The Data Day: World Data Protection Day and 2023 Trends & Hot Topics
Tune in to the first episode of Ropes & Gray's new podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series will focus on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and will feature a range of guests, including clients, regulators and colleagues. This edition celebrates World Data Protection Day, which took place on January 28, by answering questions submitted by our clients and contacts about the landscape of the data, privacy and cybersecurity field of law. Join your hosts Fran Faircloth, a partner in Ropes & Gray's data, privacy & cybersecurity practice based in Washington, D.C., and Edward Machin, a London-based associate in the same group, as they explore topics including the proposed adequacy decision for EU-U.S. data transfers, the likelihood of a U.S. federal privacy law, ransomware demands and other strange and interesting privacy trends as we look ahead into 2023.
Fran Faircloth: Welcome, and thank you for joining us on our first installment of The Data Day from Ropes & Gray, a podcast series brought to you by the data, privacy & cybersecurity practice at Ropes. In this podcast, we'll discuss exciting and interesting developments in the world of data. We feature attorneys at Ropes & Gray as well as clients, regulators, and other industry leaders in conversations about what is new in the world of data. I'm Fran Faircloth, a partner in Ropes & Gray’s data, privacy & cybersecurity practice, and I'm based in our Washington, D.C. office. I'm joined by my colleague and co-host, Edward Machin, who's based in our London office.
Edward Machin: Thanks, Fran, and thanks to everyone who's tuned in. So, for our first episode, we're going to do things a little differently from what we expect will be our normal programming, and that is to celebrate World Data Protection Day, which takes place on Saturday the 28th of January. We thought it would be fun to ask our clients, contacts, and colleagues to send us their questions and comments to answer, the things they didn't want to ask, or didn’t know they needed to ask. We're not going to be able to answer them all, so we've chosen four of the questions that we were asked more than once to discuss on this episode. And then, we'll finish up with the first entry in what will be a regular feature of the podcast—that is, sharing the most interesting, the best, or even the strangest things in privacy, data protection, and security that Fran and I have seen or heard about recently.
Fran Faircloth: Before we jump in, we want to say a few words on the name of our podcast, The Data Day. Even though it's called The Data Day, it will not be daily I'm afraid, but we will be discussing the day-to-day effects data is having—particularly as data is now firmly a part of all of our daily lives. We're kicking it off, as Edward said, in honor of World Data Protection Day, which happens annually, but we don't think once a year is enough, so we're making “Data Day” a monthly event. The purpose of these podcasts is going to be to provide updates on the data protection issues that come up all around us every day.
Edward Machin: So, Fran, why don't you kick things off with our first question?
Fran Faircloth: Great. Let's start with everyone's desire for mere adequacy. I'd never have thought adequacy would be everyone's legal goal, but for businesses in the U.S. that want to do business or collect data from the EU, adequacy is now the golden ticket. Last December, we saw the European Commission issue its proposed adequacy decision for the U.S. based on President Biden's Executive Order that implemented the new U.S.-EU data transfer framework, but we're not quite over the line yet, are we? What are the steps left before the U.S. is adequate? And how likely do you think it is we're going to cross that line?
Edward Machin: As you mentioned, Fran, the Commission issued its long-awaited adequacy decision in December 2022, and that will now go through a review process, including from the European Data Protection Board, EU Member States, and the European Parliament. We think that will take, or at least we hope it will take about six months, so we may have a finalized adequacy decision some point during the summer of this year. Will that be approved? We think yes, although the decision will inevitably be driven both by legal and political considerations.
Fran Faircloth: Do you think there will be a Schrems III? I do love a trilogy.
Edward Machin: I do think that's an inevitability at this point, but unless the case is fast-tracked to the European Court, businesses will likely have a couple of years hopefully of relative safety before they go through the whole process again. And I do think it’s worth saying that the Schrems saga that’s now been rumbling on for a number of years shows that the current system of countries granting each other unilateral adequacy really isn't fit for purpose in the long run, but that's a conversation, I think, for another episode.
Fran Faircloth: Indeed.
Edward Machin: Now, Fran, we've received a number of questions on the same theme. Firstly: "How should companies comply with the patchwork of U.S. privacy laws that are going into effect this year?" And secondly, the $64 million question: "Will we see a federal privacy law passed in 2023?"
