Privacy + Data Security Predictions for 2021

The Morrison & Foerster Privacy + Data Security team is unmatched in its ability to provide creative and practical advice concerning all stages of the information life cycle: from compliance with complex privacy, to breach, to litigating privacy and data security claims and defending enforcement actions. With the unprecedented year of 2020 almost behind us, we have tapped our privacy team – thought leaders in the field – to get their opinions on what is likely to happen in the privacy and data security sector in 2021.

General Privacy

Miriam Wugmeister’s predictions for the year ahead:

• Cross-border transfers will continue to become more complex as additional countries require that companies store data locally in country and require specific data transfer agreements.
• With the development of viable COVID-19 vaccines, employers will struggle with the privacy issues associated with requiring employees to be vaccinated, collecting information about who has been vaccinated, and managing the intersection of the rules between employment and privacy when employees return to work.

Alja Poler de Zwart’s prediction for the year ahead:

• Regulatory supervision and enforcement activities relating to cookies and similar technologies have picked up this year, and the trend will likely continue in 2021. We will see more companies amending their approach to cookie compliance and seeking service providers who can provide flexible and easy-to-use cookie tools containing functionalities that can ensure compliance with the ePrivacy consent requirements.

Julie O’Neill’s predictions for the year ahead:

• There will be a continued trend away from the use of third-party cookies for targeted advertising. While it is not yet clear how the industry will respond, we may see such solutions as a new form of unique persistent identifier to collect data or the use of “clean rooms” to enhance first-party data.
• Regardless of the shift to Democratic makeup of leadership, the Federal Trade Commission (FTC) will continue to actively bring privacy and data security-related enforcement actions. We can expect the FTC to continue its general trend in consumer protection matters of seeking significant penalties or equitable monetary relief, as well as holding individuals, and not just their companies, accountable.

Lokke Moerel’s prediction for the year ahead:

• The year 2021 may well bring fundamental changes to the digital economy as we know it. The European Commission is scheduled to publish a suite of a new sweeping standard setting laws for the internet, including new rules regulating platforms that act as gatekeepers and a new completion tool allowing the Commission to impose remedies on market players to address structural competition problems. Data driven business models and data privacy practices will likely be impacted by stricter rules for targeted advertising, including restricting the data used for this practice, more user controls, and transparency reporting.

Christine Lyon’s predictions for the year ahead:

• As remote work becomes a permanent option for many employees, companies will seek new technology tools to foster better communication, collaboration, and engagement. Although many workers will welcome better tools for remote collaboration, we are also likely to see concerns about potential “Big Brother” monitoring by employers, as well as concerns about employers using these systems to assess worker productivity and performance.
• Companies will face greater scrutiny of their use of artificial intelligence (AI) technologies to process personal information and/or to make decisions affecting individuals. The focus will expand beyond automated decision making that results in legal or other significant effects on individuals, to consider as well smaller automated decisions that may have a cumulative impact on individuals over time, by shaping the information they receive or the opportunities they are offered. In the United States particularly, these issues are likely to intersect with larger public policy concerns about societal inequity and bias, requiring companies to be prepared to defend not only the lawfulness but the fairness of their AI and other automated data processing activities.

Kristen Mathews' prediction for the year ahead:

• Data Clean Rooms: For the most part, burdensome data protection laws do not encumber data that is not personally identifiable to a natural person. To enable businesses to make more use of data, while not being encumbered by these laws, businesses are increasingly turning to “data clean rooms” that, in themselves, do not contain personal information but were derived from personal information. As data protection laws continue to be enacted and strengthened, businesses will increasingly test the legal boundaries of data clean rooms, and clean rooms will be tested in the courts as well.

Yukihiro Terazawa’s prediction for the year ahead:

• Japanese Regulatory supervision and enforcement activities are likely to increase in 2021 because of the scope of the data covered and the increased fining power of the regulator. Breach notification will be mandatory to the PIPC (Personal Information Protection Committee), and the extraterritoriality provisions of the law will be operational. The penalties for violating administrative order will be hugely increased in 2021.  

Cybersecurity and Ransomware

John Carlin’s predictions for the year ahead:

• Ransomware attacks will continue to rise as hackers are bolstered by their successes and continue to evolve. We saw an alarming increase of ransomware attacks in 2020, particularly on the healthcare sector, with attackers threatening to release stolen sensitive data, the intersection between cybersecurity and data privacy regarding ransomware attacks is clear. We expect law enforcement to continue to increase pressure on victims not to pay the ransom, or if they plan to pay, to alert law enforcement first. We also expect increased multilateral approaches to combat the rise of ransomware as it becomes an increasingly global problem and not just a domestic one.
• Cybercriminals will continue to exploit the remote working environment, which will continue throughout 2021. Individual home networks are considerably less secure than their business counterparts. Businesses will need to increase investment in cybersecurity training for their employees to ingrain awareness of common and growing hacking techniques, such as phishing.

