Sixteen months ago, the European Parliament implemented the General Data Protection Regulation (GDPR) 2016. GDPR is a regulation on data protection and privacy for all individual citizens of the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU.
The result of four years’ work, the idea was to move European countries into the digital age while at the same time protecting the privacy and use of personal data. While the regulations concern all organizations doing business in the European Union, it had a particular impact on the tech industry, especially those tech companies that are developing and building technologies that aim to squeeze insights from personal data gathered across literally millions of digital touch points across the web.
In the original regulation, Article 4 defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’).” It adds that:
“…an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The regulation also pointed to circumstances where personal data could also include IP addresses and mobile device IDS, and outlined the concept of pseudonymous data, or data that could not be identified without some additional information. Under certain circumstances, personal data includes online identifiers such as IP addresses and mobile device IDs. Similarly, the GDPR introduces the concept of ‘pseudonymous data’ — personal data that cannot be attributed to the data subject without some additional information.
In practical terms this means an awful lot of personal data. Take Google for example. Explaining what it does and doesn’t collect in its Safety Center, Google wrote:
“When you use our services — for example, do a search on Google, get directions on Maps, or watch a video on YouTube — we collect data to make these services work better for you. This can include:
- Things you search for.
- Videos you watch.
- Ads you view or click.
- Your location.
- Websites you visit.
- Apps, browsers and devices you use to access Google services.
- Information you create or provide to us.
The company adds that when you sign up for a Google Account, you provide personal information. If you are signed in, “we collect and protect information you create when using our services.” This can include:
- Your name, birthday and gender.
- Your password and phone number.
- Emails you write and receive on Gmail.
- Photos and videos you save.
- Docs, Sheets and Slides you create on Drive.
- Comments you make on YouTube.
- Contacts you add.
- Calendar events.
And this is only one company, albeit a big one. Since GDPR has been introduced, many tech companies have tried to balance the regulations with the practical need to use personal data.
The Struggle for Privacy
The technology has been successful to a certain extent, but many enterprises are still struggling. In recent research, carried out by the Ponemon Institute and the international legal firm McDermott Will & Emery, a survey of more than 1,000 companies in the United States and European Union, showed that nearly 50% of respondents experienced at least one personal data breach that was required to be reported under GDPR. Furthermore, only 18% of organizations were highly confident in their ability to communicate a reportable data breach to the relevant regulator(s) within 72 hours of awareness
The report showed that most companies missed the GDPR deadline last year and many are renewing their GDPR budgets accordingly. A number of organizations had GDPR data breaches required to be reported to regulators. Most striking, 45% more US companies reported GDPR cyberattacks than other regions.
And this is only the beginning. While most of the focus on GDPR has been on the exchange of data between the US and Europe, there are other jurisdictions governed by the regulation.
According to the report, Chinese and Japanese respondents lag in their GDPR efforts. Only 29% of the Chinese respondents and 32% of Japanese stated that they were fully compliant with the GDPR, more than 10% lower than Western companies.
EU-US Privacy Shield in Question
This is not the only story in the data privacy world at the moment. While everyone’s attention was focused on GDPR, other regulations were under the microscope. It is often forgotten, for example, that the EU-US Privacy Shield is still in force, although how long this will continue remains to be seen.
The EU-US Privacy Shield is the mechanism to facilitate the transfer and processing of the personal data of individuals from the EU to and within the US. However, it is by no means certain that it will remain in place.
Access Now, an international organization that defends and extends the digital rights of users at risk has called on the European Commission to strike down the EU-US Privacy Shield.
In a recent letter to the European Commission, the organization wrote, "the Privacy Shield has manifestly failed to meet the standards set by EU law from inception to today."
The letter continues: “The EU’s reputation, leadership role and its influence are severely hindered by allowing incompliant arrangements like the Privacy Shield that manifestly fail to meet the standard of EU law and compromise rights and values. With the world watching, the EU cannot afford to contradict itself and let the United States continue to undermine human rights without consequence.”
It also cites the limited redress provided by the Privacy Shield Ombudsperson, increased US border surveillance, and the Cambridge Analytica scandal among the shortcomings in US privacy protection, as further reasons for its suspension.
The Privacy Shield is up for renewal next month, but this in the face of opposition from many privacy protection organizations across Europe. We will take a deeper look at this when it happens.