Fran Faircloth: I'm going to take the second part first. I'm not putting any money on a federal law passing in 2023. We've seen how hard it is for the House of Representatives just to figure out who is going to lead them—I don't think they're going to be able to pass a comprehensive data privacy law. I could be proven wrong, but I'm not putting any money on it. That said, I think the push for a federal law has really lit a fire for many states. We already have comprehensive data privacy laws that have passed in five states (California, Virginia, Colorado, Connecticut and Utah), and eight more states are now considering similar broad consumer data privacy bills (those are Indiana, Iowa, Kentucky, Mississippi, New York, Oklahoma, Oregon, and Tennessee). Most of those are bills that were filed last session and have now come back. Some other states are also considering more limited bills focused on topics like children's privacy, or we've even seen that Maryland and Mississippi are considering biometric privacy bills similar to Illinois' law, which we've seen be the focus of so many lawsuits in the past year. States are also focused on things like health privacy and automated decision-making, so there is a lot of activity on the state front.
When it comes to complying with a patchwork of laws, there is a basic model starting to emerge that I think is helpful to clients, and the principles of this aren't that far off from GDPR—a lot of it is based on the 2021 Washington Privacy Act, which did look to GDPR as a model. And even though these other states haven't followed California's model yet, California does still cover more people than these other states. So, it will take a few more states before a clear model emerges, but to avoid the patchwork, I think there are some principles that businesses can apply. First of all, businesses can determine what laws actually apply to them. There are different thresholds for compliance under the different state laws like Virginia and California, and most of the states also have exclusions for compliance with certain federal laws like HIPAA and GLBA. Some of the core compliance projects that companies can pursue to get to 90% of compliance with the entire patchwork of laws are things like data mapping, which companies that already did a big GDPR compliance project may have in place. In particular, companies need to be mapping what they're sharing, any data profiling they do, any high-risk activities, and they need to know who the vendors are that they're sharing with. And then, in terms of records retention, companies should be paying a lot of attention to revising their record retention programs, because these laws really focus on data minimization. They should also be revising vendor contracts—because, as I said, it's very important to know who you're sharing with and how they're using the data. And finally, companies should make sure they have assessed their opt-out and consent requirements.
The linchpin of a lot of this patchwork of data law is making sure that people know what data is being collected about them, how it's being used, and have the opportunity to make decisions about that—so, that could require companies to do a pretty granular assessment of their opt-out and consent requirements.
Edward Machin: There's certainly a lot to digest there—it sounds like you and your fellow U.S. lawyers will be very busy in 2023. The next question we have is short and to the point, Fran: "Should businesses pay ransomware demands?"
Fran Faircloth: That is certainly what our clients are wanting to know, and they're wanting to know what other companies are doing. We saw a report just today that fewer companies that buy ransomware seem to be making the payments demanded by hackers—that's according to research from blockchain forensics firm Chainalysis, which estimates that ransom payments are down 40% (so that would be from $765.6 million in 2021 to $456.8 million in 2022). That's a huge drop, and it doesn't look like that decrease is a result of attacks being down, or at least not to that high of a percentage, but it may just be that fewer victim organizations are paying the ransom. This could be because more organizations are able to obtain the keys without paying ransom. There have been a lot of organizations fighting back and trying to figure out ransomware keys and sharing those. There have also been organizations that have had sufficient backups to just rebuild without needing the key, and so it really takes the sting out of the attacker's demands. So, threat actors are trying to get around this by doing a double extortion demand, where they say that payment is required both to give you the key, but also that if you don't pay for the key, they'll release your data. And for some companies, you can imagine, like hospitals or companies that have very sensitive data like health data, that's a problem, and that will prompt them to pay, because it can have really disastrous effects if that sensitive information was released widely. But for some companies where the data's maybe slightly less sensitive, and they recognize that the data's already in the hands of an attacker and so may already need to be disclosed as a breach, that additional threat of publication may not be enough incentive for them to pay the ransom, so that may be why companies are more hesitant to pay the ransom these days.
