From huge GDPR fines to alleged privacy trends for 2019, our roundup blog covers the top 5 stories about data privacy you may have missed this year so far.
They are not necessarily the articles with the biggest headlines, the most surprising stats or even the best-known. But taken together, these 5 stories paint the clearest picture of where the privacy world sits right now.
This article on TechRadar asks whether privacy, which was an exciting but also chaotic topic in 2018, will see a decline in interest this year or remain as high on the agenda.
The answer is most likely, “yes, it will remain on the agenda, but for different reasons”.
The main thrust of the privacy news cycle in 2018 was simple – GDPR’s arrival, the confusion it caused, especially in relation to Brexit, and the domino effect it had globally, as more and more countries adopt their own very similar legislation.
But in 2019, the emphasis shifts. Now we are talking about its enaction and extension.
Big brands are being hit with hefty fines, theoretically being held up as examples to all businesses of the seriousness with which Supervisory Authorities are dealing with transgressions. While this will be true for some, many smaller companies are thinking they can hide under the radar. This is just one of the many misperceptions that we highlight in our Tales from the GDPR Frontline – a collection of anecdotes of the mistakes and oversights that our Privacy team has noticed amongst our clients.
In this article and supporting podcast, Rory Cellan-Jones, technology correspondent for the BBC, notes how times have changed. Gone are the days when people openly shared every detail of their lives on social media, and in particular, on Facebook. Instead, consumers are increasingly concerned about where their data is being stored and how it’s being treated.
Facebook, over recent years, has regularly been accused of, and found guilty of, mishandling its customers’ data, and has been late to the game in adapting to the changing mentality of “privacy-first”.
After a number of scandals, Facebook’s CEO, Mark Zuckerberg, has announced in a blog post that the company is changing the way it thinks about privacy, and that it wants to implement stronger privacy controls and make Facebook a “privacy-focused platform.” This in the face of its track record:
“I understand that many people don’t think Facebook can or would even want to build this kind of privacy-focused platform — because frankly we don’t currently have a strong reputation for building privacy protective services. But we’ve repeatedly shown that we can evolve to build the services that people really want, including in private messaging and stories.”
But this BBC article was not chosen to show how Facebook has changed. The point is wider than that. The world view of privacy and acceptable use of data has changed dramatically, and for some, too quickly. Facebook and Google will not be the only ones to suffer from this. Businesses of all sizes, and even execs and department heads, that have grown accustomed to practices that are not strictly privacy-first will find this new world cumbersome, obstructive and frustrating, making the prudent and balanced introduction of Privacy by Design principles vital to their ongoing success.
Nearly a year on since GDPR came into effect, over 200,000 cases have been reported resulting in €56 million in issued fines. An article on this remarkable statistic is available here, and arguably this should have made the top five stories, but there is one fine that stands out the most.
In January, the most significant GDPR fine to date was issued to the technology giant, Google. CNIL, the French regulator, issued the €50 million (£44 million) fine after receiving and investigating reports on how Google handled people’s data.
They found that Google had “not sufficiently informed” people on how it collected their data, and found a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. Rather than go into the details here of what the decision teaches the privacy industry and wider business, check out the blog post written by our Director of Data Ethics and Privacy, Sophie Chase-Borthwick.
Moreover, it looks like this is the tip of the iceberg. Ron Moscona, a partner at international law firm Dorsey & Whitney, states, “The penalty imposed on Google by the French regulator can be seen as a warning shot at the digital industry at large.” And, with complaints filed against Amazon, Apple, Netflix and Spotify, we can expect to see some hefty fines hitting the headlines soon – notwithstanding the point made above: it won’t be just the big brands.
Building on the point made in the first article, and the domino effect that GDPR had, this article argues that the United States needs to follow in the EU’s footsteps and enforce a national data protection law that all businesses and organizations would need to adhere to.
When GDPR was enforced, it prompted numerous discussions of data privacy regulations across the US, resulting in California being the first state to act. The California Consumer Privacy Act (CCPA) was adopted in June 2018 and is set to become state law on January 1st 2020 (although there are proposals afoot that could impact that).
As it currently stands, this new law gives Californian residents the right to know what personal information businesses collect, where they got the data from and how it will be used. It also makes it easier for consumers to file lawsuits against companies that suffer a data breach, prompting more organizations to start pre-emptively examining their data privacy and security processes.
Privacy is clearly a rising tide, but with more and more legislation likely to come to the fore, adherence for companies whose activities cross national borders, whether by virtue of employees, customer base or suppliers, will become increasingly confusing. This is what triggered our Data Privacy Periodic Table project – an ongoing and regularly updated collection of the key points, or “elements”, of data privacy.
This article from Verdict raises one of the most important, but often forgotten, points of data privacy: the relationship between data privacy and infosecurity, and the equal importance of both.
The exact nature of it is constantly debated. Do they overlap? Are they symbiotic? Does one underpin the other? Or is one a sub-discipline of the other? Regardless of the outcome – which may vary from business to business anyway – one thing is clear: they are not the same.
We find that many of our clients, prior to working with us, considered robust infosecurity disciplines and infrastructure synonymous with privacy, or alternatively, they considered the two unrelated.
We take infosecurity’s role in privacy extremely seriously. In fact, our privacy teams comprise as much infosecurity experience as legal expertise. No matter what your personal views on the debate, one thing is certain: when it comes to the protection of data subjects’ data, both fields are equally important. So much so that breaches of any description will always point to failings in both fields.