In a recent online poll of members of The Privacy Collective, 63 percent of our participants predict that the most significant development in privacy over the next six months will be new regulations as a result of COVID-19 and 17 percent expect a dramatic increase in data breaches as a result of virus-related disruptions.
Their predictions were borne out by the experts in our recent virtual Q&A, “Privacy Regulations Now.” Ryan Blaney, partner and head of the privacy practice at Proskauer Rose LLP, and Laura Clark Fey, principal and privacy law specialist at Fey LLC, agree that privacy professionals must prepare for change to hit their organizations harder and faster.
But they also see a silver lining: the current storm shines a light on the importance of privacy to business processes of all kinds, throughout the organization.
COVID Adds to the Regulatory Maze
While COVID-19 is already increasing regulatory complexity, our experts said they don’t expect any new COVID privacy laws in the U.S. Blaney doesn’t expect competing G.O.P. and Democratic proposals to survive inter-party wrangling. Fey agrees and points out the additional issue of pre-emption:
“If a federal law layers on top rather than pre-empting state laws, then what’s the point of adding one more law? On the other hand, states such as California won’t accept a federal law that’s weaker than the one they already have.”
The greater challenge for most organizations is the effect of the pandemic on existing laws. Blaney explains,
“There are already so many different regulators: state, city, and federal. They are all coming out with guidelines, best practices, and advice on the pandemic, and most of those touch, in some way, on privacy. That flurry of guidance and regulations will continue to be the biggest challenge for companies.”
Fey agrees that COVID issues add to an already complex maze of privacy regulations.
“One of my clients identified over 3,000 privacy and data-security-related regulations worldwide. And now COVID is affecting those. Brazil is delaying implementation of its new law, while California is marching ahead with the CCPA despite the pandemic. When you add all that together, it’s an extremely difficult time for companies figuring out how to comply.”
Fey recommends being strategic about compliance:
“The rational approach is to understand where the greatest risks lie and prioritize how to address any gaps.”
Blaney recommends that companies develop systems for tracking regulatory developments in real time. Proskauer Rose has set up a coronavirus task force that meets daily to review changes. Technology like the Radar incident response platform can also help, providing in-app announcements and regulatory watchlist updates when a new or amended breach notification law goes into effect.
Safe Returns Will Not Be Easy Returns
As the COVID crisis wears on, it’s clear that some workers may stay remote for a long time, while returning others safely to the workplace will raise new technical and privacy issues. And Fey points out that privacy issues are interwoven with other workplace regulations:
“There will be personal information generated from temperature checking that will be required by certain states. There will be EEOC and ADA considerations around protecting those who are more vulnerable. It’s critical to know what aspects of these laws are important for privacy compliance. And, in privacy, often the devil is in the details.”
Blaney points out that the return to work will involve new technologies and new vendors, all of which must be vetted for privacy and cybersecurity issues.
“There will be COVID tracking apps, screening technology, etc. It’s all being developed in real time, and there are inevitably going to be risks. We know from FBI alerts that these technologies are already being targeted by hackers. So, we will see significant concerns and, unfortunately, probably data breaches.”
Fey recommends being extra thorough in screening and contracting with new third-party vendors during the transition.
“Some laws are very specific about privacy obligations with respect to 3rd-party vendor selection, contracting, and auditing. So, it’s important those processes take account of applicable privacy laws. For example, a client recently asked us to look at an app they were considering using as they brought employees back to work. But after careful review of the vendor’s privacy policy and terms of service, it became clear that using that app was not advisable.”
Blaney points out that planning and communication are key to avoiding problems. “You need to update policies and procedures, creating a roadmap for dealing with events such as a positive COVID test. Then make sure your employees understand why and how you’re collecting this information, so they have security and comfort around it.” Fey adds:
“Try to spot issues in advance, being aware that the privacy obligations lie at many different levels: when you collect data, how you use data, how you protect data. Be clear that when you use personal data for a new purpose, you may have to not only give notice but get explicit consent.”
COVID, Compliance, and Civil Rights
Recently, the COVID crisis has shared the headlines with civil rights protests and policies. A heightened focus on civil rights and non-discrimination also raises urgent privacy concerns.
“Yesterday, Boston voted on an ordinance that would ban the use of facial recognition surveillance, specifically tying it to the risk of racial bias,” says Blaney. “When you see some cities banning those types of features because of potential discriminatory and racial issues, you know companies will also come up with a hodge-podge of policies around these information-gathering technologies.”
He also anticipates COVID will raise issues of equality in the workplace.
“Don’t overlook the real potential threat of discriminatory challenges around privacy. Once you start collecting all this health information, you may have to keep certain employees safe because they have higher risk, for example telling them to work from home. Yet that could lead to discriminatory claims. ‘You collected my private information about my health info, and you’re making decisions about how I can or can’t work.’ I think those are going to be real issues.”
Fey also sees COVID creating new surveillance risks in some parts of the world:
“In nation-states where citizens don’t have a lot of rights, COVID is becoming an excuse to collect new information on individuals. For example, a recent New York Times article described how China is collecting blood samples to test for COVID antibodies. But human rights advocates worry that those samples could also be used to identify and threaten relatives, say, of a political protestor. What are we doing to make sure data being collected for COVID-19 (biometrics, geo-location) won’t be used for inappropriate purposes down the line? There’s lots of guidance coming out in different countries, especially Europe, so multinational organizations need to keep up with that.”
The Upside: Privacy Takes Center Stage
If there is a silver lining to the COVID crisis, it’s that the importance of privacy is becoming clearer at all levels of our organizations. And in a poll during the online session, 70 percent of participants said they expect that shift will be permanent. For example, Blaney is seeing new levels of collaboration between privacy teams and HR departments.
“A lot of the attention right now is on figuring how to implement health screenings, questionnaire apps, COVID-19 tests, etc., as we open businesses. Obviously, there are lots of employment-related privacy questions that go along with that, and now HR is taking more of a lead on some of those issues. I also see corporate attorneys getting more involved in COVID-screening contracts with big lab companies. A lot of the negotiation focuses on privacy: data collection and protection.”
Fey agrees that privacy has moved front and center in the corporate consciousness with new global regulations plus increased awareness around the pandemic.
“Pre-GDPR and CCPA, I used to be most engaged with in-house counsel. Now everyone from HR and marketing to procurement and the call center has to get involved in privacy. Which is great because it’s through cross-functional collaboration that you can develop a comprehensive privacy program that also takes business needs and goals into account.”
Looking ahead, both Blaney and Fey see the pace of privacy change continuing to accelerate, as societal events like the pandemic and new technologies create unforeseen issues. Fey points out that this isn’t new: laws and regulations often follow the introduction of new technology.
“For example, geo-location (now also being used for COVID contact tracing) and biometrics are capturing pretty sensitive data, and regulators are starting to take a closer look at that. The laws will be shifting constantly, and I don’t see that trend changing any time in the future. It’s an interesting time because there are so many exciting, legitimate uses of this data, but there are also so many risks for misuse.”