I was recently asked to share my thoughts about Data Privacy Day, an annual event that took place on Tuesday, 1/28.
According to the internet, Data Privacy Day is “an international effort to create awareness about the importance of respecting privacy, safeguarding data and enabling trust.” As iovation’s Compliance Manager and Data Protection Officer, I was also asked to include some commentary about how I celebrated Data Privacy Day myself. To be frank, I did what I always do: eat things covered in copious amounts of gravy.
All joking aside, privacy is important. There is no shortage of instances, from the news or our history books, in which personal information has been misused and abused. Lost, mislaid, and stolen data have been used to commit some of the most heinous crimes, and this isn't just a recent occurrence. These repeated privacy breaches have gone so far as to undermine our faith in the western democratic model, and erode trust in many of our institutions.
To that end, I’d like to share my thoughts about how things are going under GDPR here in the UK, the progress of data protection laws around the world, some notable events in the privacy world from 2019, and what companies should do to rebuild trust with consumers during this data-breach-heavy time.
Life under GDPR
Here in the UK, we’re approaching the second year of life under GDPR, and EU Data Protection Authorities are now providing clarity as to how it should be implemented. While there are still questions as to how the consistency mechanism will work, there is clarity for businesses implementing this new(ish) form of regulation.
Sure, we’ve had privacy laws in Europe for over 40 years – but now, the stakes for getting it wrong are far higher. And as water will always find a way to cross national boundaries, data can also cross those boundaries with ease, presenting challenges for the application of privacy laws from different governing bodies. So, while the GDPR has been initiated to unify the approach of data protection within Europe, other parts of the world have taken their own approaches.
Data protection in the United States
When Data Privacy Day took place on Jan 28th, California’s Consumer Privacy Act (CCPA) was only 28 days old. This is a cursory step toward a brave new world in the U.S., but the certainty that we’re now starting to see with the GDPR is almost completely absent from the CCPA framework. Indeed, while in Europe we can look back on almost 40 years of precedent via the Data Protection Directive and individual instances of national law, we’re lacking such precedent with the CCPA.
In other parts of the U.S., it appears that other states, such as Washington state, Florida, Nevada, Massachusetts, New York, New Jersey… the list goes on, are on track to implement their own data protection laws. But will we see any attempt at a common thread throughout the different manifestations of legislation, or will we see disparate rules built solely to serve individual states? This may prove impossible to navigate, and could result in some form of federally-driven legislation – but even if we don’t see the present administration adopt said laws, we are still seeing important action take place in the U.S.
Data protection around the world
In 2019, change was afoot in Brazil. President Bolsonaro set the National Data Protection Law, or LGPD, in motion, which consolidates dozens of laws that currently govern online and offline personal data under a single, unified law.
And even amidst concerns around Russian involvement in manipulating social networking data, Roskomnadzor announced an increase in levels of applicable fines and data localization laws, which require Russian data to (mostly) be kept in Russian databases.
Elsewhere in the world, we’re seeing Thailand and India move toward their own versions of the GDPR, Japan achieve adequacy with EU law, and the first non-European signatories (Argentina and Tunisia) of the Council of Europe’s Convention 108.
Notable data privacy events from 2019
A lot happened in the data privacy world last year. As a fun reminder, here are some notable occurrences:
- Google (kind of) blazed a trail by announcing its plan to end the use of third-party cookies in its Chrome browser.
- The Federal Trade Commission’s (FTC) record-breaking $5 billion penalty against Facebook for its privacy practices.
- The FTC’s proposed settlement with Retina-X, provider of stalking apps (I didn’t even know stalking apps existed, but evidently there is such a marketplace).
- The Children’s Online Privacy Protection Act (COPPA) was established to ensure that when it comes to the collection of kids’ personal information online, parents are responsible for their children’s online life. The FTC pursued YouTube after it was alleged that the company collected kids’ personal data without parental consent.
Rebuilding trust in a world that cares about privacy
As we enter 2020, the biggest takeaway from all of this has to be that people care about their privacy. In the same way that we like to close the curtains when we undress (or at least I do), we like to keep our personal business, well, personal. But the potential impact of our online lives extends way further than anything our physical selves could achieve – and online is forever, isn’t it? Well, perhaps not, because many of these laws are attempting to protect us from exactly that.
My final thought is that when it comes to building trust, responsible data stewardship and transparency are key. You can’t have trust without them, and this is where businesses need to sit up and pay attention. You want customers to keep being your customers; you want stickiness. But what is the differentiator between you and your competitors? It could be, and should be, transparency. Apple understands this, having gotten ahead of international law with its “The Only Way is Ethics” stance. By putting privacy tools in consumer hands, the tech giant is going beyond allowing individuals to shape their own privacy, and is actually fostering trust. This behavior, along with safekeeping the information they now possess, needs to be baked into what all businesses do with consumer data.