On May 25, 2018 – less than a year from now – the EU will put into effect one of the most far-reaching and punitive measures dealing with digital privacy. The General Data Protection Regulation (GDPR) is literally privacy on steroids and far beyond what we have ever seen.
A long list of identifiers (aka Personally Identifiable Information or PII) now falls within the purview of this regulation. In addition to the more recognizable PII like name, gender, sexual orientation, location data, economic and cultural data, etc., we can now add IP addresses, genetic information and even biometric data.
Further, any EU resident may request access to their data and is entitled to enforce the “Right to be forgotten”, whereby their personal data must be erased. The catch is that such erasure needs to occur from every instance where such data may have been shared! In cases where the data is deemed to be inaccurate, the data subject can enforce the “Right to restrict the processing of personal data”. Data subjects have the right to data portability and even to object to being evaluated on the basis of automated processing systems. The list is very long indeed.
The law applies to any company doing business in the EU, not just to companies based in the EU.
Breaches must be disclosed within 72 hours, and if you have second thoughts about complying with the regulation, consider the penalties: 4% of global gross revenues or €20 million – whichever is higher!
Based on 2016 revenues, a fine for Apple would be $8.6 billion. Think they are not going to take this seriously? Unlikely. By some estimates, fully 95-98% of US companies doing business in the EU are not prepared and are not on track to become compliant by May 2018. A frightening prospect.
United States of America
On April 3, 2017, while the country was occupied with the latest crisis headlines, President Trump signed the repeal of the internet privacy rules into law. There wasn’t even a comment from the White House and no photo opportunity of the President signing this law. Very few even noticed. The resolution passed by a 50-48 vote in the Senate and 215-205 in the House.
The repealed internet privacy rules had been aimed at preventing internet providers from selling personal data without permission.
This battle, which had pitted large internet service providers and tech giants against consumer advocates and privacy rights groups, became history, and those ISPs that were interested in selling private data, won the day. Privacy took a blow to the nose.
In one report, consumer and rights advocates were outnumbered 50:1 by the lobbyists for their opponents. Critics of the rules had argued that this was an example of government overreach. One of the arguments for eliminating the rules was that these rules “would cause consumers to miss out on customized promotions”.
Now experts argue that these huge new databases of personal information are likely to become targets for hackers, law enforcement and spies.
The tide of consumer complaints, as more citizens become familiar with what has transpired, is now causing some lawmakers to consider the repeal of the repeal of the internet privacy rules! Time will tell.
What is a large multinational that is doing business on both continents to do?
EU residents want to enhance privacy and here in the USA, we have just shredded it. With this diametrically opposed cauldron of laws to deal with, how should companies respond?
Unfortunately, this is now a very confusing and contradictory landscape with no quick and easy path to resolution. This week, Angela Merkel, the German Chancellor, called for international regulations for the digital world. She went on to say that the US and Europe need to work together to ensure sensible rules because the “standards had been very erratically set so far”. For many companies, the statements resonate, but a collaborative approach between continents is an elusive dream.
In the meantime, global companies must deal with a bipolar set of regulations making compliance a nightmare scenario.