The disclosures this week from Yahoo, about government access to private emails, have fueled another round of discussion about the role of privacy and security in the internet and social-media age.
One thing that I think is not well understood about this issue, especially in the U.S., is the fundamentally different perspective on privacy that exists in Europe, and how that difference then manifests itself in policy.
In Europe, “privacy” is treated as a basic human right, so privacy policy approaches are more absolute and differ a great deal from those in the U.S., where privacy is usually defined more like a tradeable consumer right. (And interestingly, one that Americans seem to have no problem ceaselessly trading away for even modest increases in convenience.)
This fundamental difference is evident in the new European Union General Data Protection Regulation, which becomes enforceable in May 2018. Unbeknownst to many U.S. companies, the GDPR applies even if you have no physical presence in Europe: it reaches any organization that offers goods or services to people in the EU or monitors their behavior. And the old days of the relatively flexible Safe Harbor rules that characterized the previous transatlantic data-transfer regime are no more.
According to IAPP-EY Annual Privacy Governance Report 2016, “For privacy and data protection professionals, 2017 may prove to be a watershed year. The leading change agent is the ramp-up in preparations for the European Union’s new General Data Protection Regulation [GDPR], which enters into force in May 2018 to replace the EU Data Protection Directive…Together with the challenges brought by the invalidation of the Safe Harbor framework and entry into force of the new Privacy Shield, all eyes will be on Europe.”
Until recently, the protection and security of information on identifiable individuals had kept a relatively low profile. Most countries, regions, and states have data protection legislation, but they vary considerably in the level of protection decreed. Exposures of personal information and data breaches were relatively rare, and state surveillance of such information was generally covert and not acknowledged by governments.
All of this has changed quite dramatically in the last few years. The amount of personal data stored by companies and governments has soared, and the value of that data has multiplied as more and more personal business is transacted on the internet. Identity theft has become a major new crime. On top of the disruption to business and the damage to customer loyalty that data breaches cause, many jurisdictions are looking to bring their data protection legislation into line with the new, internet-based world, although unfortunately not into line with each other.
A new set of European rules and standards on privacy and data protection has set in motion a mad compliance scramble, not only for European companies but for any company doing business in Europe or with European customers.
So what do you need to know to start thinking about the implications of these regulations, especially if you are a company from outside Europe?
Check out my new Tip Sheet for 4 Tips on Getting Started with the GDPR.