“Data protection is necessary to protect democracy. Human beings must be at the centre of technology development,” said Viviane Reding, the Member of the European Parliament who oversaw the original drafting of the GDPR, among other remarks at the Global Privacy Summit, hosted by the International Association of Privacy Professionals (IAPP) in Washington, D.C.
Birgit Sippel, the European Parliament rapporteur for the ePrivacy Regulation, also delivered a forceful message to the U.S. audience and its industry: “if you want to play in our backyard, you have to play by our rules”.
As expected, during the two-day event most of the attention was focused on the new EU General Data Protection Regulation (GDPR) and what to expect when it comes into effect on May 25th. Additionally, discussions on the importance of data ethics, algorithm bias, and transparency provided a good opportunity for the audience to reflect on the current Facebook-Cambridge Analytica scandal.
Yes, indeed, the GDPR is certainly shaking up industries around the globe, including here in the U.S., but what are the main areas of concern regarding this new regulation? During several panels, European regulators were faced with questions related to how Data Protection Authorities (DPAs) will handle enforcement actions, and about the effectiveness of the one-stop shop mechanism. Other specific questions were related to the implementation of consent, transparency, and legitimate interest principles under the GDPR. While regulators offered some reassurance that they will be conducting substantial analysis and they will be acting in a pragmatic, fair and proportional manner when enforcing these rules, they hesitated to provide specific guidance to comply with GDPR.
The ePrivacy regulation, to a lesser extent than the GDPR, was also discussed in several sessions. Birgit Sippel made a pitch about the importance of adopting a stricter communications regulation to preserve the “fundamental rights” of people when navigating online. Sippel said the ePrivacy regulation is intended to protect all types of communications services and goods, including telecommunications providers, ISPs, OTTs, IoT data transmissions, and so on. Differences between the GDPR and the ePrivacy regulation are related to the principle of consent. Sippel explained that online behavioral tracking will become completely illegal once the ePrivacy regulation becomes law. “We want to abolish the current form of surveillance-driven advertising”, she said.
Viviane Reding reminded the audience that the Snowden revelations broke the trust of European consumers, and that the GDPR was part of the political answer to bring back consumer trust while putting citizens back in control of their data. The Facebook-Cambridge Analytica controversy is another reminder that when data collection is used for obscure purposes, the notion that big tech companies can be trusted to regulate themselves is becoming more difficult to sustain. Reding hopes that the Cambridge Analytica scandal becomes a game changer like the Snowden revelations.
In the U.S., however, it is not yet clear if the pressure imposed by GDPR or the Cambridge Analytica events will bring enough traction on both sides of the aisle to trigger privacy and security legislation. During the panel “Legislative Update on Privacy and Data Security”, Cort Bush, of the U.S. Senate Committee on Commerce, Science, and Transportation, said that in the U.S. the privacy framework discussion is about three issues. First, the use and sharing of data by online platforms and by advertisers. Second, the elimination of the Obama FCC’s privacy regulation through the use of the Congressional Review Act. Third, GDPR. “In the last years, privacy has been one of the more partisan issues in the tech and telecom realm”, Bush said. While Republicans have proposed privacy legislation that would apply to both ISPs and OTTs, Democrats have not proposed or supported such types of legislation.
Last year, Republican Chairwoman Marsha Blackburn introduced the so-called BROWSER Act, which addresses the unlevel playing field of the Obama FCC’s privacy regulation that favored the opt-in model only for ISPs. The question remains whether the Facebook scandal would resuscitate this bill or whether Democrats will propose legislation (although Senate Minority Leader Chuck Schumer has signaled this might not happen before the mid-terms). Regarding enforcement actions against Facebook, there are several investigations underway, including at the Federal Trade Commission, at least sixteen user lawsuits, and inquiries from 37 state Attorneys General.
Lastly, the probability of passing data breach legislation is as slim as the probability of passing privacy legislation. Bush said that although members of the Senate are close to reaching an agreement on a legislative proposal to establish a national data breach notification and security standard, there are still longstanding, unsolved issues that make it difficult to see any progress in Congress this year. Further, the net neutrality debate has become very political and it is not helping to bring together members in Congress, he added. Tony Hadler, Senior Vice President at Experian, echoed Bush's comments, but added that converging events, such as the GDPR, as well as the continued proliferation and updating of state breach reporting and security laws, could expedite the legislative process.
The time seems ripe for a deep dive into legislative solutions that address the privacy and security concerns of U.S. consumers in the data-driven economy. And at a time when the world is waiting to see the economic and social impact of the GDPR, policy makers in the U.S. are paying close attention to these effects.