The controversial Apple and FBI matter – where the FBI sought to compel Apple to unlock an old iPhone model as part of a domestic terrorism investigation – has already become old news.
In the EU, terrorism in Brussels and Paris is forcing uncomfortable and morally difficult conversations about security, privacy, and fundamental human rights.
While I am optimistic that we will arrive at a good place, the EU is enacting a flurry of powerful new privacy laws that will impact us all.
General Data Protection Regulation (GDPR)
On the 14th April 2016, the EU Parliament formally adopted the GDPR; another legislative step in the multi-year process to overhaul the EU’s disparate data protection laws.
The next step will be for the GDPR to be officially published, translated, and put to print in the Official Journal of the European Union, hopefully by June.
Just 20 days following that, the two-year countdown to the GDPR taking effect will commence.
As the GDPR winds its way through the end of this legislative process, it’s important to note how much work organisations will have to complete during this small two-year window.
It will strengthen the individual’s control over their personal data by new rights that will be bestowed upon EU citizens, such as the right to data portability and the right to be forgotten (erasure).
On the flip side, organisations will have new codified obligations to honour the individual’s rights, and these obligations will force companies to create new privacy-centric business processes – no easy task in the best of times.
For example, the quaint notion of “bundled” consent – those dense, unreadable Terms and Conditions buried in the footer of a site that say use of the website constitutes consent to the company’s data practices – will no longer exist.
In its place, companies are going to have to give prominent notice and obtain a user’s consent when a person visits their website.
Other changes include more transparent privacy policies and the requirement to have processes for a person to access, review, and correct their personal data, as well as request that data can be easily transferred or taken from one service provider to another.
All of this, and more, needs to be considered, created, tested, and put in place by the time the GDPR takes effect. That means you need to start now.
Why is this important?
Namely because the EU’s data protection authorities have enhanced new enforcement powers that include the ability to penalise an organisation up to €20m or 4% of its annual global turnover, whichever is greater.
While the GDPR’s impact will be huge, at the same time, the evolution of the digital world continues to sprint forward.
Similar to the Berlin Wall, digital borders have come crashing down, allowing for the natural flow of data between Member States but also between the EU and the US, its largest trading partner.
Both economies are in fact dependent upon this fundamental notion.
However, the fledgling Privacy Shield – a heavily negotiated replacement to the invalidated US Safe Harbor Program – recently received a tepid review by the Article 29 Working Party (WP29).
The Privacy Shield at the highest level is a mechanism that allows organisations to transfer personal data about EU citizens to companies in the US.
It’s needed because the EU, for a host of reasons, has not recognised the US as a country that has “adequate” data protection laws, although the US does in fact heavily regulate data protection through a variety of laws and robust enforcement.
But because of this political fact, a negotiated agreement that created a mechanism needed to be put in place, thus the Safe Harbor Program (which became obsolete), and now the Privacy Shield.
Although many thought-leaders have concluded that the Privacy Shield provides essentially equivalent levels of data protection as EU law, the WP29 has chosen a more cautious route, one that whilst not rejecting it, also doesn’t endorse it.
I anticipate the Privacy Shield will be heavily challenged in the EU courts, but that it will ultimately prevail.
Any other result would have a tremendous negative impact on both economies, which no reasonable person could want.
On the 12th April 2016, the European Commission began its comprehensive review of the ePrivacy Directive.
Some call it the cookie law, which requires companies to give notice and get consent before they use any sort of tracking technologies or analytics tools when you visit their sites.
The Directive also restricts how telecom providers can treat or move electronic communications. The review aims to close any potential gaps between the ePrivacy Directive and the GDPR.
As a stakeholder in the process, I am aware how important it is to get it right.
Of concern to me is the separate notice and consent requirement the ePrivacy Directive has from the GDPR.
But I am also confident that the distinct transparency requirements between the two laws can be merged so the consumer can be well informed and make meaningful decisions that are best for themselves.