Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. Coming in at 1,297 words, we’re tracking the washout for data privacy from this week’s election, including the impact of EU privacy relations, two other global privacy updates, and more.

And for those working in privacy engineering, don’t forget our privacy_infra() event next Thursday, with tech talks from LinkedIn, Wikipedia, and more.

—The Transcend team


While we’re still waiting on the final Presidential vote count, voters in California and Michigan approved ballot initiatives that expand data privacy rights, while those in Massachusetts approved a car data access provision that critics say endangers data privacy. California’s Proposition 24 expands data privacy protections contained in the California Consumer Protection Act. Michigan’s Proposition 2 requires a search warrant for police to access a person’s electronic data and communications. And Massachusetts’s Question 1 requires cars made in 2022 or later and sold in the state to have standard open-access telematics systems accessible to the owner and repair shops.


  • Some critics of Massachusetts Question 1 argued that the proposal would create opportunities for hackers to access consumer vehicle and personal data, including real-time location information.
  • Missouri, New Hampshire, and some other states have approved laws similar to Michigan’s Proposition 2.
  • The big picture: voters in 32 states decided 120 state ballot measures on Nov. 3.



A spotlight on California. Proposition 24, which amends the California Consumer Protection Act, was approved by 56% of the state’s voters. The ballot initiative creates a privacy enforcement agency, adds “share” to its “Do not sell” provision, and expands the data categories consumers could opt out of sharing with advertisers. At the same time, it enables law enforcement to direct businesses to retain consumer data for 90 days as part of an investigation.


  • The measure expands the type of data covered by existing law to include location, race, and health data.
  • Former presidential candidate Andrew Yang, who chairs the advisory board for Proposition 24, praised its passage, tweeting: “Way to go California – now for other states to follow suit!!”
  • The measure was opposed by the American Civil Liberties Union, League of Women Voters of California, and the Consumer Federation of California.



Protecting data privacy during an election and beyond requires a cooperative effort between consumers, ad-tech companies, and the broader business community, argues Benjamin Brook, CEO and co-founder of Transcend. Consumers need to better manage their data footprint, ad-tech firms need to improve their business practices, and all companies should prioritize data privacy.


Brook proposes five data privacy actions to take:

  1. Better data privacy for everyone

  2. Smart and accessible consumer education

  3. Better suppression logic for when users opt out

  4. More clearly drawn data privacy boundaries

  5. A redefinition of “data privacy” to “data respect”

Privacy engineering meetup: On Thursday, November 12, learn how LinkedIn engineered a differentially private data analytics API at scale, alongside talks from Wikipedia, Transcend, and Privitar.


Now that the Court of Justice of the European Union (EU) has struck down the EU-US Privacy Shield framework, U.S. companies have two ways to comply with the General Data Protection Regulation. Either U.S. companies can strengthen the data protection provisions of the standard contractual clauses they sign with partners, or they can keep EU data in the EU. Large U.S. tech companies already have large data centers in Europe, but small and medium-sized companies will find it difficult if not impossible to store data in the EU.


  • In July 2020, the EU Court of Justice ruled that the EU-US Privacy Shield did not provide adequate data protection for EU residents. 
  • Following the decision, U.S. and EU officials said they would negotiate a new agreement that complies with the court’s decision. 
  • The EU-US Privacy Shield was a replacement for the EU-US Safe Harbor Framework, which was also struck down by the court. 



The outcome of the U.S. presidential election could have significant implications for data privacy and artificial intelligence regulations, as well as the U.S.-China technology relationship. On the data privacy front, Joe Biden is more likely to push for a national data privacy law along the lines of the California Consumer Protection Act, while President Trump is more likely to defer to the states about whether they want to regulate data privacy.


  • In 2017, President Trump repealed online privacy protections established by the Federal Communications Commission under the Obama administration.
  • While Biden was vice president, President Obama pushed for a Privacy Bill of Rights that was never enacted. 
  • President Trump is trying to ban the Chinese-owned TikTok app from the U.S. market or force its sale to U.S. firms due to data privacy and national security concerns. 



European Union (EU) officials and privacy advocates are hoping that the U.S. election will improve relations over data privacy, the Wall Street Journal reports. Relations have been strained over earlier reports that U.S. intelligence agencies were getting access to U.S. cloud storage companies’ data, as well as EU Court of Justice rulings against agreements to shield U.S. firms from General Data Protection Regulation enforcement.


  • In 2013, former National Security Agency (NSA) contractor Edward Snowden revealed that the NSA was conducting a massive surveillance campaign that included access to personal data of customers of U.S. telecom carriers and cloud providers.
  • The EU Court of Justice has ruled twice against agreements designed to provide regulatory cover to U.S. firms regarding EU data privacy regulations. 
  • EU relations with the U.S. government have been strained throughout the Trump administration.



The Singapore Parliament has passed amendments to its Personal Data Protection Act to enable local businesses to use consumer data without prior consent for “legitimate purposes,” business improvement, and research and development. In addition, the legislation increases penalties for data breaches to up to 10% of a company’s annual revenue, or SG$1m ($735,490), whichever is higher. Consumers would also be able to request copies of their data to be sent to another organization.


  • Singapore's Communications and Information Minister S. Iswaran said in a speech that the amendments were intended to maximize the benefits of the digital economy while minimizing the risks of collecting and using personal data.
  • Critics of the legislation argue that the exceptions for prior consent are too broad and might be abused by businesses.
  • Singapore passed the Personal Data Protection Act in 2012.



Amendments to Turkey’s Internet Law and recent decisions by the country’s data regulator have further eroded data privacy in the country, warned the Electronic Frontier Foundation (EFF). The Internet Law and amendments require foreign companies with a large social media presence to appoint a local representative, localize their data, and facilitate data demands from the government. Companies that fail to appoint a local representative could face hefty fines of up to TRY 30m (more than $3.5m).

More from EFF:

  • The deadline to appoint a local representative was Nov. 2, only 30 days after the regulator sent the first notice for companies to comply with the requirement.
  • Foreign tech firms are required to take “all necessary measures” to keep data on Turkish people in the country.
  • The amendments create new tools for removing personal data from the internet: de-linking search engine entries, ordering companies to delete information, and blocking foreign hosts that refuse to comply.



Privacy-enhancing technology (PET) could aid the sharing of health data during the COVID-19 pandemic while also protecting data privacy. These technologies include homomorphic encryption, secure multiparty computation, trusted execution environments, and differential privacy. The tools enable the sharing of health data in a decentralized way without compromising data privacy and security.


  • The U.S. Department of Health and Human Services has eased some HIPAA data privacy requirements in response to the COVID-19 pandemic.
  • The Research Data Alliance has developed best practices and advice for data sharing related to COVID-19.
  • To facilitate the sharing of COVID-19 research data, the National Institutes of Health advises organizations to identify a specialized or general repository, deposit datasets, and add metadata.



South Australia (SA) is considering using QR codes for COVID-19 contact tracing, raising concerns among privacy advocates. SA Premier Steven Marshall said his government was considering using QR code scanning for contact tracing at hospitality locations. The state’s COVID-19 response coordinator said the data would be “dumped” every 28 days.