Greetings from Portsmouth, New Hampshire!
I have to admit: I'm still adjusting to Eastern Standard Time after more than a week in Munich, Germany, attending our inaugural DPI-Deutschland event. I enjoyed seeing familiar IAPP members and meeting new ones. It was a great experience being part of this bilingual conference.
And, yes, I did briefly visit the Oktoberfest activities last weekend, but I can assure you I did so purely as an objective observer. Munich, and the surrounding Bavarian Alps to the south, is a beautiful area, filled with friendly people and delicious food. If you ever get a chance, don't hesitate to visit.
Jet-lagged or not, however, I had to hit the ground running this week, as the momentum toward a U.S. privacy law has picked up speed. You may have seen a couple of my reports earlier this week, here and here.
Senate Commerce Committee Chairman John Thune, R-S.D., squared things ahead of Wednesday's hearing in an op-ed for The Hill, writing, "The time has come for Congress to work on putting consumer data privacy protections into law. ... The question is no longer whether we need a national law to protect consumers' privacy. The question is what shape that law should take."
Indeed. But the devil's always in the details, right?
Amid these conversations and in the wake of the EU General Data Protection Regulation's authority to fine companies up to 4 percent of annual turnover, a major enforcement action took place this week here in the U.S.
A collection of state attorneys general fined Uber $148 million for its breach and delayed response last year. That's a big-time fine.
How big time? If we look at numbers published last April in Bloomberg, Uber made approximately $7.5 billion in sales in 2017. Doing some quick math, $148 million would be 2 percent of Uber's 2017 revenue.
Coincidentally, a look at the EU General Data Protection Regulation shows that contravention of Articles 25 to 39 face up to a 2 percent fine. Article 32 covers security of processing, and Article 33 outlines breach notification.
What did Uber get in trouble for? Poor data security and lack of timely breach notification. Is that 2 percent number a coincidence? I'll leave that up to you decide, but the numbers don't lie. Perhaps an attorney general office staffer or two has taken a look at the GDPR, though.
Regardless, the state attorneys general have flexed their muscles. Enforcement does have teeth here in the U.S., even if the regulatory framework isn't as prescriptive as the one in place across the pond.
Now, about that U.S. privacy law ...