GDPR and CCPA, An Update
A look at the compliance picture 3 months into the international year of privacy
Now that we are a few months into 2019, it is worth taking another look at the impact of two sweeping privacy laws: the EU's General Data Protection Regulation (GDPR) and California's looming, GDPR-inspired California Consumer Privacy Act (CCPA).
GDPR has been in effect since May of last year, while CCPA comes into effect on January 1st, 2020. In both cases there have been significant developments.
Approaching a year of GDPR
One of the biggest questions swirling around GDPR in the run-up to its launch was how aggressively regulators would pursue and punish infractions, particularly given the ambiguity around how some of its tougher provisions could be implemented technically.
Well, now we know, as well-known companies start to feel the EU's wrath in the aftermath of cybersecurity breaches.
In the UK, electronics and mobile phone retailer Dixons Carphone suffered a cyber-attack in 2018 that compromised some 1.2 million customer records, including names as well as postal and email addresses. Under GDPR, companies face hefty fines if they fail to comply with its provisions for handling personal data: the maximum penalty is €20 million or 4% of annual global turnover, whichever is higher. Dixons Carphone, however, appears to face a smaller £500,000 fine in this case, the maximum under the UK's previous Data Protection Act, because the breach occurred before GDPR came into force.
Regulators are understood to be looking for more high-profile test cases however, and it appears they could be spoiled for choice as GDPR has also had the effect of forcing breaches out into the open.
A recent study by global law firm DLA Piper found that over 59,000 personal data breaches have been reported to regulators across Europe since GDPR arrived. UK organizations reported over 10,000 data breaches, Germany reported 12,600, and the Netherlands took the top spot at 15,400.
The stumbling block for many seems to be GDPR's requirement to identify and protect personal data (often referred to in the US as personally identifiable information, or PII, although GDPR's definition of personal data is broader, covering any information relating to an identified or identifiable person, including online identifiers). Companies that have been able to map where their personal data is located, understand how it is used, and maintain a detailed inventory of data assets may actually have benefited from new GDPR-driven efficiencies, both from having their data organized and catalogued and from minimizing fines and other losses when a breach does occur.
CCPA gets tougher – before it's even come into force
The California Consumer Privacy Act is making its presence felt on the national legislative agenda even before it lands on New Year's Day 2020. Like GDPR, CCPA requires organizations to protect the personal information they hold on individuals.
CCPA's definition of personal information is also broad. For example, a host of biometric information is covered, as is any record of an individual's browsing history or other interactions with a company's website or app. Companies do not have to be based in California or have a physical presence there to fall under the law, provided they do business with California residents and meet the law's size thresholds; they do not even have to be based in the United States.
CCPA’s wide-ranging requirements seem to have kicked off a biometric bandwagon at the state level, as more and more legislatures move to regulate the collection, use, and retention of biometric data.
In addition to CCPA's arrival in 2020, Illinois, Texas, and Washington already have biometric privacy laws in place, while Arizona, Florida, and Massachusetts have recently proposed laws that would address biometric privacy. The Washington State Senate has also passed a Washington Privacy Act bill that borrows heavily from both CCPA and GDPR. Other states are likely to join in.
Class Action Targets
Meanwhile, legislators in California are already trying to make CCPA tougher. Under a proposed amendment introduced in February, companies that gather and store personal data could find themselves the target of class-action lawsuits at the state level if they fall foul of CCPA's provisions. Another proposal calls for data brokers to register with the California Attorney General's office, and for companies to disclose the value of their users' data.
That opens up the possibility of user-driven lawsuits against the likes of Facebook, Google or Amazon for cash damages if they are found to have broken the law. Backed by the California Attorney General, the measure would turn up the heat on companies operating in the still-emerging digital economy, and would likely influence the shape of the new federal privacy regulation being considered by Congress.
Learning the lessons of GDPR?
Perhaps another link between GDPR and CCPA is the level of readiness companies report in the run-up to implementation. Prior to GDPR's day zero, the tech and security press regularly ran stories signalling fears of a compliance crash-out, as a large percentage of organizations seemed blasé about the impending deadline.
In that sense a recent study by privacy vendor TrustArc has a ring of déjà vu about it, suggesting that more than 80% of US businesses affected by CCPA are still not prepared.
Adoption of the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is seen by many as a stepping stone that will make CCPA compliance easier. The CSF does not map one-to-one onto CCPA's requirements, but its identify/protect/detect/respond/recover structure gives an organization a defensible basis for the "reasonable security procedures and practices" the law demands.
President Donald Trump issued an executive order in May 2017 directing all federal agencies to use the CSF. Italy, Israel, and Japan have also adopted the CSF at the national level, while companies that have implemented it include Microsoft, Boeing, Intel, and JPMorgan Chase.
Data regulation is now a strong, permanent feature of the IT landscape.
Over the past year, a series of sweeping regulations have come into force that have brought change to entire industries.
Global business will have to operate in a new data environment in 2019. With the year coming to a close, this is an opportune time for companies to review the most important laws governing digital data.
The EU's General Data Protection Regulation (GDPR) was a game changer for Europe. While earlier laws governing digital information prohibited specific infractions, GDPR was a paradigm shift, forcing organizations to completely revamp their practices and institute privacy by design. However, in the six months since it took effect, the visible impact of GDPR has been modest. While many companies have changed their procedures, the fundamental shifts regulators hoped for have been slow to come about.
Many experts say it is just a matter of time. Heavy fines for GDPR violations have not yet been reported, and the enforcement infrastructure simply has not had time to come into its own. 2018 was GDPR's year of codification; 2019 will almost certainly be the year of enforcement.
California Privacy Act
Back in June, privacy advocates succeeded in one of the fastest legislative maneuvers in recent memory by passing the California Consumer Privacy Act (CCPA). Under the law, data collectors are bound by a "right to opt out", essentially the ability for users to object to their data being sold or otherwise distributed. Companies will also be required to "maintain reasonable security procedures and practices appropriate to the nature of the information", i.e. the more sensitive the data, the more protection it must receive.
California's privacy regulations will not take effect until January 2020. However, the more immediate effect of CCPA is its influence on the larger debate over US data laws. The regulations are likely to fuel the efforts of privacy advocates in other states, and even discussions of a federal privacy law have been influenced by CCPA.
National Breach Notification Law
The Gramm-Leach-Bliley Act, commonly known as GLBA, has been on the books since 1999. The Act was revolutionary for its time, being one of the earliest data regulations in the modern era. The federal law requires financial institutions to explain how they share and protect their customers' private information. Compliance with GLBA is not particularly demanding. Its main security provision, the Safeguards Rule, requires companies to designate an employee responsible for information security, maintain a written security program, and test it with some regularity.
A few months ago, the House Financial Services Committee introduced a bill that would profoundly amend GLBA. The new rules would supersede a multitude of state-level laws currently governing data collection, possibly putting an end to major regimes such as New York's DFS cybersecurity regulation. Perhaps the biggest change would be a "national breach notification law" for the financial industry. As the name suggests, the notification law would require companies to notify users of a breach within a very short period after it is identified.
Cybersecurity and Infrastructure Security Agency Act
President Trump signed the Cybersecurity and Infrastructure Security Agency Act into law in mid-November, creating the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security.
The long-term repercussions of this bill could be tremendous. The Act essentially codifies the notion that cybersecurity is a matter of critical national infrastructure and authorizes the administration to protect it as such. Under the Act, CISA is charged with assessing risks and threats to critical infrastructure and coordinating the response to them across federal agencies and the private sector. This important law has had little time to get off the ground; 2019 will be the year the U.S. begins to feel its effects.