CCPA/CPRA

Christine Lyon’s prediction for the year ahead:

• More states will develop expansive data privacy laws that show the influence not only of the current California Consumer Privacy Act (CCPA) but the new and expanded California Consumer Privacy Rights Act (CPRA) that will take effect in January 2023. We will see differing approaches by state, with some states following the CPRA’s lead in adopting GDPR-style principles such as purpose limitations and data minimization, while other states adopt more narrowly focused laws to give consumers specific rights such as opting out of the sale of their personal information. The differing state laws will lend more support to creating a federal data privacy law, although there will be significant conflict over whether a federal data privacy law should preempt more restrictive state laws like the CPRA.

Julie O’Neill’s prediction for the year ahead:

• Massachusetts voters recently passed ballot Question 1, which gives car owners greater control over the data that their cars collect and permits them to share the data with repair shops they select. The CCPA also recognizes this right to “data portability.” We may see other states propose laws that give consumers similar rights, either generally or only in connection with certain types of products and services.

GDPR and ePrivacy

Alja Poler de Zwart’s prediction for the year ahead:

• Regulatory supervision and enforcement activities related to employee privacy will increase in 2021. Management of the COVID-19 pandemic will continue to drive organizations to invest more into innovative solutions to enable remote working (where possible), ensure security of such remote access to company systems, and at the same time try to collect more (potentially sensitive health information) about their employees and onsite visitors in order to ensure security of its other employees on company premises.   

Alex van der Wolk’s prediction for the year ahead:

• As the EU has firmed up its Collective Redress Directive, we will see more avenues of private and class action enforcement actions of the GDPR.

Vincent Schroder’s prediction for the year ahead:

• EU Member States will continue their negotiations of the draft Regulation on Privacy and Electronic Communications (“ePrivacy Regulation”) that was originally supposed to enter into force and effect together with the GDPR (EU) 679/2016. The ePrivacy Regulation will control how providers of telephone, email, webmail, VoIP, instant messaging, online chat, and other electronic communication services can use electronic communication content and metadata.

IoT Security

Alex Iftimie’s prediction for the year ahead:

• As the 5G begins to roll out in earnest in 2021 and a tsunami of new IoT devices come online, we’ll see criminal groups and nation-state actors alike experimenting with new forms of distributed denial of service attacks that take advantage of the billions of new devices and 5G-fueled bandwidth. Some groups will seek to inflict economic harm on our society. Others will use these attacks as part of extortion campaigns, looking to emulate the success of ransomware attacks.

HIPAA

Melissa Crespo’s predictions for the year ahead:

• The United States Department of Health and Human Services will continue its focus on enhancing coordinated care, with additional rulemaking and enforcement around the HIPAA patient right of access. Any amendments to HIPAA to address an enhanced right of access and further integrated care will need to carefully balance patient interests with potential privacy risks.

Biometrics

Vincent Schroder’s prediction for the year ahead:

• Regulatory restrictions on the collection, retention, and use of biometric information will intensify as new business models and use cases involving facial recognition and other processing of biometric identifiers continue to spark privacy concerns. Besides the introduction of The National Biometric Information Privacy Act of 2020 in the Senate in August 2020, various states have plans to implement specific legislation governing the processing of biometric information or address it as part of sensitive information protected under broader privacy laws. Key differences among legislative proposals include the definition of what constitutes biometric information and whether violations can be enforced by affected individuals based on a private right of action.

Whistleblowing Hotlines

Alja Poler de Zwart’s prediction for the year ahead:

• The EU Members States will come under immense pressure to adopt their implementing laws for the new Whistleblowing Directive well before the Directive’s deadline of December 17, 2021. This will, in turn, put the pressure on the organizations that will be required to implement such local rules into their whistleblowing hotlines. The summer of 2021 will be the time to take stock of the possible problematic jurisdictions that might not make the abovementioned deadline. The European Data Protection Board is hoped to provide additional guidelines on whistleblowing compliance in 2021.

For more insights, visit our Privacy + Data Security page for links to our privacy library and resource centers on the CCPA, the GDPR, and cybersecurity. Be sure to bookmark and visit regularly, as new insights will be added frequently.