There were a number of high points in the data protection space this past month. There was a great deal of focus on the exchange of information between the US and the European Union (EU). However, it would be a mistake to think all the action took place in Brussels or the other European capitals. In fact, as public reaction to the various tech-related privacy breaches has begun to manifest itself, the focus has been on creating regulations on both sides of the Atlantic that work for everyone.
That is not to say that Europe and the US are the only countries involved. When the General Data Protection Regulation (GDPR) went into force over a year ago, the European Commission was quite clear that the rules would apply to anyone doing business in the EU. And on that score it has been merciless. The UK-based international law firm CMS, whose GDPR tracker traces those that have been convicted, or are being investigated for breaches of GDPR, already lists more than 70 companies, many of them inside the EU. The myth propagated in some quarters that GDPR is targeting American companies exclusively is simply incorrect.
UK-US Bilateral Data Access Agreement
What is really notable over the month of October is the creation of new initiatives to ensure cross-Atlantic trade that complies with data regulations in all jurisdictions, and the creation of some kind of reference point that tech vendors can use to build effective privacy measures into their products. The most significant of these initiatives was a new data access agreement between the UK and the US. That's not to say that the new UK-US Bilateral Data Access Agreement will necessarily be a good thing. In fact, there have already been a number of complaints about it that have some merit.
The agreement will dramatically speed up investigations and prosecutions by enabling law enforcement, with appropriate authorization, to go directly to the tech companies to access data, rather than through governments, which can take years. The agreement was signed in Washington DC by US Attorney General William P. Barr and the UK Home Secretary, the person responsible for internal security in the UK.
While the motivation is to stop internet-driven crime including terrorism and pedophilia, it is not entirely clear how this is going to fare in the courts in either the UK or the US.
The current process, which sees requests for communications data from law enforcement agencies submitted and approved by central governments via mutual legal assistance (MLA), can often take anywhere from 6 months to 2 years. Once in place, the agreement will see the process reduced to a matter of weeks or even days.
Facebook Refuses to Open ‘Back Door’
No one in either jurisdiction is arguing that law enforcement should not have access to data relating to criminal activity, but the way that this will happen is causing concern. Facebook’s Mark Zuckerberg has already said that the company will not compromise the privacy of billions of users by building “back doors” into WhatsApp and other apps.
It is not entirely clear how, or even if, this "back door" will work, but previous reports suggested the agreement would require social media firms to build “back doors” into messaging apps in order to assist with investigations. This would require firms like Facebook to backtrack on numerous privacy and encryption pledges by redesigning how messages are sent and received.
In essence this would disclose the content of encrypted messages, or provide agencies with a key to decrypt messages. In a statement issued to the UK’s Independent newspaper, Facebook said, “We believe in the right for people to have a private conversation online. End-to-end encryption helps protect that right and is fundamental to the value we provide to over a billion people every day. We oppose government attempts to build backdoors because they would undermine the privacy and security of our users everywhere.”
It would be a mistake to think, though, that the public was rallying to back Facebook on this. Some organizations, like the National Society for the Prevention of Cruelty to Children, have already welcomed the agreement (for obvious reasons) despite the possible implications for privacy and for the relationship between the public and data-driven organizations.
What's likely is that this will end up in the courts in much the same way that Microsoft went to court to protect the emails of a known criminal that were stored in one of its data centers.
After five years of court hearings that went all the way to the Supreme Court, the issue was finally resolved by Congress, which in March last year passed the Clarifying Lawful Overseas Use of Data Act (or CLOUD Act) that requires a US-based company to turn over the stored electronic data, regardless of where the data is stored, if served with a warrant, although there were caveats.
Microsoft Turns to the Courts Again
That should have ended the matter, and to a certain extent it did. However, there are still legal problems ahead, with Microsoft once more turning to the courts to clarify the rights and privileges surrounding data.
The recent legal spat between Microsoft and the courts goes back to Sept. 5, 2018, when Microsoft challenged a secrecy order issued by a federal magistrate judge in Brooklyn, N.Y., in connection with a federal national security investigation.
The secrecy order prevented Microsoft from notifying the enterprise customer that it had received a warrant seeking its data.
A recent, revealing blog post about the issue by Dev Stahlkopf — corporate vice president and general counsel at Microsoft — outlined not just the company's position in this case, but also its position in relation to data. She wrote, “We believe customers have a right to know when law enforcement requests their email or documents, and we have a right to tell them. The reason is simple — we believe our customers own their data and have the right to control it. Absent extraordinary circumstances, government agents should seek data directly from our enterprise customers, and if they seek our customers’ data from us, they should allow us to tell our customers when demands are made.”
There are dozens of implications in this statement, but the bottom line for Microsoft is that customer data is inviolable.
And the company went back to court to fight. Microsoft argued to the court that there must be an executive or representative of the company — which has thousands of employees — who can be notified of the warrant’s existence, without jeopardizing the federal law enforcement investigation. The lower court denied its effort to modify the secrecy order to permit that notification.
Microsoft has now challenged that order in the lower court, and says it will pursue an appeal in the appellate court if necessary. “When law enforcement seeks access to a customer’s data, our thorough review of law enforcement demands helps ensure that governments are respecting the rights of internet users around the world. We take this responsibility seriously, and have repeatedly called for principles to govern law enforcement access to data in the United States and internationally,” the blog concludes. It is clear even at this point that this is only the start of another legal battle in the US courts over data, data privacy and data access.
