One year into the European Union’s General Data Protection Regulation (GDPR), there are important insights and lessons learned that should inform data privacy and security discussions in the United States. The GDPR is arguably the most disruptive data protection regulation in recent memory, impacting any organization that processes the data of European Union citizens, regardless of where they are located. Many organizations struggled to achieve compliance by the May 25, 2018 deadline. Meanwhile, early adopters experienced fewer breaches and shorter sales delays. When these organizations did experience a breach, they lost fewer records, it was less expensive, and it took less time to return to regular operating procedures.
As the steady stream of data security and privacy hearings on Capitol Hill continues, two core areas emerge from the GDPR’s first year that should be instructive to these privacy and security discussions. First, accountability is essential. As we have seen time and again, and despite record-breaking data compromises and leaks, when it comes to security and privacy, self-regulation is not sufficient to prompt prioritization of appropriate security measures. That said, what exactly constitutes these proper security measures remains formally vague, although GDPR fines over the last year provide some clarity. While additional components of the GDPR such as opt-in consent, right-of-access requests, and breach notification guidelines are necessary and impactful, accountability and security guidelines deserve additional inspection and consideration when framing the ongoing and imminent privacy and security legislation in the United States.
Challenges of Enforcement & Accountability
While record-breaking fines for GDPR non-compliance garnered significant attention, the story over the last year is much more nuanced when it comes to GDPR enforcement and accountability. Under Article 83(5), violators risk fines of up to 4% of annual global revenue for severe violations. However, in the first eight months in effect, almost 60,000 notifications were issued but fewer than one hundred received fines. Almost a third of these notifications were issued from three countries: the Netherlands, Germany, and the United Kingdom. More recent data from the European Data Protection Board points to over 200,000 cases reported, about half of which remain ongoing, and over €55 million in fines imposed.
Recently, Ireland has been under additional scrutiny. As the lead data regulator for many of the big tech companies, Ireland’s commitment to enforcing the GDPR has come into question due to zero enforcement actions for the over 2,000 data privacy violation complaints filed. This imbalance between notifications and fines has surfaced a core collective action problem when it comes to accountability: it only works as long as all participants equally adhere to and enforce compliance mechanisms.
While this is a core component, as always, there are additional factors to consider. For instance, while Ireland has yet to issue a violation fine, numerous investigations are underway. The most recently announced investigation is focused on the adtech company Quantcast. The Irish Data Protection Commission is exploring whether its transparency practices and use of data profiling violate the data processing and gathering standards within the GDPR. While adtech has not garnered the high-profile attention of social media giants, these companies arguably have as much, if not more, data on users, as they sell marketing intelligence tools that scan the internet for personal data.
This uptick in investigations points to the challenges of enforcement. First, regulators may have been overextended and under-resourced to handle the number of violations reported. Comparing the number of employees needed with current staffing, 17 of 18 E.U. countries analyzed face staffing deficits. Any similar component of a U.S. policy must ensure the institutional structures and processes are in place to credibly commit to ensuring accountability. Second, while built on a foundation of previously established laws, the GDPR nevertheless takes unprecedented steps to protect data. Because of this, many of these cases may be precedent-setting and therefore require a comprehensive case to be built prior to pursuing fines for non-compliance.
In this regard, fines may be imminent and lead to a significant uptick in data breach notifications in the near future. Many of these existing and new cases may revolve around whether or not companies maintained appropriate security measures. This leads to the second major area where some clarity has emerged over the last year: what are “appropriate security measures”?
Ensuring Security Appropriate to the Risk
Article 32 of the GDPR addresses the security of processing data, noting “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Relevant measures listed include encryption and pseudonymisation, ensuring the CIA of data (i.e., confidentiality, integrity and availability), restoring personal data in light of an incident in a timely manner, and implementing a security assessment process.
While some general guidelines are offered, it is not entirely clear how to evaluate what security processes are required in conjunction with risk. Fortunately, a few cases have emerged that at least begin to offer some guidelines. Last November, a German firm was fined €20,000 for failing to encrypt their data, which resulted in 330,000 credentials being posted online.
More recently, the Italian data protection authority issued its first GDPR fine, which similarly focused on inadequate security measures. In this case, a platform that ran websites associated with an Italian political party experienced a data breach and was fined €50,000 for implementing inadequate security measures. The Italian data protection authority pointed to complicated and time-consuming vulnerability patching processes, weak passwords, weak encryption on the storage of passwords, and weak auditing measures that prevented the recording of accesses and operations performed on the database. Shared accounts and broad access privileges received significant scrutiny, especially in conjunction with the inability to audit access.
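The two findings above that translate most directly into engineering controls are password storage and attributable access logging. The following is an added illustration, not code from this article or from either regulator's findings: it contrasts an unsalted fast digest (the weak storage pattern) with per-user salted PBKDF2 from the Python standard library, and keeps an access log keyed to an individual identity so that database operations can be reconstructed per person rather than per shared account. The iteration count, table names and actor names are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Weak pattern: a fast, unsalted digest. Every user with the same password
# gets the same stored value, and offline guessing is cheap.
def weak_store(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Hardened pattern: random per-user salt plus a deliberately slow KDF.
# PBKDF2-HMAC-SHA256 is in the standard library; the iteration count is an
# assumed value for this example, not a figure from the page.
PBKDF2_ITERATIONS = 600_000

def hardened_store(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Self-describing record so the parameters can be rotated later.
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Audit trail: each operation is recorded against the individual who
# authenticated, never a shared role account, so access is attributable.
class AccessLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, actor: str, action: str, table: str, row_id: str) -> dict:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,       # individual identity, e.g. "alice"
            "action": action,     # SELECT / UPDATE / DELETE / EXPORT
            "table": table,
            "row_id": row_id,
        }
        self.entries.append(entry)
        return entry

    def accesses_by(self, actor: str) -> list[dict]:
        return [e for e in self.entries if e["actor"] == actor]

    def touched_row(self, table: str, row_id: str) -> list[str]:
        # Who has touched a given record: the question a regulator asks
        # after a breach, and one a shared account cannot answer.
        return sorted({e["actor"] for e in self.entries
                       if e["table"] == table and e["row_id"] == row_id})

if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    print("weak, same digest for two users:",
          weak_store("Summer2019") == weak_store("Summer2019"))
    rec = hardened_store("Summer2019")
    print("hardened, per-user salt differs:", rec != hardened_store("Summer2019"))
    print("verify correct:", verify("Summer2019", rec))
    log = AccessLog()
    log.record("alice", "SELECT", "members", "1042")
    log.record("bob", "EXPORT", "members", "1042")
    print("who touched members/1042:", log.touched_row("members", "1042"))
```

With a shared account the last query would return a single role name for every record, which is exactly the gap the Italian authority described: the operations happened, but nobody can say who performed them.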
From the E.U. to the U.S.
The GDPR will continue to offer insights and lessons learned during privacy and data protection discussions at the state and federal level. There already have been significant comparisons and contrasts made between the GDPR and the most prominent state law, the California Consumer Privacy Act. However, legislators in almost every state are debating some form of data protection law instead of waiting to see whether a federal privacy law will emerge. In April, Texas legislators introduced two bills aimed at consumer data protection. In many ways, their discussion reflects those occurring across the country. There was testimony decrying the lack of a federal law and noting the desire to lead, while those opposed to such regulations highlighted a potential to impede innovation. Massachusetts and Washington, DC also have had similar discussions and proposals over the last few months, joining the dozens of data protection bills under debate across the country.
Meanwhile, the Privacy Bill of Rights Act, Consumer Data Protection Act, Data Care Act, American Data Dissemination Act, and DATA Privacy Act reflect a range of data protection considerations as well as the ongoing fragmented approach to data protection at the federal level. Looking ahead, there will be no shortage of insights from the GDPR as the U.S. progresses toward formalizing data privacy and protections. With consumers and corporations increasingly interested in greater government regulation for data protection, accountability and security measures must be integrated into any new legislation, while additional insights are likely to emerge as the GDPR enters its second year.