For over two years, GDPR has provided a framework for how data protection can be accomplished, one that has since been copied well beyond the EU, but it's not without its challenges. These challenges are rooted both in expectation and in the legislative process itself. Since GDPR took effect, we've seen inconsistency in how the regulation has been applied, despite a desire by most businesses to comply.
As it turned out, on May 25th 2018 I was at a conference in Berlin, and the Synopsys stand was decidedly in the minority in having a data collection disclosure for any attendee electing to have their badge scanned for follow-up conversations. Our GDPR disclosure was such a novelty that other exhibitors were snapping photos of it to bring back to their respective teams. This disclosure also served as a counterpoint to the wave of browser cookie disclosures and to US-based web properties limiting access to their content for anyone in an EU member nation. Day one also saw the initial wave of complaints filed against the Big Tech giants, which highlighted a pent-up desire for greater transparency in how consumer data is collected and processed.
It is this desire for transparency, and the associated consent processes, that has fueled global data protection legislation in the past two years. From the California Consumer Privacy Act (CCPA) to Brazil's General Data Protection Law (LGPD) and India's Personal Data Protection Bill, we can see that governments are taking the privacy of their citizens' data seriously, while also attempting to future-proof their legislation as businesses innovate in data-driven technologies.
Unfortunately, all legislation is inherently reactive to the climate in which it's created. Businesses are agile, and their appetite for data is a double-edged sword: consumers see the value behind data-based solutions like digital assistants, but business governance doesn't adequately protect those customers from employees behaving badly. This is precisely the issue that Germany's Hamburg data protection authority faced when issuing a temporary order against Google over its practice of having humans review recordings captured by the Google Assistant.
This is the backdrop against which privacy experts are raising concerns over COVID-19 contact tracing applications. While the scientific and public health benefits of identifying whom infected individuals have been in contact with aren't in dispute, the security and implementation of a given contact tracing application should be thoroughly vetted, because consumers are ill-equipped to verify the security of any application themselves. Further, the decisions made today about what data is collected and who has access to it are likely to evolve over time. This evolution is particularly challenging as countries start to relax travel restrictions: a given contact tracing application may assume that every user it encounters is covered by a single national health scheme or belongs to a specific insurance system, for instance, an assumption that breaks as soon as users cross borders.
Effectively, digital privacy legislation provides a static view of the data collection and sharing expectations at the point of enactment, while also reflecting the capacity of the jurisdiction to prosecute any violations. Regulatory capacity, not the magnitude of potential fines, then becomes the true test of the legislation's societal impact. This is why the current backlog of cases in Ireland is so concerning.
With multinational businesses selecting Ireland as their EU base of operations, the One Stop Shop provision of GDPR creates a significant resource imbalance between the Irish DPC and the legal teams of the tech giants operating out of Ireland. Such imbalances delay decisions, and absent a clear determination of a violation in the form of precedent, businesses will continue "as usual", believing they are on the correct side of the law. Meanwhile, as the appetite for data within business grows, novel uses for collected data will be found, uses which may be contrary to what consumers expected when they consented to their data being collected and processed.
All of this challenges the future of GDPR and its equivalents. Both enforcement delays and novel data uses fail to acknowledge two realities: the only data ever subject to a breach is data that was collected and retained, and given access to data, businesses will find uses for it, often outside the original scope of use. For GDPR and its equivalents to have the desired impact will require a collaborative effort between regulators and business, one where changes in the business climate are recognized and addressed before consumer complaints occur.
By Tim Mackey, principal security strategist, Synopsys Cybersecurity Research Centre (CyRC).