Edward Machin: Yes, that makes sense. And as you say, there’s never a one-size-fits-all scenario—every breach is different, and the considerations also are rarely the same. Listeners may remember that the UK ICO recently told lawyers in the UK to advise their clients not to pay ransom payments, so it's going to be really interesting to see whether that position tracks through in the coming months and years.
Fran Faircloth: Yes, we'll certainly be watching that closely. Lastly, and notwithstanding that our excellent Chinese privacy colleagues aren't with us today, we've been asked whether we're seeing an increased awareness of the various PRC data and cyber laws among our clients and counterparties. What have you been seeing, Edward?
Edward Machin: The answer is that it really is still very early days. So, to give you an example, we often see when we're advising clients, either in China or with a Chinese presence, that their counterparties may not have thought as much about their ability to send data outside China, and what needs to be done to ensure compliance with PIPL. But rather than getting over my skis, if you do have questions, please reach out to the Ropes team in China, who are regularly advising on this. The thing I do think it shows, though, is that the days of the GDPR being the one global law and the main statute that folks are worried about or focused on are long gone. Even within the EU and the UK, we have the alphabet soup of laws that are either taking effect soon or are in negotiations—the DMA, the DSA, DORA, NIS—and that's just within Europe. So, there's a huge proliferation of laws that are coming both in 2023 and beyond, and I really do think that the GDPR at this stage will increasingly become distant in the wing mirror when taking into account all of these other laws.
Fran, now I get to ask you a question of my own: What's the strangest, most interesting, or the best thing that you've seen or heard about privacy in the last couple of weeks?
Fran Faircloth: I think I'm going to have to go with what is most strange or interesting and surprising. I have been frankly amazed by the way that plaintiffs have been using VPPA (the Video Privacy Protection Act) to file suits against companies that could not be farther from video rental services. So, by way of background for our listeners who aren't in the U.S. or who aren't as old as me and don't remember riding their bicycle to Blockbuster as a kid to get a video rental, the VPPA is definitely not a modern-day law. It was passed after then D.C. Circuit Judge Robert Bork's video rental history was actually published by a Washington, D.C. paper during his Supreme Court nomination. His Supreme Court nomination obviously failed then, but it did prompt Congress to pass this law, which was aimed at videotape rental store viewing records and protecting the privacy of those. But the businesses facing these lawsuits now are hardly those Blockbuster stores I rode my bike to as a kid. Just last month, we saw lawsuits filed against businesses like La-Z-Boy and American Girl Dolls. These are companies that have some video content (some commercial) on their website, but the lawsuits are alleging that because they also have tracking pixels on their website and transmit information to third parties about how users interact with their websites, that that transmission violates the Video Privacy Protection Act. It is a very strange use of this Act that I would never have seen coming last year. So it's interesting, and we'll be watching this area of the law closely where there haven't been many cases that have gone through the courts, and the cases are getting increasingly farther away from video content. 
So, I think these cases started with companies that were more focused on providing some kind of video content, but now we've gotten to things like recliners and dolls that don't really have a lot to do with videos at all, so it will be an interesting area to watch in the coming year.
Edward Machin: Yes, very interesting.
Fran Faircloth: How about you? What have you been finding the most interesting or strange in the world of data?
Edward Machin: So, as you probably know, most lawyers in the EU or the UK have their crazy "the GDPR should not apply in this type of scenario" story, and I had a good one last week when I spoke to an in-house lawyer contact at a toys business aimed at toddlers. She was telling me that at their business, they’ve recently had an internal discussion about whether a social media influencer needs to obtain consent from their child to appear in the video. Putting aside the fact that that’s not legally required, speaking from personal experience here, good luck getting your three-year-old to sit still and not to scribble on your consent form.
Fran Faircloth: Definitely. If you could see my passport, there are a couple of pages that my daughter scribbled on when she was three, so I completely agree with that. That feels like a good place to wrap things up, but before we finish, I'd like to say a big thank you to everyone who listened to our first episode of The Data Day from Ropes & Gray—we certainly had a lot of fun. You can subscribe and listen to this series wherever you regularly listen to podcasts, including on Apple, Google, and Spotify. And if you would like to join us for an episode, or you know somebody who we need to have on the show, please reach out to me or Edward via email or LinkedIn—we are here for your suggestions.
Edward Machin: Fully agreed—we would love to hear from you. And until next time, thank you for listening.