Three years since GDPR, there’s much to learn from what’s happened since. We can also predict what’s next in privacy regulation.
One piece of regulation has never before had such global impact as the EU General Data Protection Regulation (GDPR). It has firmly established data privacy in the public mind, giving individuals extensive and unassailable rights and affecting behavior well beyond the EU’s borders.
GDPR legislation was a pioneer that other regions followed. The California Consumer Privacy Act (CCPA) came into force in 2020. The more expansive California Privacy Rights Act (CPRA) will replace it in 2023. While there is no federal nationwide data protection law in the US, all fifty states have regulated data safeguarding, disposal and breach disclosure. US data privacy is pointing towards giving consumers more rights.
Africa and Asia, with few exceptions, have a way to go in privacy regulation. It may be fair to say data protection regulation follows economic and political development. But China has a different focus. Having enacted strong privacy regulation, it’s regaining control of local Big Tech, starting with corporate dismemberment of Alibaba. It aims to control the massive amounts of data held by Chinese companies that may list overseas.
New consumer expectations of data privacy
GDPR and other regulations worldwide have raised awareness of privacy issues.
Organizations need to focus on disclosure and incident response best practice or risk consumers seeing them as not transparent and losing trust.
There’s a gap between what customers want and what businesses think customers want in their digital experience. Businesses think it’s profiles (for example, offering relevant suggestions), live help and price-matching. But consumers prioritize rewards, free shipping and data protection.
Forced innovation is also good innovation
Data protection is now front of mind for everyone. Many once saw security regulations as an innovation inhibitor adding friction to the customer experience, but now they’re customer experience’s new best friend.
With today’s cybercrime landscape, data protection has never had so much focus, driving the need for strong authentication. 3-D Secure is a great example. Ecommerce businesses saw the first version of 3-D Secure as an important tool for tackling fraud, but also the main culprit for customers not completing checkout. But the same businesses are finding the latest version, which includes new security features like biometrics, highly attractive for easier authentication across the whole customer experience. 3-D Secure’s latest iteration links with new EU regulation’s authentication requirements.
Privacy expectations impact on cybercrime
The COVID-19 pandemic has sped up changes in digital consumer behavior like never before. Security and fraud risk increased, triggering more stringent regulation.
But stricter regulation has also seen cybercriminals weaponize data protection against those it’s supposed to protect.
Ransomware gangs try to extort money from victims by encrypting their data and also threatening to release it if the ransom isn’t paid, adding data privacy insult to injury.
Nations are stepping up to address ransomware, now the world’s biggest cyberthreat. But it’s early days. Attempts to reduce ransomware risk are sometimes surprising, with little consensus on how to address it: US proposals range from making ransomware payments tax-deductible to, conversely, making paying a ransom illegal. Once a profitable niche, cyber insurance now struggles to stay afloat with increasing ransomware and skyrocketing demands.
Emerging trends in data regulation and oversight
Data protection and privacy regulations are now part of life. We also see several emerging trends. One is increased data protection and privacy oversight: in the three years since GDPR, nearly half of UK businesses have been reported to the Information Commissioner’s Office over breaches. With longstanding data breach disclosure laws in the US, a new bill could force businesses to report breaches faster. India has long deliberated its Personal Data Protection Bill (PDP).
We’re also seeing financial and security regulations aligning. Financial services regulations now include extensive obligations overlapping with security. Penalties are no longer the sole domain of national data protection authorities but could come from any regulator. UK’s Financial Conduct Authority fined Tesco Bank 16.4 million pounds sterling for failing to protect customers’ accounts and not doing enough to prevent financial crime.
And we see increased desire to control Big Tech. The most notable example started in China with Alibaba in 2019. New Chinese data protection regulation has more scope for oversight, as we saw with the crackdown on ride-hailing service Didi and others.
China perhaps sees its companies listed overseas as a national security risk because foreign governments could scrutinize the massive amounts of data they hold. But there are other risks: several shareholders sued Didi after its share price fell following the regulatory crackdown.
It’s not just China wanting to rein in Big Tech and their data – security concerns led to Germany’s data protection commissioner telling government organizations to shut down their Facebook pages. UK’s draft Online Safety Bill proposes a new Big Tech oversight body to help tackle illegal and harmful online content.
Another trend is increasing regulatory oversight of start-ups, especially in fintech. Stock trading app Robinhood must pay 30 million US dollars to the New York State regulatory body for cybersecurity and anti-money laundering failures. The Swedish financial regulator is investigating buy-now-pay-later firm Klarna for data privacy breaches.
Coming soon: The data regulation to prepare for
Data regulation laws are often challenged. In Europe in 2020, the Schrems II judgment invalidated Privacy Shield, the data-sharing mechanism between the EU and the US. Austrian activist Max Schrems scored a major win as his case questioning Facebook’s legal basis to collect data was referred to the EU Court of Justice.
Trump’s US attempt to ban TikTok and WeChat shows this isn’t confined to the EU. India’s Reserve Bank banned Mastercard from issuing new credit and debit cards for not keeping to local data storage rules.
Three years since GDPR came into force, regulators aren’t standing still. In April 2021, the EU Commission published a draft proposal to regulate artificial intelligence in line with GDPR. With increased automation globally, this is one area to watch.