Balancing data security and data commercialization
Data breaches and identity theft are now everyday events, but that state of affairs doesn’t make them any less dangerous, distasteful, and annoying. However, most people with an online footprint understand that at some point in their lives they are going to be the victim of an internet crime — that is, if they have been fortunate enough to avoid it to this point.
What made 2018 different was seeing the pendulum begin to swing toward a new approach to privacy rights and a disruption of the digital status quo. There were several significant events and tipping points that marked 2018 as an important year in the history of cyberspace.
The General Data Protection Regulation (GDPR)
As the first transnational attempt to regulate the processing and movement of personal data, the European Union’s GDPR was truly a landmark piece of regulation. Implemented in May 2018, the GDPR is the clearest, most comprehensive and forceful statement yet by a government entity regarding an individual’s rights to his or her own personal data. The GDPR squarely puts the regulatory burden of maintaining these rights on the back of business enterprises engaged in handling data and allows for substantial penalties if such burdens are not met. Notably, the GDPR implements a comprehensive framework within its member countries for the commercialization of personal data by:
- Providing a robust definition of what constitutes personal data;
- Establishing national supervisory authorities to enforce GDPR;
- Establishing the parameters for lawful data processing;
- Mandating that data controllers establish default procedures and processes that allow for the highest possible degree of data privacy;
- Establishing additional individual data privacy rights, such as the right to access one’s own data and the “right to erasure”;
- Establishing uniform data breach protocols; and
- Establishing the ability to impose substantial sanctions upon companies for failure to comply with the law.
As one might imagine, the GDPR received a decidedly less enthusiastic response from some in the U.S. business community, many of whom felt that the regulations were aimed at reining in the power and dominance of U.S.-based businesses. This charge is not altogether untrue, especially given Europe’s fitful embrace of economic nationalism. However, GDPR’s significance far outstrips such provincial concerns and, given the global nature of data-intensive businesses, is already having an impact on the way data is collected, handled, stored, and commercialized.
California Consumer Privacy Act
One such follow-on event to the GDPR is the new California Consumer Privacy Act, signed into law in July 2018. It is one of the first state-level attempts in the U.S. to articulate individual rights regarding the collection and use of personal data. Similar to the GDPR, the law establishes four basic rights:
- A right to know what personal data has been collected, where it was sourced, and to whom it has been disclosed and for what uses;
- An opt-out right to disallow third-party purchase and use of personal information;
- A right to erasure that compels businesses to delete personal information upon request; and
- A right to equable pricing of services despite the assertion of the rights listed above.
The similarities of the California law with the GDPR are noteworthy and provide some reason to believe that the GDPR has started a snowball of momentum in setting the parameters for the data privacy conversation.
Evolving discourse on data privacy
Partly due to the GDPR, this past year witnessed a stark change in the tone and substance of how we talk about data privacy. Until 2018, the bedrock principle of how the “free” internet operated was largely unchallenged in mainstream discourse. That is, people largely accepted that, in order to access the plethora of free services online, the providers of those services collected personal data and commercialized it. But the GDPR has changed this balance in Europe and it will be interesting to see whether these norms required by the GDPR continue to proliferate across the globe, particularly in view of the continuing exposures of data breaches involving personal data.
There have been many recent high-profile disclosures of misappropriation of data, namely Facebook (including its Cambridge Analytica revelations), Marriott, MyFitnessPal, and even the U.S. Postal Service. There are also continuing inquiries into the use of personal data to target social media messages to users in order to interfere in the 2016 U.S. electoral cycle. These politically charged events — in concert with daily revelations of data mishandling — have led to a reappraisal of the free internet business model and have underscored the rapid implementation of data privacy regulation.
Striking the right balance
The GDPR by itself would have caused a global re-evaluation of the competing rights of business enterprises and individuals, but the context into which the GDPR came to life (the regulations were adopted two years ago) and the continued exposure of personal information through data breaches have reinforced the notion that something important has changed in consumers’ approach to data privacy.
We have reached, it seems, an inflection point, and the conversation to follow will likely be more serious and practical than those that came before, particularly in view of the expanded data collection necessary to realize the benefits offered through the internet of things and the proliferation of connected devices. Given that we have only scratched the surface of what is possible in the wired and networked world we have created — a world in which our devices speak to one another in a language we cannot hear, generating even more data — the turn toward informed and serious conversation as to how to protect individuals while also recognizing important commercial benefits that support continued innovation was long overdue.
Bob Bowman is a Denver-based partner in Husch Blackwell’s Technology, Manufacturing & Transportation industry group and a co-leader of the firm’s internet of things team.