On May 25, 2018, the European Union’s General Data Protection Regulation, or GDPR, went into effect. As a consequence, everyone responsible for using personal data of EU residents has to follow strict rules called “data protection principles” and take steps to ensure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage
There is stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- trade union membership
- biometrics (where used for identification)
- sex life or orientation
These new regulations will have a global impact. Not only are EU-based companies required to comply with the new regulations, but any company doing business with EU residents must have policies and procedures in place to protect personal information. We are already seeing U.S. companies update terms and conditions, privacy policies, information security procedures and more to harmonize their practices with their competitors around the globe.
In contrast to Europe, the United States has taken a very different approach to data privacy regulation, preferring to focus on specific areas of information, such as health care and financial information, rather than enact a broad series of data privacy rights or guiding principles that would cross industries and the public and private sector.
Health Privacy in the US
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Financial Privacy in the US
The Gramm-Leach-Bliley Act seeks to protect consumer financial privacy. Its provisions limit when a “financial institution” may disclose a consumer’s “nonpublic personal information” to nonaffiliated third parties. The law covers a broad range of financial institutions, including many companies not traditionally considered to be financial institutions because they engage in certain “financial activities.” Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to “opt-out” if they don’t want their information shared with certain nonaffiliated third parties. In addition, any entity that receives consumer financial information from a financial institution may be restricted in its reuse and redisclosure of that information.
New Trends in Privacy
In the wake of the unauthorized access to 87 million Facebook users’ information by data analytics firm, Cambridge Analytica and a series of recent high profile data breaches, including 3 billion Yahoo users from 2013-2016, 143 million Equifax users in 2017, 412 million Adult Friend Finder users in 2016, 145 million eBay users in 2014, privacy and information security has become a global priority.
Google and Facebook, as a response to GDPR requirements, but also an acknowledgment that data privacy is good for business are taking aggressive steps toward embracing enhanced information security by updating user agreements, accelerating the deployment of new technology and inviting engineers, designers and IT professionals to brainstorm additional ways to protect data.
Nimble startups are also rolling out innovative solutions to protect personal information. Envilope, a Gibraltar-based blockchain technology company, is launching a virtual envelope in which users can lock emails, digital files, or secure messages containing text, images, audio, video – anything that can be sent online. These solutions give senders unprecedented privacy and control over their content, including who views it, when, and where. Only the intended recipient can open an Envilope, and only after accepting the sender’s terms and conditions. If a user ever suspects a breach or regrets a message previously sent, he or she can vaporize the content with a click, regardless of how many times it has been shared or forwarded and fully restore that vaporized content at a later date.
For highly regulated industries where privacy and confidentiality are of paramount importance, like finance, legal, healthcare and government, the emergence of new technology, especially blockchain technology, is a promising development for individuals and companies who want total control of their information and how it is seen, stored and shared.
We can also expect that regulators will continue to play an active role in shaping the future of privacy, especially impacting large multinational corporations and certain countries which have, until now, played fast and loose with data privacy protections. “While the language of GDPR cites the marketing of goods and services in the language of an EU member state and the tracking and monitoring of consumer behavior on EU soil, it seems reasonable to assume potentially broader implications of the new data privacy regulations for the world’s largest data powerhouses — companies like Google and even countries like China,” explains Jayen Madia, Managing Director, Head of Risk Assets at AXIS Capital, “as data privacy is inextricably linked to data dominance, cross-border trade, and national security, big data should expect to see more in the way of future, global regulation.” Madia noted that Google controls ten times more user data than Facebook, and its companies constitute more than 25% of time spent on digital media today. EU regulator Margrethe Vestager voiced suspicion about Google’s market dominance, following the largest-ever EU antitrust fine imposed on a single company.
In China, the combination of technology, infrastructure, and weak data privacy laws position the government to control the largest future reservoir of data. Chinese data giants have made a strong push into artificial intelligence, facial recognition, and the establishment of a global footprint.
As we look ahead to the future of privacy, the combination of regulatory reform and technological innovation should lead to a brighter future for safeguarding personal data.