Top Data Privacy Trends to Watch For in 2021

By ERMProtect Staff

The events of 2020 underlined the need for data privacy in a major way. With countries employing intrusive location-tracking apps to slow down the spread of Covid-19, tech giants like Microsoft, Google and Facebook being involved in massive data breach scandals, and our increasing reliance on digital forms of communication, the importance of strong privacy legislation became glaringly obvious.

Here are some of the top data privacy trends and issues that could emerge or accelerate in 2021.

1. The U.S. Could Get a GDPR-Inspired Federal Privacy Law

There is clearly growing agreement in the U.S. in favor of a comprehensive data protection law. In September 2020, the U.S. Senate convened a hearing on the need for Federal Data Privacy Legislation and examined how Covid-19 has affected privacy.

Historically, the U.S. has operated under a patchwork of state laws and sector-specific legislation, including the Health Insurance Portability and Accountability Act (HIPAA) (for health data), the Gramm-Leach-Bliley Act (for financial data), and the Family Educational Rights and Privacy Act of 1974 (to protect student data).

But recent developments could spark change. These include foreign countries gaining access to increasing amounts of data on U.S. citizens, the rising use of facial recognition technology, and the rising number of data breaches in 2020. A strong federal privacy law could become a national security imperative and bring about more conclusive developments in 2021.


2. The Growing Threat of Disinformation

With a deadly pandemic raging across the world, stay-at-home orders were initiated in most countries in 2020. People turned to the internet as their primary source of information, and this served as fertile grounds for the spread of false information and “fake news.”

Mark Eggleston, privacy evangelist and CISO at Health Partners Plans in Philadelphia, told ERMProtect: “For this year, in the U.S., I'm seeing deep fakes and disinformation campaigns at an all-time high. Disinformation is blatant, politicized and unabashed.”

These disinformation campaigns are fueled by the data we give tech companies when we like a Facebook post, post a tweet, or buy online. “A dynamic that started with a purely commercial marketplace is producing technologies that can be weaponized and used for the purposes of influencing the people of the United States to do things other than just buy products,” said Joseph E. Brendler, a civilian consultant who worked with Cyber Command as an Army major general, at a December tech conference. “Absent the appropriate forms of regulation, we really have an unregulated arms market here.”

Expect more discussion in 2021 about the security risks posed by data collection and its misuse.


3. The Trend of Employee Monitoring Exposes Employers to Legal Risks

As most businesses turned virtual, and employees got used to the idea of working from home in 2020, many employers grew uncomfortable with the idea of not being able to monitor how much ‘work’ their employees were putting in. The use of employee monitoring software was up 51% in 2020, compared to the previous year.

Saikiran Kannan, digital consultant at CapGemini in Singapore, says, “I see an increase in employee monitoring as one of the top data privacy trends for 2021.” Eggleston, the privacy evangelist, predicted that new regulations will “limit employee monitoring and compel new attention to consumer privacy.”

But employers are slowly waking up to the legal risks that come with monitoring. States such as California and Illinois require all parties to consent to communication being tracked, which means companies that track emails being sent from an employee to a friend, for example, risk violating state laws.

4. The Role of a Privacy Leader or a Chief Data Officer Will Become More Important

With an increasing number of privacy and data-related laws and regulations coming into effect, companies will naturally come to rely heavily on internal privacy managers. CDOs (Chief Data Officers), data scientists, and privacy executives will play a crucial role in keeping businesses compliant and ethical, with regard to data collection.

A 2020 report by Gartner predicted that by the end of 2022, more than one million organizations will have appointed a privacy officer (or data protection officer).

5. Legal Ambiguity Around International Data Transfers May Nudge U.S. Companies Toward More Local Data Processing

On July 16, 2020, the European Court of Justice (ECJ) struck down the EU-U.S. Privacy Shield, a framework that facilitated the transfer of data between EU and U.S. businesses. The decision to strike down the Privacy Shield stemmed from concerns over U.S. surveillance systems.

This inability to transfer data internationally could hit some U.S. businesses hard and would compound the blow Covid-19 has already dealt. Considering the huge amount of ambiguity regarding international data transfers, and the impact on businesses, the Biden administration will certainly be under pressure to solve the Privacy Shield issue and could make this a priority.

In addition, businesses may question how necessary international data transfers are and move toward more localized data processing.


6. More Privacy Executives Will Report to the CEO in 2021

Forbes recently reported that 84% of C-level executives have been targeted by cyberattacks in the past year. Increased awareness of the risk and potential liability posed by data breaches is causing cybersecurity and data privacy to become a top-level concern.

A recent report by Forrester predicted that 40% of privacy leaders will report to the CEO in 2021, up from 23% in 2019.

In response to whether privacy will be a bigger concern for organizations in 2021, John Correlli, a California-based privacy attorney, said: “It will be for more forward-thinking companies, while other companies will continue to relegate the privacy positions to Finance, IT security, Compliance, etc.”


7. Potential for Legal Liability Will Lead to Companies Collecting Less Data

Typically, most for-profit businesses default to collecting and storing the maximum amount of data, in the interests of business growth and a better understanding of the target market. However, as the many data breaches in 2020 have made clear, data equals liability.

Businesses globally are more aware and cognizant of the liability posed by collecting excessive amounts of data, whether that’s customer data or data on employees. They are beginning to examine the processes and applications that collect data from customers and employees, retaining only the most important ones. This inclination toward reduced data collection is likely to continue in 2021 and beyond.

Some experts also argue that companies are already aware of this liability. “Companies have always been aware of the liability, that is why they have lobbied vigorously to ensure lawmakers are reluctant to pass any laws attributing liability to these companies,” said Correlli, the California-based privacy attorney.

But stronger data collection laws will ensure organizations limit data collection to pertinent, relevant information only.


8. The Legal Battle Over End-to-End Encryption Will Continue

In October 2020, the U.S. Department of Justice released an international statement making the point that end-to-end encryption poses significant challenges to public safety, including to highly vulnerable members of our societies such as sexually exploited children. The DOJ called upon technology companies to come up with a feasible solution.

Privacy advocates such as the Electronic Frontier Foundation and GlobalSign continue to oppose any attempts to weaken encryption, or allow law enforcement access to communication data between individuals. 2021 is likely to see further attempts by U.S. and global lawmakers to weaken encryption policies, in the interests of public safety. This would be the source of vigorous debate and be strongly opposed by privacy advocates.


ERMProtect Can Help

An organization’s goal should be to avoid a data breach entirely. This entails penetration testing, investments in technological infrastructure, excellent vulnerability and risk management, etc.

ERMProtect can advise your organization on the minimum frequency of penetration tests required for your specific business domain and IT infrastructure. We also offer a variety of cybersecurity solutions to secure your IT environment.

Primary Sources:

  1. Mark Eggleston, VP and CISO at Health Partners Plans, Greater Philadelphia Area
  2. Saikiran Kannan, Digital Consultant at CapGemini, Singapore
  3. John Correlli, Esq., CIPP, HCISPP, Thousand Oaks, California

