Data Privacy Musings, February 2016

The global Data Privacy landscape is currently a fairly chaotic, uncertain place – certainly the Snowden revelations, along with Wikileaks and similar, have sparked all sorts of questions around who has access to what; global surveillance, monitoring and encryption have been hot topics for Silicon Valley and global governmental leaders (see “There is no ‘compromise’ in encryption debate between Silicon Valley and government leaders”), and now we see these issues once again knocking at our front doors. This is not exactly breaking news, as Data Privacy has always been a concern of business and technology professionals; however, the issue is seeing much more media coverage today than previously, which is resulting in more scrutiny and attention by both clients and regulators alike.

Safe Harbor no more

For example, in October last year (2015), something called the Safe Harbor Agreement was invalidated by the European Court of Justice (“Europe’s Top Court Strikes Down ‘Safe Harbor’ Data-Transfer Agreement With U.S.”, TechCrunch); some 4,700 companies relied on Safe Harbor to operate businesses that handled European data in the US, hence the ruling was met with a fair amount of alarm. Recently, a new transatlantic data transfer deal was announced between the EU and the US – “Privacy Shield Data Transfer Deal To Replace Safe Harbor” (this does beg the question, will there now be ‘Agents of Shield’?). This new agreement is essentially proposed to act as a more robust, tighter Safe Harbor, but already critics are voicing their concerns. MEP Jan Philipp Albrecht had this to say –

“The EU Commission’s proposal is an affront to the European Court of Justice, which deemed Safe Harbor illegal, as well as to citizens across Europe, whose rights are undermined by the decision. The proposal foresees no legally binding improvements. Instead, it merely relies on a declaration by the US authorities on their interpretation of the legal situation regarding surveillance by US secret services, as well as the creation of an independent but powerless Ombudsman, who would assess citizens’ complaints,”

What is clear, from both Albrecht’s statement and general chatter around the topic, is that global content corporations and SMBs will need to remain highly flexible in their architectural planning, and be able to adapt rapidly to changing laws. From a technology standpoint, this is a significant challenge, and is especially critical given the trend towards cloud computing. Cloud hosting can potentially remove the technical headache and cost of management for technology departments (although these functions would still be ultimately responsible for the security of the content – who holds the right to what information, and where that information is physically located). For most businesses, though, this would mean a significant change in how end users perceive the security of content – public & hybrid cloud configurations still harbor concern for many clients and content owners, and require more of a cultural change than anything else.

GDPR, and Global Data Protection

Data Privacy also presents a significant logistical, process and regulatory challenge, as well as the multi-faceted technological challenge businesses are faced with. In addition to compliance with the likes of the incoming GDPR (and global equivalents), there are a multitude of Laws & Regulations and Guidelines on the Protection of Privacy and Transborder Flows of Personal Data which need to be adhered to. To give an idea of how complex all of this really is, check out the below provisions introduced by the upcoming GDPR (source: Data Privacy Monitor) – this is merely an extract of key provisions financial institutions will need to consider once the GDPR goes ‘live’:

  • The law applies to any controller or processor of EU citizen data, regardless of where the controller or processor is located. (Under the 1995 Directive, only controllers were directly liable.)
  • EU Data Protection Authorities have been given new powers, including the ability to fine organizations up to 4% of their global turnover for violations of the new GDPR provisions.
  • In the event of a data breach creating risk to the “rights and freedoms” of EU citizens, notification must be made to the relevant data protection authorities within 72 hours of discovery of the breach.
  • Personal data of EU data subjects should only be collected for “specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.”
  • Processing of EU citizens’ data will only be lawful if the processing is done in accordance with one of the following 6 grounds: (1) with explicit consent of the data subject, (2) to perform a contract, (3) to comply with a legal obligation, (4) to protect the vital interests of the data subject, (5) to perform a task in the public interest, or (6) where “necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, in particular where the data subject is a child.”
  • A data subject’s consent will be invalid if the controller requires consent for the provision of a service where the processing of personal data is not necessary to the actual performance of the service or contract.
  • Data controllers must provide any information they hold about an EU citizen free of charge and within one month of request.
  • EU citizens have a “right to erasure,” which requires data controllers to delete personal data if: (1) the data are no longer necessary in relation to the purposes for which they were collected or processed; (2) the data subject withdraws consent on which the processing was based and there is no other legal ground for processing the data; or (3) the data were unlawfully processed, among other grounds.

Now consider that this is but one regulation (albeit a far-reaching one) – take a look at Forrester’s Global Data Protection and Privacy Heatmap; this provides a snapshot of global data protection and privacy requirements. It’s quite the minefield!

The Perception of ‘Privacy’

On the other hand, I can’t help thinking that perhaps many of these issues will simply dissipate over time, as society evolves (relaxes?) its thinking around privacy in general. I’ve had many conversations with individuals in the Generation Z demographic, and they generally are less concerned around where and how their PII data is utilised, more around how they can leverage their own data for their personal gain (whether that be ‘selling’, or promoting in some manner). It is these same individuals that will be running the corporations of tomorrow, setting the appropriate laws and outlining guidelines, so perhaps much of this will simply cease to be an issue. That’s not to broadly paint Generation Z with a brush of indifference around privacy and confidentiality, it’s just that perhaps their baseline is more transparent than my own; Gen Z is generally much more tech savvy when it comes to online privacy, opting for tech such as biometrics over passwords, anonymous chatting apps over email, or simply understanding the privacy settings of social media. An article I read a while ago included an amusing quote that resonated (being a Gen Y-er myself):

“As far as privacy, they (Generation Z) are aware of their personal brand, and have seen older Gen Y-ers screw up by posting too openly,” (http://www.nytimes.com/2015/09/20/fashion/move-over-millennials-here-comes-generation-z.html)

The Data Privacy Advantage

There is no panacea here – organizations will simply need to remain diligent, flexible and able to adapt rapidly to changes in the privacy landscape – simply demonstrating competence in this space will be a good start, to ensure that regulators and auditors recognize efforts to remain in compliance, but obviously with the ultimate overarching goal of staying one step ahead of any more impactful, legal requirements.

Business & technology leaders need to balance functionality with security – laws and regulations cannot be so stringent as to suffocate commerce (and innovation), but equally they must protect commercial and individual interests; companies investing in data can no longer focus only on the value of content, they must also consider how it is protected.

But this same focus on protection, provenance, auditing and reporting of data can be considered a competitive advantage – the differentiator between two seemingly identical content providers could easily come down to the privacy policies, robustness and transparency offered by the vendor(s).

Perhaps we shouldn’t see data privacy legislation as simply something to be compliant with, but also as another way to compete – this opportunity will likely dissipate over time, as the privacy landscape settles and commodity solutions emerge, but in the interim, early adopters, contributors and champions of data privacy could well enjoy a considerable advantage in the market.

With the astonishing growth of global data & content, advances in technology and new, disruptive innovation we’re seeing in commerce, 2016 is set to be a fascinating year for data privacy.