The Covid-19 pandemic has ushered calls for extraordinary surveillance methods. The Israeli government, for example, approved a proposal to allow the Shin Bet security service to perform mass surveillance on Israelis’ phones without requiring a court order to mitigate the spread of COVID-19. But while this crisis may be testing sensibilities about privacy, data protection proposals and laws continue to hover over entities throughout the world. Companies are still navigating reactions to GDPR and CCPA consumer requests, and compliance with these laws generally. Sovereigns are responding differently when confronting implementation and enforcement of privacy legislation and laws.
More than 30 major California and national trade associations called on California Attorney General Xavier Becerra to provide a “temporary forbearance” until Jan. 2, 2021, of enforcement of the California Consumer Privacy Act (CCPA). They stated that COVID-19 has encumbered businesses in “their earnest efforts to operationalize the draft rules prior to July 1, 2020.”
Despite the Attorney General’s office remaining in the drafting and amending stage of regulations for CCPA, there is no plan to delay enforcement beyond July 1, 2020. Sarah Lovenheim, the California Attorney General’s spokesperson responded to the letter by saying “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first,” and stressing the importance of consumer privacy during this crisis.
The Stop Hacks and Improve Electronic Data Security Act, or SHIELD Act, updated New York’s laws concerning notification requirements and consumer data protection obligations. It also requires entities to maintain reasonable physical, technical and administrative safeguards over data. It was signed into law last July, and became effective on March 21, 2020. Despite New York bearing the brunt of COVID-19 to date, there is no indication from New York’s Attorney General that there will be any delay in enforcement.
On March 12, 2020, the Information Commissioner’s Office (ICO), the United Kingdom’s data protection authority (DPA), published guidance for data controllers on their data protection compliance obligations during the COVID-19 pandemic. In contrast to the California AG’s response, the ICO committed to telling “people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.” Further, they acknowledged that resources may be committed elsewhere during this crisis and will not penalize “organisations that we know need to prioritise other areas or adapt their usual approach during this extraordinary period.” The IAPP has provided a resource to track all COVID-19 guidance published by DPAs to date.
Two years ago, Brazil passed comprehensive data protection legislation: the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais - Law No. 13,709/2018, as amended) (LGPD). The substantive part of the legislation was set to take effect on August 16, 2020. However, on April 3, 2020, the Brazilian Senate approved Bill of Law (“PL 1179/2020”), which includes a number of emergency measures intended to address the COVID-19 pandemic. Among these provisions, included a section delaying the effective date LGPD until January 2021. Fines and sanctions for companies that fail to comply with the LGPD are now scheduled to become effective August 2021 “so as not to burden companies in the face of enormous technical economic difficulties arising from the pandemic.”
India’s Personal Data Protection Bill (“PDPB”) was introduced to the Parliament in early December of 2019 and was expected to be passed in 2020. In early March, the Joint Parliamentary Committee requested an extension for its report on the bill which would delay the passing of the bill to the Monsoon Session of Parliament, which runs from July to September.
COVID-19 has required global adjustment. People are working from home, businesses are under pressure, and the need for data increases. Some sovereigns seem to accept the reality of this hardship and are delaying the impact of privacy enforcement. Others believe that in times of emergency, the need to protect consumer information is greater.