Data privacy is at the center of the core issues that governments are trying to solve this year. Privacy advocates have been requesting more stringent privacy laws, and governments have responded. The European Union’s General Data Protection Regulation (GDPR) has served as an effective blueprint for new privacy laws. This year, we are seeing new privacy laws come into effect, such as Brazil’s LGPD, the United States’s CCPA, and more. Under GDPR, there have been over 146 fines imposed on organizations, totaling $463 million USD. With the European Union leading the charge, over 80 countries have enacted data privacy laws, and more are soon to follow. This is in response to a plethora of global data privacy issues: online data profiling, internet of things (IoT) devices, a high number of data breaches, facial recognition, data sovereignty... the list of problems that need to be solved could go on.
You may ask, “Why is any of this important or how does it affect me?” Let’s use an online profiling example. For our purposes, we are going to rebrand this for what it is: psychological targeting. Psychological profiling is inferring people’s psychological profiles from their tweets, likes, and purchases. This data is bundled together and used to create a “profile” of the individual. At first, this seems harmless, as it’s used for beneficial purposes such as providing recommendations on Netflix or helping to decide what you want to eat. Not until the past decade have governments become aware of how profiling can be weaponized and used maliciously. Cambridge Analytica provided great insight into how organizations are building profiles of individuals and targeting them with specific advertisements to further influence elections. Weaponized profiling is interfering in elections on a global scale. Some notable countries are the United States, Brazil, and the United Kingdom, but every country is prone to weaponized profiling. This, of course, is a more extreme example, but it is nonetheless important for understanding how privacy affects individuals on a global scale, because under certain privacy laws this type of profiling is illegal.
As more laws come into effect, privacy becomes stronger, but organizations struggle to comply. According to the IAPP, international organizations are subject to roughly 2-5 privacy laws. Countries take different approaches to enacting privacy laws, and there are subtle differences among them. The United States takes a sectoral approach to privacy, regulating the healthcare and finance industries through different privacy regulations, whilst the European Union takes a more holistic, all-in-one approach to data privacy law. Coupled with the privacy laws coming into effect in other large economies such as Brazil, India, and South Africa, it is becoming more difficult for organizations to find a baseline for compliance. There are additional laws that govern cookie compliance and marketing practices, which increases the difficulty of compliance. New international standards are being released to help organizations find compliance, such as the International Organization for Standardization’s ISO/IEC 27701 privacy standards, but they are still new and not yet commonplace.
Privacy regulations are largely needed. However, as we begin to tackle pressing privacy issues, we need to take into consideration how we can continue to enable organizations to do business globally. Privacy laws should not hinder an organization’s ability to innovate, create jobs, and help improve people’s lives; they should improve the safety and quality of data, not undermine it.