Protection and Privacy in the Super-Connected World
In a recent blog post, I explored the challenges of securing privacy while preserving the benefits of data-driven innovation. The European Union is wading into this issue with the soon-to-be-implemented General Data Protection Regulation (GDPR). The statute is sure to influence the development of the U.S. data protection regime—a patchwork of industry norms, private contractual terms, state statutes, sector-specific federal laws and far-flung national regulatory authorities. Numerous legal precedents and the borderless nature of the virtual world suggest that the legal and regulatory hodgepodge will give way to a more universal framework. This report summarizes major provisions of the new EU law, identifies key questions about its effects, and suggests lessons learned to help inform U.S. harmonization initiatives looming on the horizon.
The law applies the new regulation across the European Union (EU) and to U.S. enterprises doing business there. Certainly, a “digital single market” is far preferable to a collage of 28 national privacy protection regimes. While uniformity makes it much easier for firms to understand and comply with requirements, a major question remains as to how the promised “one stop shopping” will work, given that each country must enshrine the standards in its national law, to be adjudicated by its own courts. This is a matter of great significance to U.S. companies that, whether they know it or not, are subject to the new EU regulation. As the global law firm DLA Piper reports, “The simple act of selling a product to an EU resident…and processing that one resident’s data during the sale, will be enough to trigger oversight by the GDPR.”[i] By and large, this makes the GDPR an international standard.
U.S. policy lesson: The fewer jurisdictions and regulatory layers enterprises must navigate, the easier it is for them to comply with the law, and the more attractive the business environment can be. Even with more uniform law, a multiplicity of enforcement and adjudication authorities adds unpredictability, sowing uncertainty and unevenness that can chill data investment and innovation. Enterprises and individuals covered by data protection statutes need to understand the scope of the law’s application to them. Their corresponding responsibilities, liabilities, and rights must be clear.
The law holds any company or individual that controls or processes data “by which an individual can be identified” responsible for its protection and liable in the event of a data breach.[ii] A central tenet of the law is that the proper handling of personally identifiable digital data and cyber-privacy protection is a shared responsibility accruing to data processors and controllers—the latter defined as “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.”[iii] For that reason, all enterprises and individuals in the chain of access to a data set, and in control of the systems used to transmit, process, and store it, fall under the regulatory umbrella. Accordingly, enterprises are at risk not only from their own actions related to a privacy breach but also from those of their vendors and partners, requiring heightened levels of corporate diligence.
What qualifies data as traceable to a particular individual is a complex question likely to be fraught with controversy. Data analysts have shown that, under the right circumstances and using the correct algorithms, anonymized data can be mapped back to its individually identifiable source. Does liability accrue if a government supercomputer could figure out the named origin of anonymized data, or does some more widely available level of technology apply? Companies should brace for additional costs and uncertainty as regulatory and judicial bodies parse what constitutes personally identifiable data, the standards to be applied, and the parameters of data controllers’ responsibility in handling data from origin onward.
U.S. policy lesson: The standard by which a data set is deemed personally identifiable needs to be reasonable and well understood by those falling under the purview of data protection law. Moreover, the definition of what constitutes a data breach must be reasonable and clear. Equally important is ensuring that the statutory scope of liability is transparent, fair to all stakeholders, and commensurate with a controller’s culpability for a damaging event and its cost.
The law subjects data users to compensation claims for data breach, loss, or destruction. GDPR creates legal causes of action and the payment of damages for the breach of data, exposing companies to significant new cost liabilities. To limit the uncertainty, the law provides safe harbor for data holders that meet individuals’ “reasonable expectations” of data privacy. Moreover, it establishes that encryption and anonymization of data meet the reasonableness test.
Litigation will likely be required to determine precisely what data privacy expectations are “reasonable” and what level of encryption is needed to achieve safe harbor, particularly as privacy standards and expectations evolve and decryption technology advances. Moreover, the law does not appear to have guardrails against the usual litany of plaintiff bar abuses: frivolous suits, out-of-whack judgments, and anti-competitive chicanery.
U.S. policy lesson: It is important to enable individuals and enterprises damaged by data breaches to recoup fair compensation while avoiding the aforementioned excesses. Liabilities should be proportionate with responsibilities and damage, and should fairly consider the degree to which an enterprise is duly diligent in its behavior and compliant with proper standards of protection. Vast new legal structures for data protection without corresponding tort reform to rein in excesses will put our data-driven economy at risk.
The law imposes significant restrictions on the transfer of data on EU citizens to non-EU countries. Data holders in non-EU countries will be required to provide an “adequate” level of data privacy protection. This provision would seem destined to stoke further controversy with the U.S. and other non-EU nations over what will likely be an evolving standard of “adequacy.” Protection requirements will need to change as threats and the tools to defeat them evolve. Any specific standard or norm will most likely be obsolete before it is implemented, while non-specific standards will likely breed controversy and costly litigation.
