Greetings from a humid Portsmouth, New Hampshire!
After a brief vacation and holiday break, I was welcomed back this week with a 1-2-3 punch of privacy news. Though not strictly related to the U.S., the U.K. Information Commissioner's Office essentially kicked off "GDPR 2.0" by notifying the public of its intent to fine British Airways $230 million and Marriott International $130 million for alleged GDPR violations. After many of you spent years preparing for the regulation, and following a fairly quiet year for GDPR enforcement, it looks like the hammer is dropping. With these headline-grabbing fines, it's hard to imagine that other EU supervisory authorities will sit back in the coming months.
Not to be outdone, the Court of Justice of the EU heard the highly anticipated "Schrems II" case on data transfers, specifically the validity of standard contractual clauses and possibly the EU-U.S. Privacy Shield framework. This is, obviously, a big deal. Though we likely won't hear a final decision until early 2020, you can expect the court's advocate general to issue a non-binding opinion this December. Early reports suggest SCCs and the Shield could be on shaky ground. If you're looking for some answers, Bird & Bird Partner Ruth Boardman supplied the IAPP with some answers to "Schrems II"-related FAQs here.
The other notable development this week involves the nascent privacy tech vendor industry. Since 2017, we've been tracking the industry through our Privacy Tech Vendor Reports (stay tuned for our 2019 report in the coming weeks). Venture capital is beginning to fund several privacy tech vendors. This week alone, OneTrust announced it is now valued at $1.3 billion after securing $200 million in Series A funding, making it the first "unicorn" in the industry (a VC term for a startup valued at more than $1 billion). That news came the day after TrustArc announced it raised $70 million in Series D funding. BigID, Privitar, Radar and WireWheel, among others, have also secured major funding in recent months. There's even a new Privacy Tech Alliance geared toward aligning VC firms with vendors and other stakeholders.
This is a huge deal for the privacy industry. The regulatory ecosystem is growing increasingly complex, and regulators are hungry for enforcement with steep fines. It's the automated governance systems, centralized privacy management dashboards, data discovery and mapping technology, data subject access request tools and so much more that are now required in organizations. Excel spreadsheets and Word docs just aren't scalable or equipped to handle these new obligations.
The increased funding into the market also demonstrates the growing maturity of the privacy profession. This hopefully means growing budgets and greater visibility for the privacy office. It will also demand more communication between the legal, engineering and IT teams within the organization. True, the risk profiles for companies are increasing, but the privacy technology is here, and it's getting better.