Whatever else it may bring, 2019 will be a breakout year for online privacy, as the EU’s GDPR takes root and legislation in other nations follow suit. But not everyone is on board with the new privacy regime. Who will be the privacy leaders and laggards in the New Year? (Editor’s note: this post originally appeared on Hitachi Systems Security’s blog.)
Anyone who doubts that 2019 will be the year that the EU’s revolutionary privacy regime, the General Data Protection Regulation (GDPR), finally starts to bite should look to the complaints filed just last week against Google by consumer protection agencies from seven EU countries.
The 44-page complaint (PDF) filed with national data protection authorities in the Netherlands, Poland, the Czech Republic, Greece, Norway, Slovenia, and Sweden accused Google of engaging in deceptive practices to track its users’ location. Google, the complaints allege, uses subterfuge and “dark patterns” to nudge users into consenting to the collection of information like their mobile phone location history. As a result, Google “lacks a valid legal ground for processing the [location] data in question,” since its users’ consent “is not freely given” – a violation of one of the key tenets of GDPR, which went into effect in the EU in May.
Indeed, six months after GDPR went into effect, the true impact of the EU law is beginning to be felt around the world. For the first time, complaints are being lodged and fines levied against non-compliant firms. Companion legislation is being planned or implemented everywhere from California to Colorado, India and Brazil. Those changes set up 2019 to be a breakout year for online privacy rights. Here are some of the privacy developments – pro and con – that I see coming soon after the Champagne corks pop.
No more Mister Nice Guy
The complaint filed against Google is just the beginning. Already, complaints and even fines for GDPR and other privacy-law violations are starting to bite. It is a trend we can expect to see accelerate in 2019. In just one example, the data protection authority of the German state of Baden-Württemberg (“LfDI”) imposed a fine of €20,000 on a social media provider for violating Article 32 of the GDPR (“Security of Processing”). The fine came after a hacker gained unauthorized access to personal data on around 330,000 of the platform’s users. The company immediately informed its users and its local data privacy regulator about the attack in an “exemplary manner,” the authority said, which accounted for the small fine.
While the German fine was tiny, large and wealthy companies that show a disregard for user privacy won’t be so lucky. A case in point is ride-sharing firm Uber, which was fined the US equivalent of $492,000 by the UK Information Commissioner’s Office (ICO) for a 2016 incident that resulted in the theft of information on 2.7 million customers (including 82,000 drivers) in the UK. The company was fined another $600,000 by the Dutch data regulator Autoriteit Persoonsgegevens. In both cases, the fines were issued under pre-GDPR legislation – some of it 20 years old. Under the terms of GDPR, those fines would be far larger – in the neighborhood of $100 million.
Big fines serve a purpose. “You have a data breach and it doesn’t affect the stock price for more than a couple of hours,” Vanessa Henri, Hitachi Systems Security’s Director of Legal and Compliance told me. “Governments have come to the realization that they have to enforce privacy in a strict and spectacular way for people to change their ways.”
“More than ever it will be important to have good security and privacy measures in place,” Henri said. “In the future, there will be no way around it. There are too many authorities to notify and it’s not an easy process. You need to have good incident response in place.”
We’re all GDPR now!
In 2018, GDPR was mostly a bold and ambitious privacy law designed to protect the data of EU citizens and residents. As 2019 rolls along, however, it will become increasingly clear that the law is more than that. The General Data Protection Regulation is already becoming a global gold standard for online privacy protections that private- and public-sector organizations are orienting themselves to, regardless of whether they do business in the EU.
By setting a high bar, GDPR has become the iron standard that organizations measure themselves against. “We tell our clients to aim for the iron standard that you know, rather than always being reactive,” Henri of Hitachi Systems Security* told me. And that goes even for companies and organizations that are operating under less stringent privacy laws.
Privacy Leaders…and Laggards
Even as it becomes a de facto global privacy standard, GDPR is poised to exacerbate tensions between nations that are privacy leaders and laggards. In the United States, for example, lawmakers in Washington D.C. have struggled for more than a decade to craft a comprehensive, federal data privacy law, even as the EU, Canada, South Africa and other nations have moved ahead, adopting aspects of GDPR in new or updated privacy laws.
In the U.S., that has led to a proliferation of state-level privacy laws with conflicting requirements and agendas. Now, with GDPR in play, states like California – which created the nation’s first data breach disclosure law – have passed digital privacy laws modeled in part on GDPR.
But as countries like the United States continue to struggle to articulate clear consumer privacy rights that align with those of GDPR and other nations, bilateral tensions between the US, EU and other nations are likely to mount in 2019. Already, EU regulators consider the U.S. CLOUD Act, passed in March, a source of tension, Henri told me. At the same time, human rights groups in the US are arguing that UK authorities should not be granted access to data held by American companies because British laws fail to meet human rights obligations. At the United Nations, there is evidence that China and Russia’s authoritarian, “closed borders” approach to Internet regulation and censorship is gaining traction amongst a large group of developing nations, while the open Internet model advocated by countries like the U.S., Canada and the United Kingdom is losing adherents.
These divisions over online freedom, civil liberties and privacy protections may simply reflect a changing political consensus and a “new normal” in which the international order is increasingly fractured and polarized. “These different approaches to privacy are cultural,” Henri told me. “We grow to have these laws and don’t understand where they come from.”
(*) Hitachi Systems Security is a sponsor of The Security Ledger. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.