thanks to Alvaro Bedoya’s long-awaited confirmation as FTC commissioner on May 11 — meaning a rulemaking package could succeed despite Republican opposition.

The EU’s reflection phase

In Europe, the second quarter marks the end of the French Presidency of the Council of the European Union. As leadership transfers to the Czech Republic on July 1, the Council can chalk up many achievements in France’s six-month reign — most notably the Digital Services Act and the Digital Markets Act. With text now being finalized, it is expected that the two will be adopted in the coming months. Together, the sister acts will advance the EU’s digital strategy, putting the EU ahead of the curve yet again.

Also noteworthy is the European Data Protection Supervisor’s (EDPS) conference “The Future of Data Protection: Effective enforcement in the digital world.” Exploring a longstanding criticism that enforcement of the GDPR is lacking and misguided, the conference identified three main issues: the unequal burden-sharing of enforcement, a lack of cooperation due to differences in procedural law, and the fact that the European Data Protection Board is often involved too little and too late.

EDPS Wojciech Wiewiórowski said enforcement of the GDPR had failed to rein in data protection abuses by big companies, focusing too often on smaller grievances, and said that he would like to go one step further on cooperation among regulators and move towards centralization of enforcement.

Meanwhile, the UK continued to move forward with anticipated changes to its data protection scheme. On May 11, the UK government declared its intentions to reform the country’s data protection regime by way of the Data Reform Bill announced during the Queen’s Speech. The government is expected to issue draft legislation in July.

What we are looking forward to in the third quarter:

Next steps for the EU-U.S. data sharing agreement.
Will ADPPA get consensus before the August Recess?
What happens with FTC rulemaking should ADPPA fail.
The UK’s new, business-friendly approach to privacy.

About the Authors: Molly Hulefeld is a Privacy Content Analyst with Ethos Privacy. Molly entered the world of privacy through the International Association of Privacy Professionals (IAPP), where she worked as Associate Editor for the publications team. Now she works to develop Sentinel’s privacy program management technology, Ethos, making it easier for businesses to meet their obligations and develop a culture of privacy.

Emily Leach is the privacy content director at Ethos Privacy, overseeing framework analysis and creation for the company’s privacy program management technology. Emily has been working in data privacy for 14 years, spending 11 years at the IAPP as manager of its online resource center and editor of the Privacy Tracker, among other responsibilities. Emily holds both CIPP/US and CIPP/E certifications from the IAPP.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.