Did we see the start of a new global understanding of Data Privacy and Security?
by Antimo Fiorillo and Ben McPherson
If ever a governmental regulation could be said to be famous, the European Union’s General Data Protection Regulation (GDPR) probably comes the closest. Before going live this past May 25th, 2018, the GDPR had already been the subject of years of discussion and debate, with thousands of articles along the lines of “How to Get Your Business Compliant” and “Does the GDPR Apply to You?”. The broad scope of the regulation, the applicability it has to businesses outside of the EU, the size of the potential penalties (€20 million or 4% of global annual turnover), and the real potential for those fines and penalties to reach non-EU businesses, give it a reach and impact seldom seen. Meanwhile, even the most tech-illiterate data subjects may have gotten a whiff of change, as practically every email list and website rolled out new prompts and requests for consent for various processing.
Despite all this, you don’t have to look far to see businesses dragging their feet at adapting to new regulations, especially if those businesses aren’t based in the territory the regulation covers. Post-May 2018 was thus an interesting time as the world waited to see how tough enforcement would be and how it would take place.
This is exacerbated by the EU system of different national regulatory bodies with their own jurisdiction, creating a complicated framework for which the balance of power is still being worked out today. These various Data Protection Authorities (DPAs), like the UK’s Information Commissioner's Office (ICO) or France’s Commission Nationale de l'Informatique et des Libertés (CNIL) are under an EU body, the European Data Protection Board (EDPB). The EDPB issues guidelines to help the GDPR be applied consistently and effectively across the EU, but the primary responsibility for enforcement remains with the country agencies. For cross-border and international processing, there is a ‘one-stop shopping’ method to get a single authority to deal with a given case, but this has its own complications.
The GDPR’s evolution of enforcement
With all the hype and years of discussion, advocacy groups were ready to go on May 25th. Almost immediately, Max Schrems, the activist that was responsible for getting the EU-US Safe Harbour data protection framework killed, filed complaints in Austria and France against international supermajors including Google, Instagram, WhatsApp and Facebook over their consent provisions. This was in coordination with two data protection groups, La Quadrature du Net in France, and None of Your Business (NYOB) in Austria.
What followed was somewhat of a hush, as the world waited to see how these, as well as the many other complaints and potential enforcements against smaller players, would shake out. Regulators even made announcements that there was an unofficial period of leniency, with the CNIL saying that companies not yet fully compliant “can expect to be treated leniently initially provided that they have acted in good faith,” and the Dutch authority noting that “fines will only be imposed at the beginning if it is obvious something is very wrong”. [1] Authorities also needed to staff up, with the Irish DPA going from 30 employees in 2014 to 130 employees in 2018, for instance. [2]
The first enforcement press releases to come out, in late 2018, were not actually about the headline-grabbing cases against supermajors, but instead for Portugal’s national regulator fining a Portuguese hospital €400,000 for access violations—985 employees of the hospital had the access rights of a doctor, while the hospital had only 296 doctors on staff. This was followed by other small actions like Germany fining a social media platform €20,000 for storing passwords as plaintext, and Austria fining a small business €4,800 for CCTV cameras capturing too much public space.
While these cases may have seemed somewhat underwhelming, by the end of the year solid news emerged about DPAs flexing their authority, giving insight into the future of GDPR enforcement.
Carrots and sticks: Microsoft and Google
Though most of 2018 had been quiet, DPAs were indeed hard at work at those big cases. In early January, it was reported that the French CNIL had levied a €50 million fine against Google LLC, finding them guilty of “lack of transparency, inadequate information, and lack of valid consent regarding ad personalisation.” [3] The fine came as a result of those very first complaints levied by La Quadrature du Net and None of Your Business, and dwarfs the previous high-profile judgement of £500,000 levied against Facebook by the UK for the Cambridge Analytica scandal. [4]
The Google case demonstrates a few things, most importantly that DPAs are stepping up to take on the biggest alleged offenders. Beyond that, it offers important insight into how seriously DPAs are looking at ‘boring’ details. The nature of the complaint and eventual judgement is around those most ubiquitous parts of using the internet today: information notices, “I agree” consents, and the processing they are supposed to enable. While it was well known and frequently discussed that clarity and conciseness of notices was a point of emphasis in the GDPR, companies were feeling out where the exact line was.
In Google’s case, the CNIL judged that the information Google was conveying about their processing purposes (particularly for their ads) was scattered in different documents which did not allow the user to be fully aware of what they were consenting to. CNIL alleges that “it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.” [5] In other words, while Google collected user consent, that consent was not specifically informed, nor “specific” or “unambiguous”. It’s not enough just to have a checkbox or “I consent” button—this must be preceded by clear, unambiguous information that is specific about what users are consenting to.
Microsoft, meanwhile, is in GDPR-related hot water as well, as a report commissioned by the Dutch government alleges that the Office suite collects telemetry and other data from Office applications, transmits and stores that data in the United States, all without user consent. Differently from the French authorities, the Dutch are using this report to work with Microsoft to fix the issue. Microsoft reportedly committed to an improvement plan for its services in October 2018, to be completed by April 2019. The Dutch authorities are monitoring this compliance and reserve the right to pursue fines if Microsoft does not address the issue to their satisfaction.
