We’ve seen France’s data authority, CNIL, level €50 million in fines at Google for violating the General Data Protection Regulation (GDPR) thanks to a Not Your Own Business (NOYB) and La Quadrature du Net filing. NOYB, the nonprofit European center for digital rights, filed a fresh suit against eight major tech players (see chart below). Max Shrems, NOYB Director, also sank the U.S. Safe Harbor law and challenged Privacy Shield and still has additional projects in play. While not every company is a Google or an Amazon, these fines establish precedence that can easily be applied to other organizations.
Every day plenty of scare tactics and odd products (like GDPR shredders and recycling bins marked “confidential”) likely land in your inbox under the guise of GDPR compliance. But now that we’re seeing major fines, we thought it was time to take a realistic look at data privacy impacts companies can expect as they move through 2019 and prep for 2020.
"A realistic look at data privacy impacts companies can expect as they move through 2019 and prep for 2020."
EDITOR’S NOTE: Each regulation/law has minimum sizes for impacted organizations. Please check each for specific details.
Brexit Possible ‘No Deal’ (March 29, 2019): The proposed withdrawal agreement would have protected data transfers between the UK and the EU through December 2020. If the UK leaves the EU without a deal in place — and this seems likely, see the next paragraph — this leaves international data flows in jeopardy, with an inadequacy ruling for the UK.
ComputerWeekly reports that the Jonathan Bamford, director of strategic policy at the Information Commissioner’s Office told a Westminster eForum event on GDPR in London that the UK government and the EU believe a “magic adequacy agreement” is unlikely. “So you need to think about what the situation will be if there isn’t an implementation period as the result of a withdrawal agreement — a no-deal Brexit — and you need to prepare for that.” Organizations may find this IAPP article on impacts of a ‘No Deal’ useful.
Impacts: Companies transferring data from, to, or through the UK.
ePrivacy (late 2019 possible): Data privacy is covered under GDPR, but also under upcoming ePrivacy regulations, expected to come into force sometime during 2019. The tech industry continues to express concerns that the regulation replaces the EU directive on telecommunications, but also includes digital communications, is much too strict. Cookies, consent, data collection should sound familiar to anyone having dealt with GDPR, however, ePrivacy reportedly places electronic communications under a stricter set of rules than other personal communication, reports IAPP. Once a final draft is accepted, organizations doing business with the EU will need to revisit data privacy policies.
Impacts: Organizations doing business with the EU and/or EU citizens
California Consumer Privacy Act (CCPA) (six months after publication of the Calif. Attorney General's implementing regulations, or July 1, 2020, whichever comes first): “Nobody should assume that being GDPR compliant makes them CCPA compliant,” says Lydia de la Torre, CIPP/US in a Privacy Tracker Post on CCPA and GDPR for IAPP. She also notes that the CCPA definition of personal data is broader than that of GDPR. “As the first U.S. attempt at a comprehensive data protection law, the CCPA has the potential to become as consequential as the GDPR. After all, California is the fifth largest economy in the world, the home of many technology titans, and traditionally a trend-setting state for data protection and privacy in the U.S.” The rapid adoption of the law, which was passed after only a week of debate indicates that legislators are looking to show action in the face of increasing mega-breaches.
Impacts: Companies doing business with California citizens. Also, the law is frequently put forth as a potential model for a U.S. data privacy law.
Cross-Border Data Transfer Pact/Privacy Shield: GDPR compliance has reportedly diminished the value of the EU-US Privacy Shield, which is a cross-border data transfer pact that allows the flow of data between participating EU countries and the U.S. Threatened over the summer, the voluntary program got a recent boost with the news that DocuSign’s former CEO Keith Krach may come on as ombudsperson for the pact. Shrems (the guy who brought down Safe Harbor and runs NOYB), is also challenging Privacy Shield for the way that personal data is transferred from the EU to the U.S. How the ruling plays out will have implications for the thousands of companies that rely on trans-Atlantic data transfers. Most recently, the Irish Supreme Court agreed to hear Facebook’s appeal after acknowledging the complexity of the law. At publication, the court had yet to rule.
Impacts: U.S. companies transferring data across the Atlantic.
EU Data Protection Supervisors Management Strategy (2019 Priorities): EU’s Data Protection Supervisor, Giovanni Buttarelli, listed several priorities for 2019 while responding to the news that the U.S. had put forth an ombudsperson for Privacy Shield, including “digital ethics, better cooperation with national Data Protection Authorities (DPAs), identifying Artificial Intelligence threats to society, and finding closer alignments between consumer law, data protection and competition rules,” reports Euractiv.
Impacts: Companies with EU customers and/or doing business in the EU + possibility that these new standards could influence data privacy in other regions.
