Greetings from Portsmouth, New Hampshire!
We had a couple of strong summer storms blow through here this week. One hit the office during the day — we grimaced as marble-sized hail bounced off the roofs of cars in the parking lot — and part of the same storm snapped in half a wide swath of trees at a golf course nearby. Originally from the Midwest, I have always been fascinated by thunderstorms — specifically, how a day can change from calm and sunny to dark and stormy and back again in the space of an afternoon. The swiftness with which the weather changes reminded me of the privacy space over the past few weeks.
It was less than a month ago that the U.K. ICO announced its intent to fine British Airways and Marriott what were then record privacy and security fines for violations of the GDPR. Little more than two weeks later, the profession started to measure fines in billions rather than millions when the FTC announced its settlement with Facebook, and Equifax agreed to settle claims stemming from its 2017 security incident for an amount large enough to be measured as a fraction of a billion dollars. Then this week, that Equifax settlement drew ire from the public because the amount set aside for consumers who opted for cash payments appears to have been insufficient to meet the number of claims.
In the space of a month, we saw regulatory enforcement at its most aggressive and then immediately received an example that illustrates a common criticism of the current regulatory enforcement toolkit.
Add to the mix a U.S. Securities and Exchange Commission settlement and fine with Facebook that found fault with the company’s risk disclosures in its regular SEC filings as they pertain to data misuse, the expectation that additional significant GDPR fines from European DPAs will be announced later this summer, and continued CCPA amendment activity (amid increased state interest in privacy legislation), and privacy enforcement starts to look like a volatile weather pattern. It is a pattern that has been the norm since last year, when the GDPR had been in effect for just six weeks before the CCPA changed the landscape of privacy in the U.S. (Related: if you want to contribute to industry understanding of CCPA readiness, please participate in our CCPA readiness survey.)
I, for one, am curious to see how businesses approach privacy compliance over the next couple of years. The FTC and SEC settlements with Facebook clearly place privacy practices in the laps of the board of directors and the C-suite, and as fine amounts increase, more attention must be paid to internal and external data practices.
I will never be one to characterize privacy, data protection and security enforcement as a competition — every jurisdiction has independent motivations — but you are forgiven if you have whiplash from looking at either side of the Atlantic to determine where the center of enforcement authority is at the moment. It sets up an interesting dichotomy going forward: Europe, with a mature and well-developed framework for data protection enforcement, and the U.S., where traditional consumer protection institutions and new legislation own the day, both navigate a field that has become increasingly complex and important to modern society. If you are part of a large multinational company, your organization has long faced the need to prioritize limited resources for compliance with disparate global regulations, but it is increasingly apparent that those challenges are no longer reserved for the largest and most geographically diverse companies: data practices are front and center in the U.S.
I am not a meteorologist, but it seems more likely than not that another storm or two will roll through and bring a new wrinkle to the enforcement playbook before the atmosphere stabilizes and privacy professionals have the benefit of hindsight to craft a coherent strategy for compliance.
Until then, I hope the actual weather outside your door is 75 and sunny.