While a complete comparison of these two situations is beyond the scope of this post, it illustrates the frustrations created by needing to deal with 28 [6] different data protection authorities. While the EDPB strives for standardizing approaches and focuses, each one of the 28 may have different priorities and goals, and lead to radically different outcomes for alleged violations. Is the Google judgement just a warning shot, or will everyone be treated like this? Will the EU go after European companies as hard as they did Google? It has been pointed out that many EU advertising companies are failing to obtain proper consent for their processing just like Google did, so, if there’s no action against some of them, it will be said that the regulation is being used for competition and not just privacy. If the GDPR is to be a key part of a new global privacy understanding, it needs to be seen as fair.
While there are many factors involved, one possible reason for more leniency in Microsoft’s situation has been their repeated calls for tougher privacy regulation worldwide. Microsoft CEO Satya Nadella was in the news again just recently, at the World Economic Forum in Davos, Switzerland. In an on-stage interview, he hoped for adoption of a similar regulation to the GDPR in the United States, and called it a “great start”. [7] He’s also walked the walk, as Microsoft was involved in a years-long court battle to protect data on an email account in Dublin, Ireland, from the US government. Shortly after the GDPR went live Nadella announced that Microsoft would be applying similar privacy and security standards worldwide, though, as the Dutch case shows, they have not done so completely successfully.
Worldwide copycats
Nadella’s words highlight the impact GDPR is having, as it inspires copycat laws and discussion worldwide. In the US, an interesting quote came in November from a Texas Republican, Will Hurd, who said: “One of the things we will be looking at is GDPR. Is it working, is it not working, is it something that we may be moving to? A year ago, the answer would have been not 'no,' but 'hell no.' I think more people are open to that now because of some of the breaches."[8] This is noteworthy from the typically-more-hostile-to-regulation-US, and from a Republican congressman at that.
California is already moving ahead, passing a state law in June 2018, the California Consumer Privacy Act (CCPA), that comes into effect in January 2020. The law, coming partly in response to the Facebook/Cambridge Analytica scandal, is a bit less broad than the GDPR, but shares some key characteristics. These include data subject rights such as Disclosure, Deletion, Access, Opt-out, Non-discrimination, which cover a lot of the same things as the GDPR’s rights.
The CCPA is also similar to the GDPR in the impact it will have beyond its boundaries. In the strictest sense, it only applies to large companies operating in California. However, California has 40 million people and an economy, if it was independent, that would be fifth largest in the world. Many companies will find it easier to apply CCPA protections universally, instead of treating such a large and important part of their customer base differently than the rest of the United States population--just like the GDPR.
Worldwide, 2018 also saw a number of concrete developments in data regulation, such as in Brazil and India. In Brazil, for instance, the General Data Protection Law (LGPD) is remarkably similar to the GDPR, having similar provisions on DPOs, DPIAs, international transfers, personal data vs. sensitive personal data, extraterritorial application, and more. Just like the GDPR, Brazilian authorities will attempt to enforce compliance for international companies that have a branch in the country or deal with the data of Brazil’s citizens, regardless of the nationality of the company. Finally, Japan is yet another good example: they had a new privacy law come into effect May 30, 2017, and have spent the second half of 2018 coordinating with the EU in order to harmonize regulations and achieve an adequacy decision that will allow easy EU-Japan data transfers.
What will 2019 bring?
As far as the EU is concerned, 2019 promises to be as interesting as 2018 for data privacy and security. The news about Google and Microsoft will keep analysts and commenters busy for a while, as they try to read the tea leaves about what this means for Facebook, Instagram, and all the smaller players. Meanwhile, new laws such as the ePrivacy Regulation, which will expand and clarify provisions especially around cookies and online marketing, are upcoming that will (hopefully) be cleanly integrated into the overall regulatory framework headlined by the GDPR. We say hopefully, because inconsistent application of rules across the 28 different DPAs has risks that could undermine the strength of the framework being created around the GDPR.
After all the discussion, it’s safe to say that 2018 was indeed a year in which the right to privacy and security took a big step forward. This isn’t all, or even mostly, due to the GDPR, as public and governmental anger at repeated scandals and data breaches continues to build. Scandals like Cambridge Analytica shape public opinion far more quickly than boring government regulations, and companies are more and more seeing the public relations value of being strong on privacy and security. In this, the GDPR’s Article 25 ‘Data protection by design and by default’ is bolstering a trend already developing through market forces. We can credit the GDPR, however, with successfully going live and providing a blueprint that is becoming more tested and established every day.
As we get into 2019, Intellegant expects the world to make more strides towards integrated and global standards for privacy and security. We look forward to this, not only because we believe in the importance of safeguarding people’s data rights, but because it also makes good business sense. The economic power of apps and other digital products is that they can go worldwide easily, meaning that one of their primary concerns are market distortions due to diverse privacy standards and laws in different countries. Standardizing these rules and embracing GDPR concepts like privacy-by-design will be another giant leap forward in unlocking the power of digital transformation.
The journey won’t be easy and many hurdles will have to be overcome to attain these goals. As such, we hope the the GDPR continues to be an example for the rest of the world to build on.
***
Sources:
[1] https://iapp.org/news/a/infographic-gdpr-enforcement-priorities/
[2] https://blogs.absolute.com/will-2019-be-the-year-of-gdpr-fines/
[3] https://voip.review/2019/01/24/google-punished-france-violating-gdpr/
[4] https://www.politico.eu/article/google-fine-privacy-enforcement-france-gdpr/
[5] https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
[6] https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
[7] https://www.eweek.com/security/microsoft-ceo-says-privacy-a-basic-human-right-calls-for-global-gdpr
[8] https://www.theregister.co.uk/2018/11/08/gdpr_usa_congressman/