The year 2015 may well go down as one of the most important years in the history of privacy and data protection. True, it feels like we say this every year: Another watershed year for privacy. But 2015 has been dramatic, significant and groundbreaking for privacy pros. And for many reasons. Let’s put it this way, the hack of 80 million Anthem users, the appointment of a new European Data Protection Supervisor and the passing of major new U.S. surveillance reform are but footnotes in this yearly roundup.
First off, the most important privacy story of the year just happened this week. Twenty years after passing the Directive 95/46, and almost four years since the original proposal came to fruition, a political agreement has finally been reached on the General Data Protection Regulation. Soon to be the gold standard in privacy law, the GDPR has long been on the minds of privacy pros on both sides of the Atlantic, and throughout the year, we heard everything from off-the-record whispers to bold predictions that 2015 was indeed the year for the GDPR. Well now, it looks to be that way.
Amazingly, what would have been the lead privacy story any other year except 2015 was the dramatic invalidation of the EU-U.S. Safe Harbor Agreement. The now infamous Schrems decision by the Court of Justice of the European Union put an end to this long-standing data transfer mechanism to the chagrin of businesses on both sides of the Atlantic. Those who already set up Binding Corporate Rules and Standard Contractual Clauses were likely less peeved—or frazzled—by the judgment, but who knows whether these will eventually get invalidated? Perhaps more fodder for 2016.
Really, the year got off to a hot start, when, last January, U.S. President Barack Obama featured privacy and data security in his State of the Union address. The White House, throughout the year, has recognized the importance privacy plays in the economy and workforce, including this month's call for a Federal Privacy Council. The Obama administration even met with privacy advocates to discuss encryption in communications technology.
Government access to encrypted data—otherwise known as the CryptoWars 2.0—has been a running debate throughout 2015. Law enforcement calls for so-called back doors into encrypted communications have been driven by the rise of ISIS and a spate of terrorist attacks going back to the Charlie Hebdo murders last January all the way through the Paris and San Bernardino attacks in recent weeks. National security and privacy, once again, have been pitted against one another, for better or for worse.
Ironically, it was lack of sound data protection that led to the biggest breach of government records in U.S. history. The summer of 2015 was the summer of the Office of Personnel Management (OPM) hacks. In what appears to be an act of nation-state cyberespionage, tens of millions of records of government workers, vendors and many others were accessed and exfiltrated. If the first breach of OPM records was bad enough—numbering in around 4 million—the second breach of security clearance background checks was egregious. More than 21 million records—including biometrics—were accessed. By the end of it all, OPM Director Katherine Archuletta, after several public floggings in front of the House Oversight Committee, was out of a job.
Three main takeaways came out of the OPM hacks: First, data security is of the utmost importance. Legacy systems and outdated technology helped adversaries gain entry, long-term access and exfiltration capabilities without the agency knowing. Second, the OPM’s response—particularly in hiring a contractor to help with credit monitoring and notification—was ill-conceived. And finally, the top executive can lose his or her job because of a data breach.
The OPM wasn’t the only headline-grabbing hack of 2015. Anthem was the victim of a hack of 80 million users, and children’s toymaker VTech was recently hacked, exposing the identities of more than six million children. Plus, infidelity website Ashley Madison was also breached, exposing the identities of millions of would-be adulterers. The exposure of identities connected to a morally dubious site led to demonstrable harm, including some who allegedly committed suicide after being exposed. In more positive news, revenge porn finally became a mainstream issue that was taken seriously in 2015.
Consumer harm was the focus of a major federal court decision in a case involving retailer Neiman Marcus. Nearly impossible to prove in court, harm has generally lacked standing in courts, but in the Neiman Marcus case, the Sixth Circuit ruled there is harm. As the IAPP’s Omer Tene wrote in July, “Neiman Marcus elevates the complexity of challenges facing businesses in privacy and cybersecurity. It potentially portends a new era where the floodgates of litigation based on rampant data breaches are opened.”
Plus, consumer harm took on a whole new dimension when Fiat-Chrysler had to recall thousands of its vehicles after white hat hackers showed the world they could gain control of the vehicle and override the driver of the car. It was the first major recall of a product because of a hack. Welcome to the new world of Internet-of-Things harm.
Regulators were also busy announcing a flurry of enforcement actions in 2015. The Federal Communications Commission (FCC) made waves with a number of enforcement actions that reached into the tens of millions of dollars. In fact, the FCC has been like a new privacy enforcer on the block, sharing the spotlight with the FTC. FCC Director of Enforcement Travis LeBlanc has not been shy about the agency’s intention to go after bad actors with hefty fines.
That said, the year was an interesting one for the Federal Trade Commission (FTC) as well. Perhaps most significantly, it finally settled its case against Wyndham hotels. Interestingly, the settlement came just weeks after it had lost a court battle with LabMD (which is now being appealed by the agency).
Though Wyndham might be a draw—it depends on whom you talk to right now—the FTC has ended the year on a high note. Just yesterday, it slapped LifeLock with a $100 million fine for violating the terms of a 2010 action against it for poor privacy practices and deceptive advertising. To date, it’s the biggest monetary penalty ever levied by the FTC.
Cross-device tracking—the FTC held a roundtable on this practice—also continued to emerge as a privacy issue in 2015. The ad tech business faced stiff consumer resistance to tracking, evidenced by the dramatic rise in consumer adoption of ad blockers, or what some have called, “DNT 2.0.”
Just today, Congress passed an Omnibus bill that included controversial cybersecurity legislation, the European Council approved its agreement with the European Parliament on the GDPR, and U.S. presidential candidate Bernie Sanders is in trouble with the Democratic National Convention over access to voter records.
As we move headlong into 2016, many of the issues that reared their heads in 2015 will continue to affect how privacy pros do their jobs on a day-to-day basis. Looking forward, will we see a new data transfer agreement between the EU and U.S.? Will this new cybersecurity bill hurt those chances? Assuming the full Parliament passes the GDPR, how must organizations begin building systems and policies to achieve compliance? And in the U.S., how much of a role will access to voter data play in the U.S. presidential elections?
Surely, 2016 will bring with it a new host of data breaches, class-action lawsuits, enforcement actions and privacy laws. What will also continue is the growing role and import privacy professionals play in helping organizations navigate the past developments of 2015 with those on the horizon in 2016.
There were so many other developments in 2015. Please share ones you think should be mentioned. In the meantime, Happy New Year!
Top photo generated by WordItOut