January 2020

2019 saw continued growth and change in data protection and cyber-security across the Asia-Pacific. Following the implementation of the GDPR in May, 2018, many jurisdictions moved to review and strengthen existing data privacy and cyber-security laws. In addition, 2019 saw regulators publishing findings in respect of some of the largest data incidents of 2018. We have set out below the key highlights of the year and what to look out for in 2020.

On New Year’s Day, you may have received emails from numerous companies saying their privacy policies have changed, or noticed a link at the bottom of many companies’ homepages stating “Do Not Sell My Info.” These are two of the more visible requirements of the California Consumer Protection Act (CCPA) and companies are still in the process of rolling out other requirements. For those of you that are in the EU or doing business with companies that offer products or services to EU residents, this might have felt like the movie “Groundhog Day.”

To understand the various approaches to CCPA compliance, we reviewed the websites of 50 companies in the Fortune 500® and noticed a few trends:

1. Brace yourself (for export turbulence)

2020 could well be a year of data export turmoil – so brace yourself.

The Court of Justice of the European Union (CJEU) will determine the validity of the EU Standard Contractual Clauses (SCCs) (Data Protection Commissioner v Facebook Ireland Limited, Maximillan Schrems) whilst the General Court of the EU will consider the future of Privacy Shield (La Quadrature du Net v Commission).

The Advocate General (AG) delivered his non-binding opinion on the SCCs just before Christmas (see our blog post).  Although the AG’s view was that the SCCs are valid, he suggested that those using them would need to examine the national security laws of the data importer’s jurisdiction to determine whether they can in fact comply with the terms of the SCCs.  He also raised serious doubts over the validity of the Privacy Shield.  If the CJEU shares these doubts, it could influence the outcome of La Quadrature du Net.

Data localisation issues are also set to resurface during 2020.  China’s requirements are tricky, the Russian Data Localisation law now has monetary penalties and the draft Indian data protection bill also imposes localisation requirements in certain circumstances.