Feb 12, 2019 11:12 AM
Legal Login
with Mindi Giftos
Balancing data security and data commercialization
Data breaches and identity theft are now everyday events, but that state of affairs doesn’t make them any less dangerous, distasteful, and annoying. However, most people with an online footprint understand that at some point in their lives they are going to be the victim of an internet crime — that is, if they have been fortunate enough to avoid it to this point.
What made 2018 different was seeing the pendulum begin to swing toward a new approach to privacy rights and a disruption of the digital status quo. There were several significant events and tipping points that marked 2018 as an important year in the history of cyberspace.
The General Data Protection Regulation (GDPR)
As the first transnational attempt to regulate the processing and movement of personal data, the European Union’s GDPR was truly a landmark piece of regulation. Implemented in May 2018, the GDPR is the clearest, most comprehensive, and most forceful statement yet by a government entity regarding an individual’s rights to his or her own personal data. The GDPR squarely puts the regulatory burden of maintaining these rights on the back of business enterprises engaged in handling data and allows for substantial penalties if such burdens are not met. Notably, the GDPR implements a comprehensive framework within the EU’s member countries for the commercialization of personal data by:
- Providing a robust definition of what constitutes personal data;
- Establishing national supervisory authorities to enforce GDPR;
- Establishing the parameters for lawful data processing;
- Mandating that data controllers establish default procedures and processes that allow for the highest possible degree of data privacy;
- Establishing additional individual data privacy rights, such as the right to access one’s own data and the “right to erasure”;
- Establishing uniform data breach protocols; and
- Establishing the ability to impose substantial sanctions upon companies for failure to comply with the law.
As one might imagine, the GDPR received a decidedly less enthusiastic response from some in the U.S. business community, many of whom felt that the regulations were aimed at reining in the power and dominance of U.S.-based businesses. This charge is not altogether untrue, especially given Europe’s fitful embrace of economic nationalism. However, GDPR’s significance far outstrips such provincial concerns and, given the global nature of data-intensive businesses, is already having an impact on the way data is collected, handled, stored, and commercialized.
California Consumer Privacy Act
One such follow-on event to the GDPR is the new California Consumer Privacy Act, signed into law in July 2018. It is one of the first state-level attempts in the U.S. to articulate individual rights regarding the collection and use of personal data. Similar to the GDPR, the law establishes four basic rights:
- A right to know what personal data has been collected, where it was sourced, and to whom it has been disclosed and for what uses;
- An opt-out right to disallow third-party purchase and use of personal information;
- A right to erasure that compels businesses to delete personal information upon request; and
- A right to equitable pricing of services despite the assertion of the rights listed above.
The similarities between the California law and the GDPR are noteworthy and provide some reason to believe that the GDPR has started a snowball of momentum in setting the parameters for the data privacy conversation.