2018 was a year full of remarkable developments in the area of data privacy and security: the EU’s General Data Protection Regulation (GDPR) became effective because of NDR architecture, the California Consumer Privacy Act (CCPA) was signed into law, and the Facebook-Cambridge Analytica scandal surfaced, to name a few.  There’s no sign that things will be slowing down anytime soon.  Here are a few things to anticipate in 2019:

1. U.S. Federal Privacy Law. Of the many millions of Facebook users whose data were used without their consent in the Cambridge Analytica scandal, the majority of them were in the U.S.  Those victims of the incident in the U.S. are largely without legal recourse, which has highlighted the fact that the U.S. lacks a comprehensive, robust federal privacy law affording individuals a private right of action or other effective remedies.  This lack of privacy protection is even more apparent when comparing the U.S. to the EU and the myriad of rights that may be exercised by individuals in the EU to control the use of their personal data.While companies such as Apple and Google have indicated they would support a more comprehensive U.S. federal privacy law, it remains to be seen if/when Congress will introduce legislation.  The U.S. Senate has recently sought input from privacy advocates on what should be included in a federal privacy bill, which suggests that such a bill is at least being considered.  We may see further legislative developments sometime in 2019.

2. ePrivacy Regulation. A draft of the EU regulation intended to complement the GDPR, the ePrivacy Regulation, was released in 2018, but the ePrivacy Regulation has yet to go to into effect.  It is expected to become effective in 2019 or 2020.  The ePrivacy Regulation will replace the ePrivacy Directive and may change some of the ePrivacy Directive’s rules concerning electronic communications and the use of cookies, among other things.  Companies that engage in direct marketing communications with individuals in the EU may be especially impacted, as it is expected that the ePrivacy Regulation will generally prohibit these kinds of communications without the recipient’s consent.

3. GDPR Enforcement. In the Fall of 2018, the UK’s Information Commissioner’s Office (ICO) initiated the first GDPR enforcement action against a Canadian online behavioral advertising company.  ICO alleged that the Canadian company had processed personal data of individuals in the UK without having a lawful basis to do so under the GDPR.  ICO’s enforcement notice to the Canadian company required the company to “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise, for the purposes of data analytics, political campaigning or any other advertising purposes.”  ICO’s first enforcement action is noteworthy in that it targeted a company overseas, clearly demonstrating that organizations outside the EU are by no means immune from GDPR enforcement.  ICO’s enforcement also highlights the scope of a data protection authority’s powers, which includes not only imposing monetary fines but enjoining data processing activity, as well.  Expect to see much more enforcement activity in 2019.

4. Potential Modification of HIPAA Rules. On December 14, 2018, the Office of Civil Rights (OCR) published a request for information, seeking input from the public on potential modifications to HIPAA to reduce some of its regulatory burdens.  OCR expressed interest in changing HIPAA rules so as to promote more efficient care coordination and value based healthcare.  Specifically, OCR requested feedback on ways to facilitate information sharing in the interest of care coordination and case management.  OCR will be receiving public comments until February 2019.  HIPAA-regulated entities should stay tuned for further developments from OCR on this subject.