What were the key privacy events of 2018, and what issues triggered them? And what can we expect this year in terms of security, regulation and new practices? John Tsopanis, Privacy Director at the data discovery experts Exonar, shares his insights.
Privacy legislation advanced leaps and bounds in 2018 with Europe (GDPR), California (CCPA) and India (PDPB) pioneering the way for privacy protection for their citizens.
For many organisations, 2018 was the year that ‘data privacy’ became the two most cumbersome words in the professional lexicon. To comply with the new legislation, organisations had to assess their data practices and their ability to protect citizens’ privacy rights. With GDPR fines of up to €20m or 4% of global annual turnover, whichever is higher, 2018 was the year that businesses started taking data privacy seriously.
2018 Key Privacy Events
Europe and the GDPR – May 2018
Europe began enforcing the GDPR in May 2018, giving European residents the right to access and erase their personal information upon request, whilst mandating organisations to report personal data breaches to their supervisory authority within 72 hours and, where the breach poses a high risk to individuals, to the affected individuals themselves.
In the UK, reporting of data breaches to the Information Commissioner’s Office (ICO) increased by 260% in the three months after May 2018 compared to the same three months in 2017; a remarkable cultural change in identifying and reporting data breaches.
The ICO also issued its first GDPR enforcement notice, against AggregateIQ (AIQ), the Canadian data firm linked to Cambridge Analytica, and later took enforcement action against Cambridge Analytica’s parent company for failing to comply with a subject access request (SAR) from Professor David Carroll.
Key Privacy Trigger:
Cambridge Analytica, Brexit and Trump – the data of up to 87 million Facebook users, mostly in the US and UK, was used to psychologically profile and micro-target citizens with political messaging and misinformation intended to influence the Brexit and Trump votes. There are 11 ongoing criminal enquiries into breaches of electoral law in the UK, and unlawful data practices are the cornerstone of those investigations. These investigations will escalate and conclude in 2019, heightening citizens’ understanding of how their privacy rights were abused.
USA and the California Consumer Privacy Act (CCPA) – July 2018
California passed the CCPA, which will come into effect on January 1st 2020. The CCPA provides rights of access and erasure similar to the GDPR’s, and also requires organisations to disclose, upon request, the categories of third parties to which they sell personal data and the sources from which they collect it.
The CCPA has prompted New York to consider data privacy legislation of its own, and there is talk of a federal privacy law being developed in 2019, as the complexity of complying with state-by-state data privacy laws looks too impractical to overcome. This point was made clear when the two largest American data breaches of 2018 affected Americans across all 50 states.
- Exactis – 340 million records breached
- Marriott Hotels – 323 million records breached
Key Privacy Trigger:
California Consumer Privacy Act and the right for Americans to sue
The CCPA provides California residents with a private right of action, allowing individuals to pursue their own lawsuits against organisations rather than waiting for regulatory enforcement action. Individuals can exercise this right when a breach of their personal data results from an organisation’s demonstrable failure to implement reasonable security controls.
In the USA, a litigious society, we can expect the individual right to sue to drive interest in data privacy rights at a quicker rate than in the build-up to the GDPR, which will in turn lead to calls for those same data privacy rights at the federal level.
India and the Personal Data Protection Bill (PDPB) – September 2018
Six months after India’s national identity system was breached, exposing the data of 1.1 billion Indians, India announced its Personal Data Protection Bill. Openly modelled on the GDPR, the PDPB gives Indian citizens rights of access and erasure, requires organisations to report breaches to a new Indian data protection authority (DPA), and gives that DPA the power to make rules (unlike the ICO in the UK) and to levy hefty fines.
The PDPB will also include sector-specific provisions, as the CCPA does, and provisions for national security concerns similar to those found in China’s data protection rules.
Key Privacy Trigger:
Aadhaar Data Breach
In March 2018 a breach of India’s national identity database, Aadhaar, left the personal and biometric information of 1.1 billion Indians exposed. The data was of sufficient detail to open bank accounts, enrol in state financial programmes and register SIM cards, sparking a nationwide debate on data privacy and national security, and leading to the announcement of the PDPB six months later.
What to Look For in 2019
Public outrage at AI’s abilities to psychologically profile and microtarget citizens in real time
The investigations into the role of AIQ, SCL and Cambridge Analytica in both the Brexit and Trump campaigns will escalate through 2019. As indictments are served in relation to data crimes, the public will develop an understanding of how AI algorithms psychologically profile and micro-target them in real time.
Authoritarian regimes’ use of the same data practices to suppress opposition via social media platforms will come under specific scrutiny. This will strengthen the political movements calling for AI transparency and major regulatory reform of big tech and micro-targeting data practices.
Big Tech vs Regulators battle it out over US federal privacy law
The fight over the details of the CCPA is ongoing, and we can expect the lobbyists of Google, Amazon, Facebook and Apple to continue actively resisting tighter regulation at every opportunity. We can expect pushback on citizens’ rights to access their data, a growing conversation about consent for data usage, and attempts by journalists to reveal the network of third-party data analytics firms who would be the worst violators of new data privacy laws.
The first £100m GDPR fine?
It is difficult to grasp the privacy impact of a data breach, especially when the number of citizens affected runs into the hundreds of millions. These are numbers too large for individuals to comprehend, but regulators will account for the privacy impact in the form of mega fines in 2019.
The maximum GDPR fine for Facebook, at 4% of global annual turnover, is approximately $1.6bn, and with investigators across the world scrutinising the data practices of multiple technology companies, 2019 could be the year of the first truly eye-watering fine.
Author: John Tsopanis, Privacy Director, Exonar