The Value of Data in California
So is it worth it? Do the economics of data protection add up for enterprises? There are, of course, advantages and disadvantages, according to new research released by California’s Department of Finance. The research found that organizations across California, and globally, may have to pay up to $55 billion in initial compliance costs as a result of California’s new privacy bill.
The introduction to the research, entitled Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations, points out that firms may have to pay up to $55 billion in initial compliance costs when the bill comes into force Jan. 1, 2020.
California is the fifth-largest economy in the world, with a sizeable market leading the development of new technologies, the research reads.
The state is also home to many businesses that have capitalized on the collection of private data from consumers. With the sophistication and scope of technology and data increasing daily, so has the extensive and intensive collection of consumer information by businesses. To keep compliant, the researchers estimate that firms on the low end of the scale with fewer than 20 employees might have to pay around $50,000 at the outset to become compliant. On the high end, firms with more than 500 employees would pay an average of $2 million in initial costs, the researchers estimated.
The $55 billion researchers estimated companies will initially pay to become compliant is equivalent to about 1.8% of California’s Gross State Product in 2018.
In addition, total compliance costs for all companies subject to the law could range from $467 million to more than $16 billion over the next decade.
In its present form, the bill, much like GDPR, gives citizens of California the right to be informed about how companies are harvesting their information as well as the right to ask to have their personal information deleted. The law applies to businesses that:
- Generate annual gross revenue over $25 million.
- Earn at least half of their annual revenue from selling customers’ personal information.
- Buy, sell or share personal information from at least 50,000 consumers, households or devices.
According to the research this could impact as many as 75% of California businesses earning less than $25 million in revenue.
However, it may not be as expensive as originally thought to get compliant. In the run-up to the passing of GDPR last year, organizations all over the world spent millions to introduce privacy protections so as to be able to work in the EU. It seems that large parts of the California act were inspired by GDPR, and that organizations may be far more advanced than they thought.
This will be a relief for companies outside of California too as talk about a federal law covering the entire country is already focusing on the California act as a possible base for any new national laws.
One other point worth noting is that the EU currently estimates the average incremental compliance costs for the GDPR are about €5,700 annually (nearly $6,300). The report adds: “Over a year after the introduction of the GDPR, concerns regarding its impact on larger firms appear to have been overstated, while many smaller firms have struggled to meet compliance costs. Resources explain this dichotomy as large technology companies are often several steps ahead of both competitors and regulators.”
GDPR Is Good for Business
So we arrive back at GDPR. There is no getting away from it, nor should your organization try to. In fact, Capgemini has found in a new survey that organizations that are GDPR compliant are also performing better than others.
In the new report from the Capgemini Research Institute, Championing Data Protection and Privacy, the company said it wanted to assess the current state of play and compare and contrast the characteristics of firms that are compliant with the regulation against those that are not. The research found that:
- Compliance is below par — fewer than 30% of companies claim to be compliant with the GDPR.
- Achieving compliance is no mean feat — legacy IT systems emerge as the biggest challenge.
- Proactive compliance brings benefits — including positive impact on the organization’s revenues, customer trust, brand image and improved cybersecurity practices.
For those that are compliant the rewards are already starting to become evident. The company polled 1,100 senior executives in various industries (insurance, banking, consumer products, utilities, telecom, public services, healthcare and retail) in multiple countries.
It then compared the performance of GDPR-compliant organizations against those that were not compliant or only partly compliant. And here are some of the noteworthy unexpected secondary results of GDPR compliance:
- 81% said that the GDPR has had a positive impact on the organization’s reputation/brand image.
- 84% said trust had increased.
- 76% had seen a revenue increase, with strong performance driving benefits such as greater customer loyalty and increases in online purchasing.
- 81% of compliant organizations said the improved consumer trust and satisfaction had a positive impact on targeted leads for marketing.
- 80% of compliant firms agree that the number of data subjects targeted in campaigns has increased thanks to the GDPR, compared to 57% of non-compliant firms.
- Online purchases have increased since the GDPR went into effect for 83% of compliant firms, compared to 63% of non-compliant firms.
From this you can draw your own conclusions, but it seems clear that GDPR compliance is good for business.
Brexit Is Coming
Finally, it just wouldn’t be a week, or month, in Europe without mentioning Brexit, the popular term for Britain’s likely exit from the European Union. There are literally hundreds of regulations and standards that are likely to change as a result of this, which is now mooted to happen at the end of January.
However, the British government this month reassured businesses that even if Britain leaves without an agreement with the EU, it will still maintain both the spirit and letter of the regulation once Britain is no longer a member.
A statement from the UK government said that although GDPR is only technically applicable to EU member countries, the UK was one of GDPR’s leading proponents when it was first introduced. Thus, organizations that already comply with GDPR will still need to take action if they receive personal data from the European Economic Area (EEA).
The statement reads: "There will be no immediate change to the UK’s data protection standards. GDPR will be brought into UK law and the Information Commissioner will remain the UK’s independent supervisory authority on data protection."
At least there is that. In the event of Brexit, however, it remains to be seen how British courts will apply GDPR and, in the event where the courts don’t apply the EU law, what exactly the EU can do.