We all knew 2018 was going to be a busy year, but it's fair to say that, somehow, it was even crazier than most of us expected. Of course, 2018 is the year of the EU General Data Protection Regulation. May 25 was the big day. And like Y2K, the world didn't end May 26.
For those of us on the IAPP publications team, we thought life after May 25 would consist of more operational how-tos for implementing and operationalizing GDPR-compliance initiatives, but, lo and behold, GDPR was just the tip of the iceberg in 2018.
Brazil passed a national privacy law, India released a draft comprehensive law, oh, and you may have heard that California passed a new law, too. This was also the year of the Cambridge Analytica revelations, the continuing Brexit saga and more major data breaches. And as we wrap up 2018, there's more momentum for a U.S. federal privacy law than perhaps ever before.
These massive issues often require difficult conversations and give rise to debate about what it all means and where it will lead. Sometimes we just need to express our opinions. That's what Privacy Perspectives is for.
We had so many great contributions from members and thought leaders — and even a regulator — throughout this year. Though we can only include the top 10, there were so many more that added to the privacy conversation. A big thanks to all of you who shared your thoughts.
India is home to 1.3 billion citizens and the sixth largest economy in the world. So when it moves toward creating a data protection framework, it's a pretty big deal in the privacy world. Shaundra Watson, CIPP/US, director of policy at BSA, the Software Alliance, pointed out that "India is at an important crossroads." When this was published in February, the Government of India's Committee of Experts was just in the early stages of creating a draft law. Watson wrote that "its approach to important issues related to the scope of personal data, the legal bases for processing data, and the need to facilitate cross-border data transfers will shape India's future — and the global economy — for years to come."
One of the year's major privacy stories, the Cambridge Analytica revelations exposed to the public the extent to which private information was shared with third parties. But that wasn't the only thing it revealed. Citigroup Senior Vice President and Assistant General Counsel Amanda O'Keefe, CIPP/US, CIPM, FIP, put a practical spin on what lessons could be drawn from this story. "Privacy pros have been asking good questions, and drafting provisions to cover data collection minimization, use limitations, and secure deletion, but have we thoroughly thought through the potential for third party exploitation of the data, and are we doing enough to monitor and enforce these commitments after the contracts are signed?"
Perhaps overshadowed by some of the other big stories of 2018, the Privacy Shield remains a significant part of EU-U.S. cross-border data transfers. We were delighted this year to house European Data Protection Supervisor Giovanni Buttarelli's thoughts on Shield. In this post, Buttarelli, with some wit and humor, draws upon an old Italian idiom: "'conoscere i propri polli' — literally, to know one's own chickens."
Naturally, privacy pros use a lot of brain cells deciphering different provisions within the GDPR and what they mean for their companies. And as with any law, there's room for interpretation, like this post from DPR Managing Director Tim Bell with regard to Article 27. This post had the most comments of the year, something we always hope to cultivate with Privacy Perspectives.
May 25 was a Friday and the most anticipated day in the history of data protection. Luckily, the sky didn't fall. To reflect on the whirlwind that led up to GDPR Day, IAPP President and CEO Trevor Hughes, CIPP, offered up his thoughts on this major regulation, noting that May 25 "can also serve ... as a day to look back on the work that has led to this moment and the changes that have occurred as a result of GDPR. In the middle of our efforts to prepare for this regulation, it has been too easy to lose sight of the massive evolution (revolution!) in the privacy field."
Perhaps lost in the shuffle leading up to the GDPR was the hard, often thankless work that privacy pros engage in every day. To shine a light on all that work, Hunton Andrews Kurth's Centre for Information Policy Leadership President Bojana Bellamy, CIPP/E, wrote a letter to all the unsung heroes of the GDPR. "I want you to know that I think you are amazing and to say thank you for the herculean effort and boundless commitment you have given to getting your organizations ready for the GDPR."
75,000. That's the IAPP's estimate of how many data protection officers are needed worldwide because of the GDPR. Jeroen Terstegge, CIPP/E, CIPP/US, a partner at Privacy Management Partners and IAPP country leader for the Netherlands, shared some valuable advice last summer on the top five things a prospective DPO should look for in a job. If you haven't read this one yet and are on the hunt for one of these positions, this post is for you.
The surprise story of 2018 was California's quick passage of its Consumer Privacy Act. It's comprehensive and places a whole new set of obligations on companies doing business in the state, which also happens to be one of the biggest economies in the world. Many privacy advocates celebrated the bill, but that wasn't a sentiment shared by everyone. Santa Clara University School of Law Prof. Eric Goldman didn't mince words in this Perspectives post. Maybe you agree?
The surprise passage of the CCPA has now in part led to momentum for a U.S. privacy law, something that was unthinkable in 2017. And maybe I'm cheating by adding a series of three posts here, but long-time privacy thought leader and consultant Robert Gellman shared his thoughts on what it would take to get federal legislation. And you guessed it: It won't be easy! You can read posts two and three here and here.
It wouldn't be a conversation about privacy in 2018 without mentioning Brexit. When I was at the Data Protection Congress last month, Brexit news was front-and-center on BBC and Sky. There's a ton of uncertainty around it, and it has huge implications for data protection. Luckily, Hogan Lovells Partner Eduardo Ustaran, CIPP/E, laid out the potential scenarios for Brexit and what that could mean for the privacy profession. Over the years, Eduardo has been one of Privacy Perspectives' most-read contributors, so I'd be remiss to not include his recent take on the European Data Protection Board's "common sense" approach to the GDPR's territorial scope.
Last, but certainly not least, Morrison Foerster Senior Of Counsel Lokke Moerel shared a thoughtful perspective on reducing discrimination in algorithms. Data ethics, algorithmic accountability and the increased use of artificial intelligence in the marketplace are creating significant challenges for privacy professionals. In this post, Lokke offers her thoughts on one way to reduce discrimination.