U.S. policy lesson: Electronic data is a borderless commodity. To the maximum extent possible, widely applicable standards of adequacy should be harmonized and designed to keep up with changing norms, societal needs, and technology. Big data will yield more if there is ample and responsible trade in data. Rules should not be used as a backdoor form of high-tech protectionism, which would have a disproportionate impact on the U.S.
The law creates a right for individuals to see data held about them and to require that data be expunged (what the EU calls “the right to be forgotten”). Numerous questions go unanswered about the scope and application of the requirement for a data controller to present an individual’s data upon his or her request. Who precisely qualifies as a data collector? What qualifies as individualized data? To what extent are government data holders covered by the regulation? What constitutes sufficient erasure? How far across the expansive data supply chain (collectors, processors, storage firms, and transmitters) does the requirement extend?
U.S. policy lesson: Confusion and opaqueness over legally enforceable standards is a recipe for a regulatory and legal morass. Policymakers owe the public and regulated community clarity about requirements and expectations, a just balance between costs and benefits, and clear answers to fair questions concerning compliance without forcing stakeholders into court to ferret out an answer.
The law requires data controllers to inform individuals of their data protection rights, including the choice to opt in to a data system versus opting out. Informing people of their data protection rights seems just and appropriate. Individuals deserve transparency and a say in how data they provide are used. However, open questions abound. What constitutes sufficient communication and proof of it? Electronic information is ubiquitous and can pass through many nodes in the data supply chain. Is each node responsible for notification? By what means must notification be made and at what cost? To what degree should the informed party acknowledge their data’s use? What’s more, the law is silent on the degree to which individuals should be informed about the personal and public consequences of opting in or out of particular data use.
U.S. policy lesson: Legal requirements backed by enforcement mechanisms, penalties, and civil and criminal causes of action create monumental new risks and liabilities for data holding enterprises. The full costs and potential unintended consequences of regulation must be weighed carefully against quantifiable, well-defined benefits. In addition to knowing their rights, stakeholders should understand their data responsibilities along with the personal and societal pros and cons of their data-use decisions.
The law imposes large, mandatory fines and strong notification requirements for data breaches. Unlike the uncertainty surrounding many liabilities the new regulation creates, the fines it imposes for data breach are quite clear. They are high and punitive, up to 4 percent of an enterprise’s worldwide profits. The law’s requirement for firms to notify the proper public authorities and victims in the event of a data breach is strong and sensible. Notification enables law enforcement to do its job and victims to take steps to protect themselves. However, as Computerworld UK observes, the absence of a timeline for providing notification creates a glaring uncertainty. Moreover, questions are sure to arise over what constitutes sufficient notification. To help oversee data management and prevent breaches, the regulation mandates that large organizations appoint an officer responsible for privacy protection and conduct data privacy impact analyses. These steps reflect strong best practices.
U.S. policy lesson: Transparency and accountability are key pillars of a just and trustworthy virtual domain. Penalties for breaches that result from the absence of due diligence can be a powerful deterrent to irresponsible behavior. However, to avoid unintentionally chilling data innovation, due-diligence standards need to be clear and reasonable, fines must be fair and commensurate with damage, regulators must act prudently, and due process must be accessible and cost-efficient. Stakeholder notification is fair policy, and baking data accountability and prudent risk assessment into corporate structure and process is sensible practice.
Data protection and respect for individual rights in the cyber-commons and its private byways is a societal and economic necessity. Achieving these objectives presents many challenges, but also enormous opportunities for the United States and our enterprises. America’s business system pioneered the internet, e-commerce, social networking, and big data analytics. We can and should lead the world in creating the technologies, processes, and practices that protect the integrity of the system. Moreover, our public institutions should set the mark and lead the world in responsible cyber-governance.
Companies are rightfully wary of vast legal mandates that often carry hidden costs, excessive litigation, and uncertainty. Effective and well-crafted standards, whether voluntary or statutory, are instrumental in building the public trust necessary for e-commerce and big data to prosper. For these reasons, American companies have an enormous interest in getting ahead of the curve by establishing strong corporate and industry standards and codes of conduct. Proactive industry solutions are good for customers and business, and they model effective approaches for lawmakers. Moreover, responsible and effective data protection measures, voluntarily adopted, are a bulwark against legislative overreach by authorities that aren’t as knowledgeable as markets and business systems are about real-life practicalities and unintended consequences. Above all, responsible, respectful, and secure handling of personal data is the right thing to do!
U.S. companies, policymakers and stakeholders need to carefully observe the implementation of the EU’s GDPR for its impact and lessons. In crafting our own policy, we can build on what works and avoid what doesn’t. Moreover, getting it right can re-establish our leadership in e-governance. After all, American innovation played a critical role in the birth of the internet and its progeny to the enormous benefit of mankind. Its greatest achievements are yet to come—that is, if we are wise enough to stay out of our own way.