Enterprises Facing New, Stringent Privacy Regulations
Are you ready for new global data regulations? Even if your company doesn't have a business relationship in the EU or Canada, your customers, partners, or suppliers might be reluctant to do business with anyone who can't abide by their data privacy rules.
By Steve Swoyer
June 22, 2017
The era of draconian privacy regulations is nigh -- whether we're ready for it or not.
The European Union's (EU) General Data Privacy Regulation (GDPR) is probably the best known of the new privacy rules. However, the Canadian Digital Privacy Act (DPA) -- an amendment to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) -- arguably has even more salience, especially for North American companies.
Businesses in the EU and Canada probably aren't thrilled about the GDPR or the DPA. The former governs what data companies may collect about EU citizens, as well as what they may do with it, how they may store it, where they may store it, and -- no less important -- under what conditions they may retain it.
The DPA, on the other hand, introduces new regulations that stipulate how companies may obtain valid consent for collecting, retaining, and using personally identifiable information (PII). It also expands the power of Canada's Privacy Commissioner to enforce "compliance agreements" with organizations that have committed (or are likely to commit) PIPEDA violations.
The GDPR isn't supposed to kick in until May of 2018; the DPA was enacted in 2015.
However, the DPA's most disruptive provision -- the requirement that companies report data breaches and notify the people and/or organizations affected by them if certain conditions are met -- isn't yet in force. That conditional clause -- "if certain conditions are met" -- is the hang-up: government, businesses, and other interested parties are still hammering out the details. The upshot is that the DPA's data-breach notification requirements, which were first expected to take effect in 2016, are still in limbo -- although probably not for too much longer.
Clearly, organizations in the EU and Canada will have to retool their IT and data management infrastructures in order to comply with the requirements of either the GDPR or the DPA.
The effects, however, aren't confined to the EU's member states or to the provinces of Canada (several of which -- Alberta, British Columbia, and Quebec -- enforce their own regulations on personal information).
Data Flows Complicate Compliance
Organizations in the U.S. got their first taste of EU-style privacy standards in 2015, when the European Court of Justice invalidated the Safe Harbor Privacy Principles, an agreement that had governed the transfer of PII from EU member states to the U.S. Under the terms of Safe Harbor, U.S. companies could "self-certify" their compliance with the EU's data protection standards. The EU's executive body, the European Commission (EC), subsequently approved a new framework, the EU-U.S. Privacy Shield, but this may also be embattled.
To cite just a few examples: in March, the European Parliament approved a resolution to call on the EC to conduct an assessment to verify that the safeguards of the EU-U.S. Privacy Shield comply with both the EU Charter of Fundamental Rights and the GDPR. Concurrently, the Privacy Shield faces at least two legal challenges in the European Court of Justice.
The Privacy Shield is also scheduled to come up for its first annual review this September. This might seem like a formality, but the European Parliament also asked the EC to use the review process to conduct a "thorough and in-depth examination of all the shortcomings and weaknesses referred to in this resolution ... on transatlantic data flows."
A Potentially Chilling Cascade Effect?
The controversy surrounding the EU-U.S. Privacy Shield is a good example of how interconnected global trade undermines the efficacy of safe harbor-like frameworks. After all, even if a company doesn't have a business relationship with organizations in the EU, its customers, partners, or suppliers might.
Because of the complexity of managing data to suit the requirements of the GDPR, these entities might be less inclined to do business with any organizations that aren't dead serious about privacy.
Handling Digital Trade Barriers Is Challenging
Regulations such as the GDPR and the DPA constitute digital trade barriers. Consider one of the most important provisions of the GDPR: a "right to erasure" requirement that formalizes a process whereby an EU citizen can formally petition an organization or Internet intermediary (including search engines such as Google or Bing) to purge his or her data.
Failure to comply with this regulation could cost a company up to 4 percent of its global revenues, according to GDPR guidelines. Conceptually, "right to erasure" sounds innocuous enough; implementing it, however, will prove to be extremely challenging.
Donald Farmer, a principal with information management consultancy Treehive Strategies, has noted that data sources are more numerous, diverse, complex, and geographically distributed than ever. In large organizations, it can be practically impossible to safeguard sensitive data so as to be in compliance with the GDPR or the DPA.
During a discussion on privacy and metadata standards at last summer's Pacific Northwest BI Summit, Farmer used a conversation he'd had with an enterprise architect from file hosting service DropBox to illustrate this point.
"Under European Union regulations, [DropBox has] to be able to ensure that something is deleted. They have to be able to prove that it's deleted. That's incredibly difficult when you've built all of these self-replicating redundant data sets and they're distributed all over the enterprise," Farmer told attendees. "The [data architecture] diagrams you [usually see] are all about pushing data out. Nothing [concerns] how you track back through the whole system and ensure that data doesn't exist anymore."
All Global Value Chains Are Connected
Even if you don't have a business relationship with Canada or an EU member state, one or more of your customers, partners, suppliers, etc. probably does. You share data with these companies; they share data with you. What happens if your information systems are breached and their sensitive data is compromised?
Even if regulatory authorities in the EU or Canada can't touch you, they can touch the organizations you do business with. More to the point, they can also touch the organizations that do business with the organizations you do business with.
In this case, the biggest danger isn't punitive sanctions, per se, but the possibility that organizations will be charier about whom they do business with, as well as how they source their parts, products, services, etc.
Governments Take Up Data Governance
This is why national governments outside the EU and Canada are newly interested in issues (such as data privacy and data retention) normally associated with data governance. "It's essentially the first time I've ever seen a government take an interest in data governance. They're used to negotiating over borders and tariffs, not privacy regulations," said Michael Whitehead, president of WhereScape, a company that develops automation software for data warehouses and big data analytics.
Whitehead says his company has worked with the government of New Zealand in this capacity. "I think what we're going to see is that the different countries or trade blocs are going to formalize data privacy regulations that hew -- loosely or more closely -- with [GDPR]," he told Upside last year.
"The idea is that if I have a set of regulations in place about data and you don't comply with those regulations, then you can't have any of my data. What we're looking at [in New Zealand] is aligning things [such as] privacy and security with [the requirements of] other jurisdictions, so that to meet the New Zealand standard for data security is to meet the EU standard for data security. The idea is that you don't have to go and figure out every single country's requirements, the governments will figure those out themselves."
The laissez-faire attitude the U.S. holds vis-à-vis privacy rights is something of a global outlier, at least in the developed world. Likewise, there's growing opposition in Canada, the EU, and other regions to the permissive frameworks that (depending on one's perspective) either provide nothing more than a guide for -- or meaningfully regulate -- the transfer of data to the U.S.
U.S. firms would do well to plan for both the GDPR and the DPA. Their competitors in the EU and Canada -- to say nothing of New Zealand! -- already are.