As we enter 2015, it is likely to be a year of progress on several privacy fronts and, sad to say, of little progress on others. Generally, the rapidly converging issues of corporate security and cybersecurity are going to be the primary global focus. After that, new laws, amendments to existing laws and final regulations under recently enacted laws will continue to create a fluid environment.
In the US
The Sony security breach in November has raised the bar on protecting assets that are not critical infrastructure to a new level. When stolen corporate information such as internal emails and unreleased movies is used for political blackmail, we have entered a new era of risk for company assets. There was an interesting Q&A with White House Cybersecurity Coordinator Michael Daniel on this issue, reported in POLITICO Pro.
A number of cybersecurity laws relating to government agencies were passed in late December, mostly codifying current practices. One of the most important allows DHS to create new job descriptions for critical cybersecurity workforce positions so that it can compete more effectively with the private sector for talent, which was a pressing need. Notably missing was any legislation setting guidelines for sharing cyber threat information between the private and public sectors, something we also badly need. Expect the debate on this to resume early this year.
With a Republican controlled House and Senate, we should expect Congress to be one of the most active in passing legislation in recent years. The R’s want to demonstrate to the American public they can effectively govern the country before the 2016 election, and Obama has shown early signs that he won’t veto everything that comes across his desk. Furthermore, the R’s have such a strong hold in the House that they can afford to let some Tea Party members defect and still retain a majority.
We should expect this Congress, either this year or next, to finally pass federally preemptive security breach notification legislation, something that should have happened years ago. An Obama veto is not expected. However, if Congress loads this legislation down with too many unrelated matters, it could once again fail to pass.
As to other privacy legislation, these issues are still tier 2 issues, and, while there will be bills introduced, we are not likely to see any comprehensive privacy legislation passed. Anything that does pass is likely to be specific to some practice, such as drone regulation, rather than a broad omnibus privacy law. There is still no agreement on what this kind of legislation should look like in the US.
All this means that self-regulation should continue to be the focus. Good examples of industries that want to get ahead of the legislative curve are the facial recognition industry and the connected car industry.
In Europe
After three years of negotiations, we still don’t have a draft privacy regulation that nearly everyone agrees upon. While the Council talks about reaching general agreement on all outstanding issues before summer, experts warn that three or four months will be needed to consolidate the various agreements. Only then will it be possible to start the final “trilogue” negotiation with the European Parliament. A reasonable prediction is that the process will conclude closer to mid-2016. For an excellent analysis of the history of the regulation, read The EU data protection regulation after 3 years of negotiation.
In Latin America and Asia
Things continue to move slowly in various countries. Brazilian legislation is expected to advance, but cross-border data transfer issues remain unresolved.
In both Latin America and Asia, we have laws that were modeled on the older European laws, and all will need to be modernized rather rapidly to accommodate the realities of big data.
Japan plans to modernize their privacy law this year, and with what we know of their efforts, they look to be moving in the right direction. They are incorporating a strong component of self-regulation into their new approach.
One bright spot in the world is that the APEC Cross Border Privacy Rules [CBPR] for Processors are expected to be finalized this summer. The CBPR for Controllers continues to gain momentum, and even countries like South Korea are interested. Eventually, this should ease the movement of data around Asia.
On My Wish List for 2015
My top three wishes for 2015 are not new, but that hasn’t diminished my desire to make even more progress on them this year.
More Comprehensive Self-Regulation: The gap between what is technically possible and reasonable guidance about where the ditches are on the digital highway widens every day. Self-regulation is the ONLY short-term answer. The industry is active, but it should be far more aggressive in setting its own rules.
More Seamless Cross-border Data Flows: Every year it becomes more important to have seamless ways to move data safely around the world. We need continued, and more rapid, progress on APEC CBPR adoption and on its integration with BCRs and Safe Harbor.
More Cooperation on Security and Cybersecurity Issues: The cybersecurity challenges we face can ONLY be solved with maximum cooperation between the private sector and the public sector across the globe.
Acxiom believes that we need to think about privacy issues more as ‘ethical’ issues than as ‘compliance’ issues. If we do, we think most responsible companies will make the right decisions and will be far less likely to see consumers revolt.