On January 28, 2020, the National Cyber Security Alliance hosted an event they called Data Privacy Day 2020. The event involved segments and panels led by privacy professionals from around the world. These speakers ranged from members of national government organizations, to high ranking privacy officers of well known organizations, such as LinkedIn and Microsoft. These are some of the takeaways from the event.
Gregory Smolynec, Deputy Commissioner from the Office of the Privacy Commissioner of Canada, began by stating that privacy is in and of itself a human right, and that other fundamental rights are dependent upon it. This sentiment is one of the foundations that the General Privacy Data Regulation (GDPR) was structured upon. Smolynec further stated that the development and implementation of strong privacy legislation worldwide will help engrain trust in commerce, democracy, and economies.
A panel discussion on privacy policies in a global sense then followed. The discussion was moderated by Kalinda Raina (Head of Privacy for Linkedin) and included Smolynec, Jared Ho (an FTC privacy division lawyer), and João Rodrigues (Senior Legal Adviser, European Parliament Liaison Office with the U.S. Congress).
Smolynec began the discussion by stating that Canadian parliament has been evaluating the GDPR, the California Consumer Privacy Act (CCPA), and other policies from around the world in an attempt to create adequate privacy legislation. His department has seen 30 million Canadians (almost the entire Canadian population) personally affected by data breaches in just the last few years.
The panel discussed the various issues facing governments in establishing data privacy policies and legislation. A common factor the panelists observed is a lack of funding available for the emerging field. Different nations, having various views, levels of funding, and sizes are all factors that could cause a lack of harmony, on a global scale, amongst data privacy laws in the near future. This statement infers that there is also a financial burden being placed on businesses associated with establishing frameworks of compliance.
Another issue facing this relatively new field of law is the nature of the channels (the internet and other technologies) that it is attempting to adequately regulate. The current data privacy legislation is relatively new, most of it containing more advisory suggestions than hardline rules. This may be a result of the acknowledgement of the rapid pace in which new technologies are being introduced and the way current technologies will inevitably evolve. These considerations will more than likely present obstacles in the not so distant future with keeping regulations effective and relevant. An example of this question was presented: should companies be able to use a combination of artificial intelligence and cameras in public places to collect data about individuals’ appearances, and make inferences based on that data?
The current model of data privacy that is currently used is a combination of notice and choice, when personal information is collected. The real world application of this framework, although well-intended, seems to be that consumers have been overburdened with lengthy privacy policies that are often too vague for the layperson to fully appreciate. It seems, in fact, that the majority of individuals do not read them at all and consider them to be a nuisance.
The panel portrayed the current nature of privacy policies as placing an unbearable burden on the consumer, which calls for a simplification of policies. They suggest the result of simplification will alleviate fear and anxiety amongst individuals who have a dystopian view of modern day privacy as a result of the prevalence, intrusiveness, and necessity of technology.
An alternate panel, moderated by Larry Magid (CEO, ConnectSafely.org), included; Stacey Gray (Senior Policy Counsel, Future of Privacy Forum), Thomas Hallett (Privacy Solutions Engineer, OneTrust), and Tom Pendergast (Chief Learning Officer, MediaPRO) then led a discussion on the current state of legislation and honed in on the CCPA.
This discussion began by addressing the burden placed on companies trying to comply with current privacy standards. The panel noted the disparity in the level of difficulty with complying between large scale companies and small businesses, saying that small businesses are in greater need of clearly defined rules, so that they can either find a way to comply with current standards or phase out aspects of their businesses that they conclude are too burdensome to bring into compliance.
One of the likely issues resulting from different regions passing their own laws is their determination of definitions. How exactly will they define personal information? How will they define proper de-identification of personal information? How will they define the transfer of data? How will they define the selling of data? These are just a few of the many questions legislators will have to ask themselves (and likely reach different conclusions) when drafting and passing data privacy laws.
The CCPA, which is widely regarded as the most comprehensive American legislation to date, has been criticized as only giving consumers a couple of rights and options. There is a call amongst privacy professionals and businesses for comprehensive privacy regulation at the federal level. The GDPR is up for review in May and will likely add and implement new provisions and adjust current ones. At this point in time, over 100 countries have introduced some form of data privacy legislation and 700 privacy bills have been introduced in the U.S., at the state level in January alone.
Hopefully, in the future, the laws will begin to harmonize and become more palatable for the layperson. Unfortunately, the wheels of justice turn slowly, and for now we are stuck navigating a patchwork of regulations that differ by region. The ultimate destination of data privacy legislation is unknown, but the need for companies to develop/implement privacy policies and keep an eye on regulation has become clear.