There has been no shortage of data privacy laws enacted in the past few years. The one that has received the most attention is the EU General Data Protection Regulation (GDPR), in force since 25 May 2018. In the United States, the California Consumer Protection Act (CCPA) and Maine have passed new laws with the promise of more to come. Brazil’s General Data Protection Law goes into effect in 2020. Many countries, including Bosnia and Herzegovina, Monaco, Montenegro, North Macedonia, and Ukraine, have amended their existing data protection legislation to align with GDPR.
Why Do We Need Laws?
Generally, laws exist to correct behaviors that various jurisdictions consider to be unacceptable, everything from homicide to littering. It is not as though there was a sudden realization that personally identifiable information (PII) was at risk of the disclosure; there were plenty of data privacy laws already on the books. GDPR itself replaced the EU Data Protection Directive of 1995. The Canadian Personal Information Protection and Electronic Documents Act (Pipeda) was enacted in 2000. Japan’s Act on the Protection of Personal Information (APPI) dates back to 2003. Almost all countries have had some form of the privacy legislation in effect in this century or before. So, what has caused so many governments around the world to upgrade their privacy laws recently?
Fines and Enforcement
If people and organizations were not observing the EU Data Protection Directive, what would lead us to believe that GDPR will make things any different? Ah yes, there are harsh financial penalties for disregarding GDPR. And, indeed, there were 59,000 reported GDPR breaches in the first eight months the law was in effect. That sure is a lot. But there were only 91 financial penalties issued, for a total of €56 million, of which the vast preponderance was the €50 million fine issued to Google. This year alone British Airways faces a $230M GDPR fine for 2018 data breach. The Information Commissioner's Office plans to hit the airline over a data breach that affected 500,000 customers.
I am sure that Google is not fond of paying out so much money for not properly disclosing to users how data are collected across its services—including its search engine, Google Maps, and YouTube—to present personalized advertisements. However, Google’s parent company, Alphabet, reported US$142 billion in revenues for 2018. Is the fine that was levied on the company enough to significantly change the way Google does business or make a big difference to data privacy in Europe?
Castles in Spain
I suggest that the spate of new data privacy laws has come about because governments are aware of their inability to constrain the use of PII for purposes other than those for which it was collected, the very core of data privacy. They cannot restrain the enterprises that have arisen as a threat to that definition. This century has seen the arrival and massive growth of organizations whose entire business model is the collection of personal information for the purpose of selling it to advertisers and others trying to reach targeted market segments. With minimal exceptions, these companies do not steal our PII. We sell it to them, if not for a mess of pottage, then at least for online services that seem to us to be free.
PII has a monetary value. Maybe it is not much on an individual basis, but in the aggregate, it is worth a lot, in the billions.
If I decide that I want to buy a castle in Spain and look up the prices online, I am sure to be inundated by ads for Spanish castles. I could save myself the mild aggravation of seeing all those advertisements by not using a search engine, or getting driving instructions from Seville to a castle, or using social media to tell my friends about the magnificent parapets I saw or find out the weather in the Alcazar. Perhaps there is a yak herder in the deepest depths of Siberia who is not using the Internet, but for the rest of us, the services offered on the latest apps are a part of our lives. We bought them with our PII.
So, did I get appropriate value for the pittance my PII was worth? Was the benefit sufficient to reimburse me for the loss of a portion of my privacy? Do I care if someone thinks that I am a mover and a shaker in the Spanish castle market? I suppose I have reached an accommodation with the companies with which I have carried out a de facto transaction. And so has everyone else who uses the Internet.
Genuine Harm
None of the above is meant to downplay the honest and grave consequences of genuinely serious privacy breaches. The ease with which victimizers can find their prey on the Web is not to be dismissed. Credit card numbers are being sold; people are being stalked; politicians are illicitly swinging elections. As I write this, there is a controversy about YouTube being used by pedophiles to seek out little kids’ pictures and, perhaps, the actual children themselves. My point is that the latest generation of data privacy laws should be focused on cases of actual harm, not 59,000 cases of which 58,909 were so trivial as not even to merit a fine. Take the case of recent events in India where Privacy Laws are lacking related to the case of a fast-food restaurant called 'Chaayos Cafe' is using facial recognization for order entry.
Information security professionals have to implement systems and procedures to comply with the laws, however, they are written. I think it is time for the community of those who work in our field and those who read the Journal to ensure that their work is not being used to hurt people and their legitimate interests. Designing “privacy” into systems wherein a breach will have no real consequences diminishes the attention that is required to protect us against truly intrusive methods.
Comments