Facebook’s data harvesting scandal rocked the privacy world earlier this year, in part because the incident occurred at a time of increased scrutiny and emphasis on the global privacy and regulatory landscape.
I, along with many of my peers in the privacy profession, believed these privacy issues had the power to sink the company as a whole. However, we found that Facebook, along with many consumer-facing brands, has a bigger issue on its hands.
Because tech giants and other large organizations have not historically been transparent with consumers about how and why they were using and sharing their data, and because consumers are becoming increasingly aware of the impact these practices may have on their own lives, these companies now face a crisis of trust and confidence among their users and other consumers.
As a result, building privacy and security by design and default into companies’ core business models has become, and will continue to become, increasingly critical. Here’s how Facebook’s Cambridge Analytica scandal may have significantly impacted two important pieces of privacy legislation, the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, as well as the privacy and security controls of companies around the world.
Heightening GDPR Awareness
While GDPR was years in the making, data breaches and cyber-attacks at prominent companies, along with questionable data sharing practices (like those uncovered in Facebook’s Cambridge Analytica data harvesting scandal), influenced the attention given to GDPR and the plans of regulators to bring enforcement actions under GDPR moving forward. In today’s climate, both consumers and regulators have become increasingly skeptical of the promises businesses continue to make about the use of customers’ personal information, often without their consent. Additionally, regulators in particular are worried about the adequacy of security and data protection controls that companies are implementing.
Because of this, it’s highly likely that Facebook’s Cambridge Analytica scandal and other recent, high-profile data breaches had a significant impact on the way GDPR controls will be enforced and implemented by both regulators and organizations around the world. At a minimum, the scandal may have accelerated investigations and enforcement actions that European Data Protection Authorities (DPAs) may have otherwise implemented with more restraint. It also may prompt the US Federal Trade Commission to take a swifter and more aggressive stance, depending on the findings of its investigation of Facebook.
And specifically, the widespread impact of GDPR has also affected Congress’s inquiry into Facebook’s wrongdoings. While Congress has already asked for documentation of Facebook’s privacy practices throughout the past several years, GDPR may also accelerate the cry for regulation of social media platforms, which has been ongoing practically since the inception of many of the sites.
Easing the Passage of the California Consumer Privacy Act
In what is likely one of the most significant changes to North America’s privacy landscape in recent years, the California state legislature recently passed AB 375, also known as the California Consumer Privacy Act of 2018. Without a doubt the strictest privacy bill in US history, this new law has already had an immediate impact on companies worldwide, even though it won’t go into effect until Jan. 1, 2020 (and could potentially be amended before then).
The California Consumer Privacy Act provides new rights for consumers that in many ways are very similar to those granted to European residents under GDPR. It will also require California-based organizations (including many tech giants, like Facebook, that are headquartered in the state) to obtain explicit consent from users before sharing their data with, or selling it to, vendors, providers and partners.
The evolution of this law isn’t entirely surprising, especially after Facebook’s scandal and considering the fact that the tech giant is based in the state. However, it is an important first step for regulators and American organizations in prioritizing consumers’ rights and ownership over their own data and privacy.
Moving Closer to Consumer Data Protection
The biggest question mark surrounding Facebook’s data sharing practices is whether they would have caused the same amount of widespread outrage had the actual events taken place in a post-GDPR world. Because the data was harvested years before GDPR was implemented, and the situation is far from black-and-white, it’s unclear who will be found to be at fault and for what charges.
Moving forward, however, there are regulations being introduced and implemented (like California’s new privacy law) that will make the processing of data, along with the relationships of and cross-liabilities between companies and their business partners, more secure and heavily regulated. One such example is the ePrivacy Regulation, which will update the ePrivacy Directive and may likely regulate all electronic communications.
As a result, GDPR and the California Consumer Privacy Act are hardly the last opportunities for regulators and consumer advocacy groups to ensure that companies’ business practices appropriately conform to societal expectations of personal data privacy and individual rights. And while the regular practices of companies like Facebook have now been exposed, and data breaches that have impacted companies like Equifax, Target, Sears and Panera have been very damaging to consumers, they have also moved the world closer to a regulatory environment where companies must do the right thing and actively work to change privacy laws to further protect consumers.