Digital privacy about to feel real-world shock to its system
Will 2016 be the dawning of the new era of digital privacy or another off-the-mark attempt to keep up with spiraling data collection?
New privacy reforms agreed upon earlier this month by the European Union are raising as many questions as answers. The EU is expected to approve in early 2016 its new privacy legislation: the General Data Protection Regulation (GDPR). Implementation will take two years as the EU seeks to educate citizens and help business understand the GDPR's obligations.
The EU agreed to overhaul its data protection directive with a single data protection law (the GDPR), a refined system of enforcement, and fines with teeth (4 percent of a company's global revenue). The regulation supplants the EU's existing Data Protection Directive (DPD).
Here's the scenario, the DPD is outdated. It was created in 1995 before the explosion of personal data collected from such gold mines as credit card trails, social media posts, "free" online services or wearable trackers. Continuing with the DPD, which also suffers from unbalanced enforcement across the EU, would be a farce. Continued debate on replacing it with the GDPR is a waste of time as the GDPR proposal was introduced nearly four years ago, a lifetime in technology, and has already seen numerous amendments.
What's needed is a ball in motion, a real-world implementation that reveals what works while exposing any warts on these new ideals. Anything less at this point is the white noise of postulators and posers.
Proponents say the regulations offer strong personal data protection for EU citizens along with benefits for businesses that encourage growth in the EU economy. Data sharing between EU members, proponents say, will help law enforcement. The regulations combine Privacy by Design concepts such as minimized data collection, deletion of aging data, restricted access and data lifecycle management. It's hardest line is perhaps determining fines using a formula that features corporate revenue.
Tanguy Van Overstraeten, a lawyer at Linklaters told the Irish Times, "A step change in sanctions will make privacy a board-level issue. Some businesses will need to start taking these issues a lot more seriously."
While the EU's privacy concepts seem logical on their face, there is opposition.
Concern with the new rules has come from groups including the Industry Coalition for Data Protection (ICDP), Interactive Advertising Bureau Europe (IAB), European Telecommunications Network Operators' Association (ETNO) and the Confederation of British Industry (CBI).
ICDP members include Google, Facebook, Amazon and IBM, all of which are concerned about chasing off investment in Europe's most innovative technologies.
In addition, the Electronic Frontier Foundation (EFF) argued that the GDPR has unintended consequences for free speech online. Jeremy Macolm, a senior global policy analyst at EFF, and Aylin Akturk, a Ph.D candidate at UC Berkeley School of Law, said in a blog on the EFF website, "In their determination to protect the personal information of users online, the drafters of the GDPR introduced provisions that streamline the erasure of such information from online platforms--while neglecting to consider those who published that information to those platforms who were exercising their own human right of free expression in doing so, and their audiences who have the right to receive such information."
Divides over privacy ideals aren't new among citizens, businesses, and policy makers and influencers. Businesses don't want to give up the golden goose that is user data, and citizens don't want business rummaging around in their personal data collections. Modernized EU regulations will provide, at least, a testing ground for addressing, and perhaps closing, these divides.
Can the EU's new regulations prove what works, what doesn't, and create balance via its privacy model for the modern era?
In 2016, we will be on our way to answering that question.