General US Privacy Regulation on the Way?
Europe is not the only geography that is concerned about data privacy. Over the past couple of years, a number of different privacy regulations have been introduced across the US, including the California Consumer Privacy Act (CCPA), which was introduced last year and will become law next year. The CCPA applies to any business, including any for-profit entity that collects consumers' personal data, which does business in California, and, like the GDPR, sets out protections for those that interact with businesses in California.
The problem now for the US is that it lacks a single, comprehensive federal law that regulates the collection and use of personal information. Instead, the government has approached privacy and security by regulating only certain sectors and types of sensitive information (e.g., health and financial), creating overlapping and contradictory protections.
Now, with their companies under unrelenting scrutiny over how they handle user data, Facebook CEO Mark Zuckerberg, Apple CEO Tim Cook and Google CEO Sundar Pichai have called for similar “comprehensive privacy legislation” on a federal level in an open letter to Congress on behalf of Business Roundtable.
The Business RoundTable is an association of CEOs of America’s leading companies working to promote a thriving U.S. economy.
The open letter was, in fact, signed by 51 tech companies and reads:
“Now is the time for Congress to act and ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws. Further, as the regulatory landscape becomes increasingly fragmented and more complex, US innovation and global competitiveness in the digital economy are threatened..
We urgently need a comprehensive federal consumer data privacy law to strengthen consumer trust and establish a stable policy environment in which new services and technologies can flourish within a well-understood legal and regulatory framework.”
This is a marked step forward in the process of developing US privacy legislation. In February, the US Government Accountability Office published a 56-page report advocating to Congress the development of internet data privacy legislation to enhance consumer protections, similar to the GDPR.
The report was approved by lawmakers and now the US Congress is working on legislation similar to GDPR. It is unclear when legislation will complete, but with pressure from the tech industry looking to assuage consumer concerns over privacy, it is likely that progress will be rapid.
Data Transfer Initiative Grows
In the meantime, tech companies have been developing their own initiatives to tackle the problem, the Data Transfer Project (DTP) is one such initiative. Launched in 2018, DTP aims to create an open-source, service-to-service data portability platform so that all individuals across the web could easily move their data between online service providers whenever they want.
Initially, it consisted of Google, Facebook, Twitter, Microsoft among others, but not Apple. However, in a statement updating the position of the DTP, the organization explained that Apple has officially joined the project.
So how does it work? DTP uses services’ existing APIs and authorization mechanisms to access data. It then uses service specific adapters to transfer that data into a common format, and then back into the new service’s API.
This means that currently, user can download pictures, ideas and other data directly to the hard drive, however, the data sharing project helps all users of these five tech companies transfer data however they want with no fear of data leakage or data loss at all.
Currently, the DTP has 18 contributors. Their partners and open-source community have inserted more than 42,000 lines of code and changed more than 1,500 files in the Project. But it’s not finished. “We are continually making improvements that might cause things to break occasionally. So as you are trying things, please use it with caution and expect some hiccups,” the website reads.
Finding a Tech Solution to Data Privacy
Then there are the individual tech solutions that aim to protect consumer data and provide an experience that promote confidence in that vendor. Only this week, IBM announced the release of IBM z15, a new enterprise platform delivering the ability to manage the privacy of customer data across hybrid multicloud environments.
According to Big Blue, with z15, enterprises can manage who gets access to data via policy-based controls, with an industry-first capability to revoke access to data across the hybrid cloud.
The release of this platform is driven by the knowledge that the movement of data between partners and third parties is often the root cause of data breaches. In fact, 60% of businesses reported they suffered a data breach caused by a vendor or third party, according to the Ponemon and Opus 2018 Data Risk in the Third-Party Ecosystem: Third Annual Study. With the growing adoption of hybrid multicloud environments, the importance of maintaining data security and privacy only grows more acute and challenging.
The IBM z15 culminates four years of development with over 3,000 IBM Z patents issued or in process and represents a collaboration with input from over 100 companies.
It is not the only such release — there are literally dozens of them every month — and to understand how enterprises are managing data privacy (or not managing it as the case may be) we will be taking a monthly look at some of the releases, research into privacy and, when it happens, legal changes that occur as enterprises look to tackle the issue of privacy. If you have any subjects that you feel should be covered please email: [email protected]