The General Data Protection Regulation (GDPR) will go into effect on May 25, 2018. The GDPR strengthens privacy protections in the EU and includes a number of additional rights and responsibilities.
A common myth is that the U.S. Congress is a leader in creating privacy and data security law. But this has not been true for quite some time. Congress isn’t leading, and even the policies and practices of US companies are increasingly built around the law of the European Union (EU) or the states.
In the 1970s through the end of the 1990s, the US Congress passed a large number of important privacy laws. Here are some of the most prominent of these statutes:
Recently, Congress voted to overturn new FCC rules that regulated the privacy of broadband Internet Service Providers (ISPs). The rules implemented the Communications Act, 47 U.S.C. § 222 to ISPs, requiring opt in for sharing sensitive customer data, opt out for sharing non-sensitive customer data, as well as transparency requirements. Sensitive data includes precise geo-location, children’s information, health information, financial information, Social Security Numbers, Web browsing history, app usage history, and the contents of communications. The rules required reasonable data security protections as well as data breach notification.
This development is a setback in Internet privacy protection, but it doesn’t mean that Internet privacy is doomed. There are many other regulators and sources of privacy law to fill the void.
Pro-industry advocates often decry much privacy regulation and cheer the death of rules such as the FCC rules. They advocate for rolling back the jurisdiction and power of regulatory agencies like the FCC and FTC.
Ironically, efforts to weaken the FTC and FCC probably won’t lead to more freedom for industry. In the short term after regulation is weakened or killed, there is a void, so this seems like a nice freer zone for companies.. But nature abhors a vacuum. Other regulators will fill the void, and typically it is regulators who are most passionate about protecting privacy such as California and the EU. They are far more likely to regulate privacy even more stringently than the FCC or FTC.
In the absence of federal regulation, many states pass laws that create a complicated patchwork of inconsistent regulation. This is what happened with data security regulation and data breach notification. Way back in 2005, after the ChoicePoint breach captured national headlines, Congress was considering enacting a law. But it failed to act. Instead, the vast majority of states passed data breach notification statutes, and many states passed data security laws. Instead of having to comply with one law, companies must navigate laws in many states. The most common strategy for companies operating in all states is to try to follow the strictest state law, Thus, the de facto rule is the law of the state with the most strict protections.
I created this cartoon to illustrate the fact that despite the increasing risk that privacy violations pose to an organization, many organizations are not increasing the funding and resources devoted to privacy. More work gets thrown onto the shoulders of under-resourced privacy departments.
It is time that the C-Suite (upper management) wakes up to the reality that privacy is a significant risk and an issue of great importance to the organization. Looming on the horizon is the enforcement of the new EU General Data Protection Regulation (GDPR), which will begin in 2018. It’s never too early for organizations to start preparing. GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases. For more information, see the FAQ page I created about the GDPR and privacy awareness training.
Of course, the C-Suite may be quick to say that privacy is very important, but what matters most are the actions they take. Privacy office budgets and sizes should be going up by a lot these days.
I have produced a new Privacy Shield training course that provides a short introduction to the EU-US Privacy Shield Framework. Privacy Shield is an arrangement reached between the EU and US for companies to transfer data about EU citizens to the US. Privacy Shield replaces the Safe Harbor Arrangement, which was invalidated in 2015 in the case of Schrems v. Data Protection Commissioner.
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected posts on privacy issues:
Last week, the EU issued the General Data Protection Regulation (GDPR), a long-awaited comprehensive privacy regulation that will govern all 28 EU member countries. Clocking in at more than 200 pages, this is quite a document to digest. According to the European Commission press release: “The regulation will establish one single set of rules which will make it simpler and cheaper for companies to do business in the EU.”
The GDPR has been many years in the making, and it will have an enormous impact on the transfer of data between the US and EU, especially in light of the invalidation of the Safe Harbor Arrangement earlier this year. It will has substantial implications for any global company doing business in the EU. The GDPR is anticipated to go into effect in 2017.
Here are some of the implications I see emerging from the GDPR as well as some questions for the future:
Under Article 79, violations of certain provisions will carry a penalty of “up to 2% of total worldwide annual turnover of the preceding financial year.” Violations of other provisions will carry a penalty of “up to 4% of total worldwide annual turnover of the preceding financial year.” The 4% penalty applies to “basic principles for processing, including conditionals for consent,” as well as “data subjects’ rights” and “transfers of personal data to a recipient in a third country or an international organisation.”
These are huge penalties. Such penalties will definitely be a wake-up call for top management at companies to pay more attention to privacy and to provide more resources to the Chief Privacy Officer (CPO). Now we can finally imagine the CEO at a meeting, with her secretary rushing over to her and whispering in her ear that the CPO is calling. The CEO will stand up immediately and say: “Excuse me, but I must take this call. It’s my CPO calling!”
To date, EU enforcement of its privacy laws has been spotty and anemic, so much so that many characterize it as barely existent. Will the new GDPR change enforcement? With such huge fines, the payoff for enforcement will be enormous. We could see a new enforcement culture emerge, with more robust and consistent enforcement. If privacy isn’t much of a priority of upper management at some global companies, it will be soon.