The global privacy landscape has changed dramatically in the beginning of this millennium. On the one hand, data is regarded as power and the new commodity or even currency, on the other hand, both data subjects and regulators have increasing demand of data privacy to avoid personal data violation.
This fast-changing privacy landscape will continue gather its pace in 2019. Below is breakdown of what we’re seeing across the globe and what it means for us as researchers.
The United States
The US is going through a phase of deregulation on the federal level under Trump administration, but different states are enacting privacy related bills independently. In the US, there is no single, comprehensive federal (national) law regulating the collection and use of personal data. However, each Congressional term brings proposals to standardise laws at a federal level. Instead, the US has a patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another. In addition, there are many guidelines, developed by governmental agencies and industry groups that do not have the force of law, but are part of self-regulatory guidelines and frameworks that are considered "best practices". These self-regulatory frameworks have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators.
States including Alabama, California, Colorado, Arizona, Iowa, Louisiana, Nebraska, Carolina, Oregon, Virginia, Dakota all have privacy bills pending or due to be effective. The most famous one is California Consumer Privacy Act (CCPA, A.B. 375), which has a nickname of ‘mini GDPR’. It is unanimously rammed on June 28 2018, likely to have some amendments by effective data - Jan 1 2020. The new law gives consumers broad rights to access and control of their personal information and imposes technical, notice, and financial obligations on affected businesses.
Also inspired by GDPR, Brazil enacted its General Data Protection Law – Lei Geral de Proteção de Dados (LGPD) (Law 13,709/2018) in Aug 2018. The law will come into effect after its 18th adaptation period, in early 2020.
The LGPD creates a new legal framework for the use of personal data in Brazil, both online and offline, in the private and public sectors. It is important to note that the country already has more than 40 legal norms at the federal level that directly and indirectly deal with the protection of privacy and personal data in a sector-based system. However, the LGPD is replacing and/or supplementing this sectoral regulatory framework, which was sometimes conflictive, marshy, without legal certainty and made the country less competitive in the context of an increasingly data driven society.
Similar to the GDPR, the LGPD sets out general principles that must underpin all processing of personal data, and then builds on those principles by identifying specific legal bases that can be relied on to support particular acts of data processing. Importantly, while the LGPD focuses mostly on data privacy, the principles also impose substantive data security requirements: companies must adopt “technical and administrative measures to protect personal data from unauthorized access and accidental or illegal destruction, loss, alteration, communication or dissemination.”
In addition, India, Thailand, Japan, Australia and South Africa all have privacy legislation similar if not identical to GDPR due to be effective in the coming months.
As Europe’s GDPR legislation dominated headline in 2018, the ePrivacy Regulation will be the next one to pay attention. It isn’t just about cookies. It concerns electronic communications and the right of confidentiality, data/privacy protection and more. In other words: again, personal data protection.
Electronic communications means that it includes the Web, the Internet (email, apps, you name it), telephone, instant messaging and so on. So we are also talking about spam, direct marketing, telecommunication firms, mobile app developers, online advertising networks and, often overlooked, the IoT (Internet of Things), among many others. A look at the text, the impact, the challenges and the evolutions. As the European Commission made clear in the scope of the progress of EU member states with the GDPR, all focus is on the GDPR at this time and it is pretty sure that the ePrivacy Regulation will NOT enter into force before 2019 and even most probably the second half of 2019.
UK’s Brexit and future relationship with Europe might not be certain, Information Commissioner Elizabeth Denham sets out how the ICO is helping businesses, particularly SMEs, prepare for a possible no-deal Brexit. The Government has made clear that the General Data Protection Regulation (GDPR) will be absorbed into UK law at the point of exit, so there will be no substantive change to the rules that most organisations need to follow. But organisations that rely on the transfers of personal data between the UK and the European Economic Area (EEA) may be affected.
What does this mean to us?
Besides the U.S.-China division, internet fragmentation is also happening in less obvious places, Oxford cybersecurity expert Emily Taylor explains. Europe’s global data protection regulation (GDPR) has led some companies to overreact and block their sites to European visitors. Other jurisdictions are following suit and considering data localization laws. “You're going to end up with cross-cutting national and regional laws that are reaching over their borders, making it very difficult for companies to comply,” Taylor warns. “People will just choose to be very limited in what they do and the audiences that they try to reach.”
After a year of scandals, the implementation of Europe’s GDPR and upcoming copycat legislation from other jurisdictions, the advertising business will move away from the wholesale collection of personal data and the extreme personalization of advertising, predicts Mihael Mikek, the founder and CEO of digital advertising platform Celtra. “The question will come down to, Is the data being used in a way that benefits the consumer or not?” he explains. “In the last five years, it’s been such a crazy race to collect as much as possible.” Advertisers will follow consumers, who will demand more ethical and consent-based use of their data. After The New York Times' investigation of location-tracking apps published yesterday, location data is likely to be the next battlefront.
The intensity of privacy demand from consumers, ever increasing privacy legislations and big data capacities of corporation are increasing. 2019 is likely to see some high-profile lawsuits of based on this tension and rebalance this relationship.