The 2021 edition of BakerHostetler’s annual Data Security Incident Response Report highlights some regulatory enforcement trends we saw from the European Union (EU) data protection authorities (DPAs) during the past year. EU DPA enforcement actions increased significantly in 2020, as DPAs followed up on personal data breach notices and individual complaints and also launched investigations into other issues of interest. In particular, companies should be aware that a personal data breach notification in the EU may expose their entire General Data Protection Regulation (GDPR) compliance program to a DPA examination, which can uncover areas of noncompliance that result in even larger fines. For example, fines related to the lack of an appropriate legal basis – particularly consent when it is required – for a company’s use of EU personal data have been among the largest fines issued by EU DPAs.
The 2021 Data Security Incident Response Report identifies other DPA personal data breach enforcement trends, such as enforcement of the GDPR’s 72-hour breach notification deadline and DPAs taking a more active role in reviewing the content of individual data breach notifications and providing unofficial orders in the form of suggested actions. We also discuss some of the mitigating factors DPAs have cited for lowering GDPR enforcement fines, including, in some instances, economic hardship caused by the COVID-19 pandemic.
One key trend that does not get a lot of focus in the 2021 Data Security Incident Response Report is the now global aspect to regulatory enforcement for personal data breaches. The EU may have set a notice requirement and enforcement standard, but other countries are rapidly catching up.
Mandatory Personal Data Breach Notification Is Now a Global Standard

The number of countries that have recently passed or that have pending legislation requiring mandatory personal data breach notification continues to expand. Significantly, the list includes economic powerhouses in the Asia-Pacific region. Japan and Singapore, for example, recently amended their existing data protection statutes to impose GDPR-like data breach notification requirements. New Zealand’s recent Privacy Act and Thailand’s new Personal Data Protection Act, which will be enforced beginning in 2022, both include personal data breach notification requirements. In China and India, which already have certain data breach notice obligations, broader requirements would be introduced by their pending general data protection laws. Of course, almost every new personal data breach notification requirement differs slightly in terms of what constitutes a data breach and triggers notice obligations, as well as when, how and whom to notify, adding further complexity to global companies’ data protection compliance efforts. As the trend toward mandatory breach notification accelerates, it becomes increasingly imperative for companies to have experienced counsel familiar with the ever-changing privacy and data security regulatory landscape to guide them both for proactive compliance planning and, when necessary, security incident response.
EU Is Not the Only Enforcement Game in Town

While many companies have, with good reason, focused their international compliance efforts on the EU, regulators in other countries have been intensifying the pressure on companies. Regulators in South Korea and Singapore have been cementing their reputations as among the most aggressive regulators, with several notable data security-related enforcement actions in the past few months (and many less notable ones). In 2020, Japan’s Personal Information Protection Commission issued its first privacy enforcement order since the enactment of its Personal Information Protection Act, signaling the potential for more enforcement actions to come. This month, New Zealand’s Office of the Privacy Commissioner issued a press release stating that it was taking a more proactive approach to statutory compliance with data breach notification obligations. Israel’s Privacy Protection Authority levied a fine in May for a data breach involving sensitive personal data, and Turkey’s Personal Data Protection Authority has been steadily increasing its enforcement activity. Late last year, the Office of the Australian Information Commissioner asked for stronger enforcement powers under the country’s Privacy Act, which is currently under review. And China is looking to strengthen its cybersecurity and personal data regulatory regimes with new legislation, the pending Personal Information Protection Law and the newly passed Data Security Law, which becomes effective on September 1, 2021. Although monetary fines imposed by regulators from these countries have not reached the severity of those in the EU so far, many of these other data protection laws also include private rights of action and criminal liability for noncompliance.
Security Posture Under the Regulatory Microscope

In April 2021, the New York State Department of Financial Services (NYDFS), a leading cybersecurity regulator in the United States, settled an enforcement action against an insurance company for a $3 million penalty. Among other things, the consent order mentioned the company’s failure to implement multi-factor authentication – a specific requirement imposed by the NYDFS Cybersecurity Regulation – as one of the bases for the regulatory action. Similarly, some international regulators have begun to prescribe explicit technical and administrative safeguards through rulemaking and are using companies’ failures to implement them as a basis for enforcement action. With these new enforcement actions, we are perhaps starting to see a shift away from models that rely on the general “reasonable” or “appropriate” data security requirements without further specification. Companies must be prepared for the possibility of a broad regulatory audit of their technical and administrative data security safeguards when notifying data protection regulators about a data breach.
While the EU has for several years led the way in actively enforcing its data protection laws and levying the largest fines, prudent companies with an international presence will keep an eye on global data protection developments, evolving compliance obligations, and those non-EU data protection regulators whose enforcement efforts have been ramping up.