The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities.
A common myth is that the U.S. Congress is a leader in creating privacy and data security law. But this has not been true for quite some time. Congress isn’t leading, and even the policies and practices of US companies are increasingly built around the law of the European Union (EU) or the states.
In the 1970s through the end of the 1990s, the US Congress passed a large number of important privacy laws. Here are some of the most prominent of these statutes:
Recently, Congress voted to overturn new FCC rules that regulated the privacy of broadband Internet Service Providers (ISPs). The rules implemented the Communications Act, 47 U.S.C. § 222 to ISPs, requiring opt in for sharing sensitive customer data, opt out for sharing non-sensitive customer data, as well as transparency requirements. Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications. The rules required reasonable data security protections as well as data breach notification.
This development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed. There are many other regulators and sources of privacy law to fill the void.
Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules. They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.
Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry. In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies.. But nature abhors a vacuum. Other regulators will fill the void, and typically it is regulators who are most passionate about protecting privacy such as California and the EU. They are far more likely to regulate privacy even more stringently than the FCC or FTC.
In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation. This is what happened with data security regulation and data breach notification. Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law. But it failed to act. Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws. Instead of having to comply with one law, companies must navigate laws in many states. The most common strategy for companies operating in all states is to try to follow the strictest state law, Thus, the de facto rule is the law of the state with the most strict protections.
My cartoon depicts the discrepancy in the security and privacy budgets at many organizations. Of course, the cartoon is an exaggeration. In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were. That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.
Fortunately, it does appear that privacy budgets have increased according to the 2016 IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world. Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.
I created this cartoon to illustrate the fact that despite the increasing risk that privacy violations pose to an organization, many organizations are not increasing the funding and resources devoted to privacy. More work gets thrown onto the shoulders of under-resourced privacy departments.
It is time that the C-Suite (upper management) wakes up to the reality that privacy is a significant risk and an issue of great importance to the organization. Looming on the horizon is the enforcement of the new EU General Data Protection Regulation (GDPR), which will begin in 2018. It’s never too early for organizations to start preparing. GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases. For more information, see the FAQ page I created about the GDPR and privacy awareness training.
Of course, the C-Suite may be quick to say that privacy is very important, but what matters most are the actions they take. Privacy office budgets and sizes should be going up by a lot these days.
I have produced a new Privacy Shield training course that provides a short introduction to the EU-US Privacy Shield Framework. Privacy Shield is an arrangement reached between the EU and US for companies to transfer data about EU citizens to the US. Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.