According to Gartner’s “Emerging Risk Monitor Report” for the first quarter of 2019, Accelerating Privacy Regulation is now a top issue for the third quarter in a row. It is regarded by many as a greater challenge than cloud computing or even the pace of change. That is astounding!
With the European GDPR (General Data Protection Regulation) now in its second year – and a myriad of other regulations being considered around the world in Brazil, India, Japan, South Korea and Thailand – data privacy is now a costly and complex requirement that all companies will have to deal with soon.
Globally, there is a powerful pro-consumer course correction underway. The continuing bad press associated with daily breaches of personal data is creating a landscape where consumers are beginning to finally understand that they are the ‘products’ in the world of free social media and online advertising. Digital businesses built on this freemium model are seeing their business under increasing pressure from regulations and consumers. Facebook is the prime example of such a company and has been reeling with disclosures of poorly secured consumer data and a clarion call to have their business model altered.
How will this affect tech companies?
It may be too early to tell. One might think that it will take huge fines against a slew of marquee companies before the industry takes notice. A large fine in the billions is expected against Facebook any day.
Many believe that companies that collect user data, and monetize it, could be the target of mass class-action litigation.
GDPR vs. CCPA (California Consumer Privacy Act)
In the USA, California has already enacted the CCPA, which goes into effect on January 1, 2020. Other states are pushing similar legislation through their legislatures.
Who must comply?
The GDPR applies to all businesses that process data of EU citizens, irrespective of their location or size. The CCPA applies only to California-based businesses with revenue above $25 million USD or those whose primary business is the sale of personal information.
The GDPR mandates penalties for non-compliance which can reach up to 4% of the company’s annual global turnover or 20 million euros (whichever amount is greater). CCPA fines are applied per violation (up to a maximum of $7,500 USD per violation) and are not capped.
Both regulations endow the consumer with specific rights such as the right to have information deleted or accessed.
The use of encryption is addressed in both laws
Both laws call for data encryption, making this an essential privacy protection component for businesses.
Could we see one Privacy Regulation for the USA in 2019?
The prospects of this happening are slim to none.
GDPR took between 6 and 10 years to be promulgated. Legislation traditionally moves at a snail’s pace in the USA, and that process is just beginning. A U.S. House of Representatives hearing on consumer privacy largely dismissed the EU’s General Data Protection Regulation and the California Consumer Privacy Act as the basis for future federal privacy legislation.
Tech companies are calling for regulations.
We are in a new world where some of the same companies that monetize personal data now believe that regulation is inevitable. Besides Facebook and Google in that category, others like Apple and Microsoft are also now calling for privacy regulations.
The prospect of having to navigate a labyrinth of privacy regulations – one for every country – is a daunting challenge for every company.
In a release on May 21, 2019, Microsoft stated that any new legislation in the USA should be compatible with GDPR so that companies do not have to build separate systems for conflicting regulations.
While such alignment would certainly be more efficient and less costly, the chances of this happening are low. That is why Accelerating Privacy Regulation remains a clear and present danger for most companies.