Plus a reminder: Canada - Personal Information Protection and Electronic Documents Act (PIPEDA) (November 2018). This data law update includes new consent guidelines that went into effect in November of 2018.
"The shift from legal to technical data privacy compliance — and how you can mitigate increasing consequences."
What is Acting in ‘Good Faith?’
GDPR and other data privacy fines aren’t leveled automatically with each violation. The bodies have leeway to weigh whether or not an organization was “acting in good faith.” Whether or not the deciding bodies have an understanding of all that goes into being compliant can be debated, but they do get that, for many organizations, compliance can be a massive undertaking.
As legislators move towards increasing consequences for putting personal data at risk, what does “acting in good faith” look like? As we moved toward the deadline for GDPR in 2018, many companies handed GDPR to their legal teams to interpret the regulation in the absence of precedence, taking a “wait-and-see” approach by making the minimal necessary tech investments towards compliance.
Meanwhile, 2018 saw breaches from a host of big brands and lots of talk about the need for additional data privacy laws. Comments from Forrester on the Marriott Mega-Breach lend insight into why the global public and legislators are losing patience: “As the case has been for nearly every other mega-breach in recent history, the methods that the attackers used to exploit this system weren’t magic or exceedingly advanced. Basic database security protocols, good authentication, minimization of lateral movement, and an understanding of how to apply technology strategically would have made a big difference.”
Paralleling the breach consequences of missing the basics are companies that are perceived to be taking advantage of their customers. CNIL’s €50 million GDPR fine against Google wasn’t for a minor violation. The finding cited Google’s violation of transparency, information, and consent. “The violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” CNIL wrote in the filing.
And older data laws can have current implications. Illinois’ Biometric Information Privacy Act (BIPA) says that individuals have the right to control their biometric information: fingerprints, iris scans, etc. A lawsuit started in 2014 found that Six Flags Amusement Park cannot collect thumbprints without consent, upholding what Gizmodo called one of the most “rigorous” data laws in the United States.
A Federal data law for the United States is looking increasingly likely. U.S. Senator Marco Rubio (R-Fla.) recently introduced a Federal bill designed to provide national data privacy legislation. Backing legislative interest is Apple CEO Tim Cook’s earlier proposal for a U.S. privacy law and Microsoft CEO Satya Nadella’s recent statement that privacy is a “human right” while calling for “global GDPR.” Meanwhile, U.S. Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) are seeking the power to penalize breached entities under Data Breach Prevention and Compensation Act.
In this current environment of consequences, moving from legal-focused compliance to addressing the legacy technical challenges involves assessing risk and deciding how to manage it.
In 2018, Ponemon reported that data breaches averaged $3.86 million with mega-breaches (defined as greater than 1 million records) costing companies nearly $40 million. But that was before GDPR and its 72-hour reporting requirement. Calculating the potential cost of a breach has become more complex (Although recent news that Twitter is being investigated regarding its Jan. 8, 2019 breach notification may set precedence.
Now says Ian Thornton-Trump, head of cybersecurity, AMTrust International, speaking with Bank Info Security, we’re seeing a body with broad authority level fines. The ICO can refer companies for potential criminal charges if they notice something during their full access to company records during an investigation. Shorthand? Breaches are likely to become more expensive.
And there’s some question over whether or not English law permits insurance companies to cover fines leveled under GDPR because in some instances, the breach/lack of compliance may prove to be “quasi-criminal,” says The National Law Review.
What You Can Do About It
Investigations from a variety of regulatory agencies and insurance companies and class-action lawsuits can mean that a company may see financial and brand impacts from five or six investigations, says Thornton-Trump, but it may take years to play out. Meanwhile, your company’s tech team will likely have moved through multiple tech lifecycles.
Ransomware, breaches, compliance issues all add complexity to an already challenging process, but they also provide concrete reasons to justify preventative measures as well as cleanup costs. Merck, for example, says Thornton-Trump, rebuilt their entire network for $250 million after facing down WannaCry Ransomware.
For ongoing regulatory action, proving “due diligence” is critical. “Being compliant is not good enough. Maintaining compliance is really the key,” Thornton-Trump told Bank Info Security. And maintenance requires ongoing action.
If you’d like to learn how streamlining identity can help support your ongoing data privacy efforts, please reach out to firstname.lastname@example.org.
Auth0 provides a platform to authenticate, authorize, and secure access for applications, devices, and users. Security and development teams rely on Auth0's simplicity, extensibility, and expertise to make identity work for everyone. Safeguarding more than 4.5 billion login transactions each month, Auth0 secures identities so innovators can innovate, and empowers global enterprises to deliver trusted, superior digital experiences to their customers around the world.